
Chapter 1.

The Building Blocks of Risk Management


 Explain the concept of risk and compare risk management with risk taking.

 Describe elements, or building blocks, of the risk management process and identify
problems and challenges that can arise in the risk management process.

 Evaluate and apply tools and procedures used to measure and manage risk, including
quantitative measures, qualitative assessment, and enterprise risk management.

 Distinguish between expected loss and unexpected loss and provide examples of
each.

 Interpret the relationship between risk and reward.

 Describe and differentiate between the key classes of risks, explain how each type of
risk can arise, and assess the potential impact of each type of risk on an organization.

Explain the concept of risk and compare risk management with risk
taking.
We can refer to risk generally as variability or—in the case of financial risk specifically—we can
refer to risk as volatility:
 Risk is the variability of adverse outcomes that are unexpected (general)
 Financial risk is volatility (volatility as a special case of variability) of unexpected losses

Key aspects of this definition


 Risk is not expected loss
 Risk is the potential for unexpected loss. Further, greater variability (or uncertainty) in
these unexpected losses is greater risk.
 Some authors distinguish between uncertainty and risk, where risk is quantifiable
uncertainty. Not all FRM authors require this distinction. For some, even when
uncertainty has not been quantified—or has yet to be quantified—the uncertainty still
qualifies as “risk.” This should be intuitive: unquantified risks can pose the greatest
catastrophic threats

Technically (in insurance terms), risk is neither peril nor hazard:


 A peril is the cause of a loss
 A hazard increases the probability (and/or frequency and/or severity) of a loss
 A risk is the variability of an unexpected loss or adverse outcome (for our purposes)

Risk is not identical to the magnitude of a loss.
 Some costs such as housing or education are large but predictable. Because they are
predictable, they are not a genuine risk. Risk excludes expected losses.
 Risk refers to the variability or dispersion of losses. For example, a sudden and
unpredicted cost is a manifestation of risk.

While everybody has an intuition about risk, a formal treatment of risk requires statistics
 For example, we might assign probabilities to different future scenarios. Then we can
calculate a standard deviation which is a way to measure the risk.
 Probably the most essential component of this formal treatment of risk is the use of
a probability distribution: a probability distribution quantifies risk.
 A probability distribution enables us to quantify value-at-risk (VaR) and unexpected loss
(UL) because every probability distribution contains a loss quantile associated with a
confidence level. For example, if a standard normal distribution characterizes our loss
distribution, then the 95th percentile (aka, 0.95 or 0.050 quantile) lies at -1.645 or +1.645,
depending on whether our format is P(+)/L(-) or L(+)/P(-); i.e., depending on whether losses are
mathematically assigned positive values for the sake of convenience. In the case of a
95.0% confidence level, because we know we only care about the loss side of the
distribution, we can refer to this as either the 0.050 or 0.950 quantile, given we realize
that the format can be either P(+)/L(-) or L(+)/P(-).
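The statistics described in the bullets above, as an added example that is not part of the original notes: it assigns probabilities to scenarios, computes the mean and standard deviation of loss, reads a loss quantile off the discrete distribution, and shows the sign of the standard normal 95% quantile under each format. The scenario probabilities and dollar losses are constructed for illustration, and the function names are this example's own.

```python
from math import sqrt
from statistics import NormalDist

# Constructed scenarios (not from the notes): (probability, loss in $).
# Format is L(+)/P(-): losses are positive, profits are negative.
SCENARIOS = [
    (0.50, -10.0),   # modest gain
    (0.30, 0.0),     # flat
    (0.15, 20.0),
    (0.04, 60.0),
    (0.01, 200.0),   # tail loss
]


def expected_loss(scenarios):
    """Probability-weighted mean loss."""
    return sum(p * loss for p, loss in scenarios)


def loss_std(scenarios):
    """Standard deviation of loss around the mean (the dispersion of outcomes)."""
    mu = expected_loss(scenarios)
    return sqrt(sum(p * (loss - mu) ** 2 for p, loss in scenarios))


def loss_quantile(scenarios, confidence):
    """Smallest loss L such that P(loss <= L) >= confidence."""
    total = sum(p for p, _ in scenarios)
    if abs(total - 1.0) > 1e-9:
        raise ValueError("scenario probabilities must sum to 1")
    cumulative = 0.0
    for p, loss in sorted(scenarios, key=lambda s: s[1]):
        cumulative += p
        if cumulative >= confidence - 1e-12:  # tolerance for float rounding
            return loss
    return max(loss for _, loss in scenarios)


def normal_quantile(confidence, losses_positive=True):
    """Standard normal loss quantile in L(+)/P(-) or P(+)/L(-) format."""
    z = NormalDist().inv_cdf(confidence)
    return z if losses_positive else -z


if __name__ == "__main__":
    print("expected loss      :", round(expected_loss(SCENARIOS), 2))
    print("standard deviation :", round(loss_std(SCENARIOS), 2))
    for cl in (0.95, 0.99):
        print(f"{cl:.0%} loss quantile  :", loss_quantile(SCENARIOS, cl))
    print("normal 95%, L(+)/P(-):", round(normal_quantile(0.95), 3))
    print("normal 95%, P(+)/L(-):", round(normal_quantile(0.95, False), 3))
```

The same distribution gives a different quantile at each confidence level, while its mean stays small because the large losses carry little probability.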
Knightian uncertainty illustrates the distinction between uncertainty and risk. Knightian
uncertainty “is a lack of any quantifiable knowledge about some possible occurrence, as
opposed to the presence of quantifiable risk.”1 In this way, the difference between uncertainty
and risk is our ability (or attempt) to quantify. Similarly, much of what is called “risk” is the
identification and specification of a probability distribution; for this reason, probability
distributions are key ingredients in risk!

The definitions of value-at-risk (VaR) and economic capital (EC) depend on the definition
of unexpected loss (UL)
 Value at risk (VaR) is the worst expected loss associated with some confidence level
(typically 95% or 99%) over some horizon (e.g., one day, three months, one year). VaR
requires a confidence level and a time horizon, such that many VaRs are possible.
o For example, we might say that our options position has a one-day VaR of $1.0
million at the 99.0% confidence level, meaning that our risk analysis shows that there
is only a 1.0% probability of a loss that is greater than $1.0 million on any given
trading day.2
 Economic capital is the risk capital employed by the firm to absorb unexpected losses
(UL) such that we can typically define economic capital as a multiple of UL, even if the
multiple is simply 1.0.

1See https://en.wikipedia.org/wiki/Knightian_uncertainty
2Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

Describe elements, or building blocks, of the risk management
process and identify problems and challenges that can arise in the
risk management process.
There are ten building blocks in risk management3:
1. The risk management process
2. Identifying risk: knowns and unknowns
3. Expected loss, unexpected loss, and tail loss
4. Risk factor breakdown
5. Structural change: from tail risk to systematic crisis
6. Human agency and conflicts of interest
7. Typology of risks and risk interactions
8. Risk aggregation
9. Balancing risk and reward
10. Enterprise risk management (ERM)

3 GARP (Global Association of Risk Professionals, 2020)

Figure 1.1 - The Risk Management Process4
Risk management concerns the firm’s selection of
its appropriate type(s) and level(s) of risk. Most
business decisions involve a sacrifice of current
resources for future uncertain returns. In this way,
risk management and risk-taking aren’t opposites,
but two sides of the same coin. At the core of the
management process is the capacity to make
forward-looking choices about risk in relation to
reward, and to evaluate performance.

The type of risk can be more important than (or at
least as important as) the magnitude of risk. This
perspective tends to vary by industry. Manufacturers
might tolerate operational risk but worry more about
credit risk. Investors are a classic example in this regard:
they tend to overlook certain risks but punish a
company for losses that manifest risk types that
signal deeper concerns.

Risk management generally involves four basic
choices by the firm’s managers:
 Avoid Risk: This is the simplest choice. For
example, the firm may decide to avoid a risk
by exiting or selling a business.
 Retain Risk: It is important to recognize that
all risks are not meant to be avoided or
minimized. The firm’s risk appetite implies that some risks should be retained. Investors
expect the firm to assume risks, as they have risk-free alternatives!
 Mitigate Risk: A key function of risk management is to mitigate risk. This is the classic
function of a hedge. The risk is retained but also reduced. There is an entire category of
credit risk mitigation (CRM) techniques including, for example, the use of collateral.
 Transfer Risk: Derivatives are the most common method of transferring risk. For
example, the buyer of a credit default swap (CDS) transfers credit risk to the seller. One
of the counterparties in an interest rate swap transfers market risk (specifically, interest
rate risk) to the other counterparty.

4Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

What are the challenges that can arise in the risk management process? Three examples
of specific challenges that arise in risk management include:
 Unexpected loss variability
 Correlation risk
 Lessons from the 2007-2008 global financial crisis (GFC)

Challenge: To manage unexpected levels of variability

The firm depends on risk management to manage unexpected loss variability. But such
variability is better managed if the firm has measured its exposures with some level(s) of
confidence. By measuring its exposure to variability, the firm can allocate capital buffers (in
addition to other techniques) and, additionally, can communicate to stakeholders.

Challenge: To anticipate and manage correlation risk

The typical example of correlation risk is a credit portfolio (e.g., portfolio of bonds) that features
default correlation between credits in the portfolio. Or similarly, a pairwise correlation matrix
characterizes the correlation between asset returns in an equity portfolio. Because correlation is
a statistical measure between two variables, correlation risk refers to a broad array of risks.
 The classic and basic formula in credit risk is EL = EAD × PD × LGD, where EL refers to
expected loss, EAD refers to exposure at default, PD refers to default probability, and
LGD refers to loss given default. It is common to assume independence among these
variables. However, it may not be realistic! For example, a higher PD might be
associated with a higher LGD (or equivalently, a lower recovery rate).
 In general, unexpected loss increases with higher default correlation. To the extent we
are measuring (or concerned with) unexpected losses, correlations among risk factors
will tend to increase the unexpected loss. Therefore, if we omit relevant correlation(s)
between or among risk factors, we are likely to understate the unexpected loss.
Expected loss is a statistical mean and likely will be unaffected by correlation, but
unexpected loss is a function of (multiple of) the standard deviation such that it will be
influenced by correlations.
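The two bullets above in numbers, as an added example that is not part of the original notes: expected loss stays fixed while unexpected loss grows with default correlation, and ignoring the co-movement of PD and LGD understates expected loss. It assumes a fixed LGD per loan, a single pairwise default correlation rho for every pair, and two constructed macro states; the function names are this example's own.

```python
from math import sqrt


def loan_el(ead, pd, lgd):
    """Expected loss of one loan: EL = EAD x PD x LGD."""
    return ead * pd * lgd


def loan_ul(ead, pd, lgd):
    """Standard deviation of one loan's loss.

    Assumption: default is a Bernoulli(PD) event and LGD is fixed, so the
    loss is EAD x LGD with probability PD and zero otherwise.
    """
    return ead * lgd * sqrt(pd * (1.0 - pd))


def portfolio_el(loans):
    """Means add regardless of correlation."""
    return sum(loan_el(*loan) for loan in loans)


def portfolio_ul(loans, rho):
    """Portfolio loss standard deviation with one pairwise default correlation.

    Variance = sum over i, j of corr(i, j) x UL_i x UL_j, where corr is 1 on
    the diagonal and rho elsewhere (assumed equal for all pairs).
    """
    if not 0.0 <= rho <= 1.0:
        raise ValueError("rho must be in [0, 1] for this example")
    uls = [loan_ul(*loan) for loan in loans]
    variance = 0.0
    for i, ul_i in enumerate(uls):
        for j, ul_j in enumerate(uls):
            variance += (1.0 if i == j else rho) * ul_i * ul_j
    return sqrt(variance)


# Constructed macro states: (probability, PD, LGD). PD and LGD rise together.
STATES = [
    (0.80, 0.01, 0.40),   # normal conditions
    (0.20, 0.06, 0.70),   # downturn
]


def el_with_states(ead, states):
    """Expected loss when PD and LGD co-move across states: EAD x E[PD x LGD]."""
    return ead * sum(p * pd * lgd for p, pd, lgd in states)


def el_assuming_independence(ead, states):
    """Expected loss if PD and LGD are treated as independent: EAD x E[PD] x E[LGD]."""
    mean_pd = sum(p * pd for p, pd, _ in states)
    mean_lgd = sum(p * lgd for p, _, lgd in states)
    return ead * mean_pd * mean_lgd


if __name__ == "__main__":
    # 100 bonds: face value $1,000, PD 2.0%, no recovery (LGD = 100%).
    book = [(1000.0, 0.02, 1.0)] * 100
    print("portfolio EL:", round(portfolio_el(book), 2))
    for rho in (0.0, 0.1, 0.5, 1.0):
        print(f"rho={rho:.1f}  portfolio UL: {portfolio_ul(book, rho):,.2f}")
    print("EL, PD and LGD co-moving :", round(el_with_states(1000.0, STATES), 2))
    print("EL, independence assumed :", round(el_assuming_independence(1000.0, STATES), 2))
```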

Challenge: Lessons of the 2007-2008 global financial crisis (GFC)


 Prior to the GFC, the overwhelming favorite approach to measuring risk was the
historical-statistical approach (it may still be the most common). As an umbrella term,
this refers to using a historical sample to inform a parameter. For example, to compute
the standard deviation of the last 250 trading days, and to employ the result in a model
that requires a volatility parameter.
 The GFC, among other consequences, exposed the weaknesses of too heavy a reliance
on historical-statistical approaches. In its place, or at least as a more common
supplement, risk managers now emphasize scenario analysis and stress testing. The
key difference is that scenario analysis and stress testing are not limited by history in
parameter selection. In fact, they require subjective judgement and even imagination.

The Role of the Risk Manager (RM)

The Risk Manager (RM) cannot predict the future. Rather, the RM should identify each of the
firm’s risks, attempt to put them in context (e.g., relevance), quantify them where appropriate (i.e.,
characterize with distributions), and importantly, communicate them to stakeholders. The
communication step is critical: if executives and the Board do not understand key risks, they
cannot decide or act on such risks, even if those risks are well-quantified within the risk function.
 For example, the risk manager’s role is not to produce a point estimate of the U.S.
dollar/euro exchange rate at the end of the year; but to produce a distribution estimate of
the potential exchange rate at year-end and explain what this might mean for the firm
(given its financial positions). These distribution estimates can then be used to help
make risk management decisions, and also to produce risk-adjusted metrics such
as risk-adjusted return on capital (RAROC).5

The RM’s role is not merely defensive. To compete, firms need to balance risk and
reward. Proper risk management “has a seat at the executive table” as a strategic ally in
the firm’s long-term goals. Elements of the role include:
 Implement policies and develop methodologies
 Ensure infrastructure (e.g., technology) exists to track and report relevant metrics
 Distinguish among obstacles that are technical, organizational, and/or political
 Define the reporting lines of risk managers
 Facilitate a balance in the relationship between business (unit) leaders and staff risk
managers. They must be separate, but they cannot be too detached.

The RM should seek to understand his/her role as a professional in the community of
stakeholders. The professional imperative implies the RM is at least curious about best
practices, and ideally, may even seek to contribute to the profession’s development.
Questions include:

 Who explicitly and implicitly oversees the risk manager? For example, regulators.
 What is the ideal and/or evolving relationship with the audit function?
 What is the true nature of the firm’s risk culture? For that matter, where are the
disconnects between documentation (or literal definitions) and the actual artifacts that
define a culture? This is a difficult job that is very different than running numbers in a
spreadsheet!

5Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

The Ups and Downs (“bumpy road”) in Risk Management6
Ups
 Dramatic explosion in the adoption of sophisticated risk management processes, driven
by an expanding skill base and falling cost of risk technologies
 Increase in the skill levels and associated compensation of risk management personnel
as sophisticated risk techniques have been adopted to measure risk exposures
 Birth of new risk management markets (e.g., credit, commodities, weather derivatives),
representing highly innovative and potentially lucrative financial markets
 Birth of global risk management industry associations as well as a dramatic rise in the
number of global risk management personnel
 Extension of the risk measurement frontier out from traditional measured risks such as
market risk toward credit and operational risks
 Cross fertilization of risk management techniques across diverse industries from banking
to insurance, energy, chemicals, and aerospace
 Ascent of risk managers in the corporate hierarchy to become chief risk officers, to
become members of the top executive team (e.g., part of the management committee),
and to report to both the CEO and the board of the company
Downs
 The financial crisis of 2007–2009 revealed significant weaknesses in managing
systemic and cyclical risks.
 Firms have been tempted to over-rely on historical-statistical measures of risk, a
weakness that improved stress testing seeks to address.
 Risk managers continue to find it a challenge to balance their fiduciary responsibilities
against the cost of offending powerful business heads.
 Risk managers do not generate revenue and therefore have not yet achieved the same
status as the heads of successful revenue-generating businesses.
 It’s proving difficult to make truly unified measurements of different kinds of risk and to
understand the destructive power of risk interactions (e.g., credit and liquidity risk).
 Quantifying risk exposure for the whole organization can be hugely complicated and may
descend into a “box ticking” exercise.
 The growing power of risk managers could be a negative force in business if risk
management is interpreted as risk avoidance; it’s possible to be too risk-averse.

6Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

Evaluate and apply tools and procedures used to measure and
manage risk, including quantitative measures, qualitative
assessment, and enterprise risk management.
Qualitative measures and the drawbacks of naming (and categorizing) risks
We can parse portfolio risk according to the type of risk. These are the three major
broad risk categories that are controllable and manageable:
 Market risk arises from changes in market risk factors, which tend to be general in nature. The
most common include interest rates, foreign exchange rates, and asset (e.g., equity or
commodity) price factors.
 Credit risk refers to default, credit deterioration, adverse migration, or rating
deterioration (e.g., downgrade from investment to speculative grade)
 Operational risk most often refers to Basel’s definition: “the risk of loss resulting from
inadequate or failed processes, people and systems or from external events.” This is not
the only definition, especially because the boundaries of operational risk are less
discrete than market or credit risk. Because operational risk so often interacts with other
risk types, it is the hardest to define and has no single agreed-upon definition. Famously,
this regular definition of operational risk excludes strategic and reputational risk but
does include legal risk.

Classification schemes are valuable but also dangerous.


 We need to name (aka, give a label to) a risk in order to measure and manage it. As soon
as we name a risk, we typically assign the risk to a category.
 But categories are not necessarily exhaustive. We may deceive ourselves into thinking
that we have mapped all important risks simply because we can assign our risks to a
category. However, our categories may contain gaps.
o For example, a sharp peak in market prices will create a market risk for an institution.
Yet the real threat might be that a counterparty to the bank that is also affected by
the spike in market prices will default (credit risk), or that some weakness in the
bank’s systems will be exposed by high trading volumes (operational risk)7.
 Categories may further encourage so-called silos of expertise. These silos are redolent
of, and may reflect, organizational silos. While this silo orientation may be efficient with
respect to the specific risk, it may neglect emergent issues and properties that are
relevant to the overall organization.

7Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

There is an important trend toward enterprise-wide risk management (ERM)
 ERM is a holistic approach that aims to overcome the limitations of organizational silos
 ERM incorporates risk into business decisions, rather than isolating risk or treating risk
measures as separate add-ons
 ERM has a top-down orientation, or at least incorporates a top-down perspective: the
board of directors defines a risk appetite and defines risk limits (for example) which may
“cascade down” into the organization. In this way, business units (or divisions) are not
isolated from the overall firm’s needs.
 ERM employs innovative methods and tools. These may include methods from other
disciplines, experimental methods, and new technologies (e.g., cloud/ERP platforms).
 ERM blends with capital management tools because risk influences capital allocation
decisions. This is increasingly a trend.
 ERM morphs traditional tools into new tools. For example, value at risk (VaR) was
developed for market risk but under the ERM umbrella, VaR and economic capital are
used to aggregate risk horizontally (e.g., across risk types) and vertically in the
organization. As another example, scenario analysis is employed with software to
illustrate more sophisticated multivariate macroeconomic scenarios.

Quantitative Measures
Risk measurement requires assigning numbers to classified risks.
 Absolute (aka, ratio or interval) values enable carefully weighed decisions, but even
categorical rankings (aka, ordinal values) enable useful comparisons.
 The mere assignment of a numerical value does not render the value necessarily useful!
Only some numbers are effectively useful in comparison.
o For example, using the face value or “notional amount” of a bond to indicate
the risk of a bond is a flawed approach. A million-dollar position in a par value 10-
year Treasury bond does not represent at all the same amount of risk as a
million-dollar position in a 4-year par value Treasury bond.8
 Value at risk (VaR) is maybe the most prominent “sophisticated” risk measure
o Because VaR is just a statistical quantile, it can be used for comparisons.
o VaR works better in practice under so-called “normal” conditions. If markets are
abnormal (e.g., regime-changing), VaR is less effective. Most notably (and a key
lesson from the GFC), VaR requires adjustment when markets are illiquid.
o VaR favors short horizons: one-day VaR is likely more accurate than one-year VaR.
o VaR requires a robust control environment: VaR may be a risk measure but it
requires a risk management context.

8Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

Distinguish between expected loss and unexpected loss and provide
examples of each.
Expected loss is typically the weighted average (aka, mean) loss. For example, if a bond’s face
value is $1,000 and its default probability is 2.0% with no expectation of recovery, the expected
loss is $1,000 × 2.0% = $20.00. Note this is the expected loss (EL) even though the actual loss
is likely to be either zero or $1,000; i.e., the expected loss is not necessarily itself an outcome.

Expected loss is generally treated as a “cost of doing business” and consequently is often built
into the pricing of a product.

As a portfolio increases in size and gains diversification, the actual losses incurred should
converge on the expected loss. The more granular (aka, less lumpy) is the credit portfolio, the
more the actual losses should converge on the expected loss.

The unexpected loss is the standard deviation of the loss around (or about) the expected loss;
the unexpected loss therefore represents the dispersion of expected losses. In the credit risk
context, unexpected loss is given by:

$ =

Interpret the relationship between risk and reward and explain how
conflicts of interest can impact risk management.
The relationship between risk and reward
The traditional view is that higher risk implies higher return. But this is not always what we
observe: sometimes less risky assets exhibit higher returns, counterintuitively! In the first case,
we need somewhat efficient markets to infer implied risk premiums; inefficient markets cloud the
relationship, as the impact of illiquidity varies with many conditions. Complications include:
 Bond markets: bond prices do often indicate relative risk, however technical factors
(especially liquidity and tax effects) add confusing signals.
 Investor appetite for risk varies over time.
o That was the case during the period from early 2005 to mid-2007, until the eruption
of the subprime crisis. With the eruption of the crisis, credit spreads moved up
dramatically, and reached a peak following the collapse of Lehman Brothers in
September 2008.10

Conflicts of interest (so to speak!)


The traditional risk-reward relationship is especially distorted in the absence of traded
instruments: trading enables price discovery.

Compensation incentive programs can distort the risk-reward relationship. The notorious
example, written in countless case studies, is the annual bonus: the firm pays such bonuses for
recent performance, but the risks incurred might have been delayed into future years.

10Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

Describe and differentiate between the key classes of risks, explain
how each type of risk can arise, and assess the potential impact of
each type of risk on an organization.
We can group risk factors together into the following categories11:

 Market risk  Legal and regulatory risk


 Credit risk  Business risk
 Liquidity risk  Strategic risk
 Operational risk  Reputation risk

These categories can be broken down into more specific categories, as shown below. Please
note that market risk and credit risk are referred to as financial risks.

FIGURE 1A-2 Schematic Presentation, by Categories, of Financial Risks12

[Figure: tree diagram of financial risks with two branches. Market Risk: Equity Price Risk, Interest Rate Risk, Foreign Exchange Risk, Commodity Price Risk, with sub-labels General market risk, Specific risk, Trading Risk, Gap Risk. Credit Risk: Transaction risk, Portfolio concentration, with sub-labels Issue Risk, Issuer Risk, Counterparty credit risk.]

11 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)
12 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

Risk Typology

Market Risk
Market risk may reduce a position’s (i.e., security or portfolio) value due to a change in financial
market variables, especially prices or interest rates. Market risk includes equity price risk,
interest rate risk, foreign exchange risk, and commodity price risk.
 Price risk parses into a general market risk component and a specific
market risk component.
 Market risk specifically depends on the context. For example,
o In the case of a fund, the fund may be marketed as tracking a specific benchmark.
Here market risk is important to the extent that it creates a risk of tracking error.13
Basis risk is a type of market risk that cannot be avoided when a position is hedged, as it refers
to unanticipated changes in the basis (the price difference between the exposure and the
hedge) that render the hedge imperfect.

The Four Types of Market Risk


1. Interest rate risk
2. Equity price risk
3. Foreign exchange risk
4. Commodity price risk.

Interest Rate Risk


Interest rate risk includes trading risk and gap risk; gap risk is when the firm’s balance sheet is
adversely impacted by sensitivities of its assets and liabilities to interest rate movements. The
most obvious interest rate risk is the drop in a bond’s price (and therefore the value in a long
bond position) when interest rates increase.

Curve risk arises when a fixed income position is hedged against parallel shifts in the yield curve (e.g.,
duration or DV01 hedged), but is exposed to non-parallel shifts such as twists or
steepening/flattening.

Equity Price Risk


Equity price risk is primarily stock price volatility and it includes:
 General market risk: sensitivity to a change in the level of broad market indices
 Specific (aka, idiosyncratic) risk: determined by features specific to the firm. Specific risk
includes management quality and (typically) operational risk events
An important portfolio theory concept is that diversification eventually eliminates specific risk but
general (aka, systematic) risk cannot be eliminated via diversification.

13Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

Foreign Exchange Risk
Foreign exchange (FX) risk occurs from positions in foreign currency denominated assets and
liabilities.
 FX risk is often natural (due to business operations) rather than a function of FX trades.
 FX volatility can swiftly erode cross-border investments
 The major drivers of FX risk are correlations between currency prices and volatility in
country (foreign) interest rates.

Commodity Price Risk


Commodity price risk is distinct because it is especially vulnerable to suppliers, as in supply and
demand. Many commodity markets feature concentrated supply; i.e., fewer numbers of larger
suppliers.
 Additionally, commodity prices are responsive to fundamentals, especially storage costs
but also the convenience yield. These are factors in the cost of carry model.
 Although commodities can be classified in various ways (e.g., hard versus perishable), in
regard to valuation and risk, our primary distinction is between consumption
commodities (e.g., corn) versus investment commodities (e.g., S&P 500 Index).
Credit Risk
Credit risk is the possibility of financial loss due to counterparty default, or credit deterioration
which is an increase in the probability of default. In this way, under credit risk we include:
default, deterioration, downgrade (aka, adverse migration).

The Four Types of Credit Risk


1. Default risk is an incapacity (or refusal) to make a payment obligation within the grace
(or relief) period.
2. Bankruptcy risk is the transfer of the collateralized assets of a defaulted borrower or
counterparty.
3. Downgrade risk is the risk of credit deterioration which happens to be formalized in a
credit rating change. Deterioration may not result in a downgrade, but will typically be
reflected in an increase in the credit spread.
4. Settlement risk is the risk due to the short-term exchange of cash flows when settling a
transaction. This risk is most acute in the case of foreign exchange transfers because (i)
notional amounts are exchanged and (ii) different time zones are spanned.

The CDS market has struggled somewhat to define the kind of credit event that should trigger a
payout under a credit derivatives contract. Major credit events, as formalized by the
International Swaps and Derivatives Association (ISDA), include:14
 Bankruptcy, insolvency, or payment default
 Obligation/cross default, which means the occurrence of a default (other than failure to
make a payment) on any other similar obligation
 Obligation acceleration, which refers to the situation in which debt becomes due and
repayable prior to maturity (subject to a materiality threshold of $10 million, unless
otherwise stated)
 Stipulated fall in the price of the underlying asset
 Downgrade in the rating of the issuer of the underlying asset
 Restructuring (this is probably the most controversial credit event)
 Repudiation/moratorium, which can occur in two situations: First, the reference entity
(the obligor of the underlying bond or loan issue) refuses to honor its obligations.
Second, a company could be prevented from making a payment because of a sovereign
debt moratorium (e.g., City of Moscow in 1998).

The following are fundamental terms in credit risk:


 An asset has credit risk when it is a position with positive replacement value.
 An exposure, or exposure at default (EAD), has two components in the future, at the
time of default: the portion that is eventually recovered and the portion that is
unrecovered (aka, lost). Recovery value is often expressed as recovery rate. The
percentage lost is called the loss given default (LGD). These components sum to 1.0 or
100%. For example, a 35.0% recovery rate implies a 1 – 35.0% or 65.0% LGD.
 Current exposure is approximated by, or synonymous with, current replacement value.
However, firms must also look forward in time in order to specify the distribution of
potential future exposures.

14Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New
York: McGraw-Hill, 2014)

Credit Risk at the Portfolio Level
Three factors influence portfolio credit risk:
 The first factor is the credit quality of the obligors. This factor must be addressed by the
level of the interest rate charge, which must be high enough to cover the cost of
expected losses.
 The second factor is concentration risk, and this can be industry, sector, or
geographical concentration. In general, this risk is addressed by limits.
 The third factor is the overall economy; aka, macroeconomic conditions. Defaults have
a marked tendency to increase (or even spike) during economic downturns, and to
decrease during economic expansions.

Liquidity Risk
Liquidity risk refers to either funding liquidity risk or trading liquidity risk, although they can
interact (including in a downward spiral).
 Funding liquidity risk is the firm’s ability to raise cash and/or refinance (including roll-
over) debt in order to meet liquidity needs. Quantification of this risk is often difficult.
 Trading liquidity risk (aka, liquidity risk) is the risk that a position cannot be exited at
the prevailing market price. There is grave liquidity risk if a so-called fire sale is required.

Operational Risk
Operational risk refers to potential losses resulting from a range of operational weaknesses
including inadequate systems, management failure, faulty controls, fraud, and human errors (in
the financial services, operational risk often also includes natural or man-made catastrophes).
 Derivatives are highly prone to operational risk and thus require tight controls. Derivative
trades are leveraged (by definition) and therefore more prone to operational risk than
cash transactions. Complex derivatives further require sophisticated valuation, which is
itself an operational risk (i.e., model risk). The notable (and/or large) derivative trading
losses of recent history that have become “case studies” are disproportionately the
consequence of operational failures.
 Operational risk includes human factor risk (aka, human or pilot error); e.g., data mis-entry,
inadvertent file destruction.
 Operational risk also includes technology risk and fraud.

Legal and Regulatory Risk
Legal and regulatory risk is included as an operational risk.
 For example, a counterparty might lack the legal or regulatory authority to engage in a
risky transaction. Legal and regulatory risks are classified as operational risks under
the Basel II Capital Accord.15
 In the derivative markets, legal risks might only manifest when money is lost on a
transaction and the investor files a lawsuit.
 Regulatory risk includes an unanticipated change in law; e.g., tax law change impacts
value of a position.
o For example, when the British government changed the tax code to remove a
specific tax benefit during the summer of 1997, one major investment bank suffered
huge losses.16

Business Risk
Business risk is the fundamental risk inherent in the conduct of business; it is an umbrella that
includes risks generally encouraged by investors (who are not seeking to eliminate risk as they
have safer alternatives). Business risk includes the costs of doing business, pricing dynamics,
and changes in the demand curve (for the product).
 Managing business risk, including making strategic decisions, is the primary job of
management.
 The Basel II Accord excludes business risk from the definition of operational risk,
although many believe it has more impact on bank revenue than the operational
event/failure risks that regulators do include within bank minimum capital requirements.17
 Business risk is also known as business/strategic/reputation risk.

Strategic Risk
Strategic risk is the risk that the firm’s strategy is sub-optimal, flawed or worse; it concerns the
choice of customers and markets in the context of a competitive landscape. A good framework
for analyzing strategic risk is Porter’s five forces18. This Porter framework evaluates strategy in
the context of five forces: threat of new entrants, threat of substitutes, bargaining power of
customers, bargaining power of suppliers, and intensity of competitive rivalry.

15 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New York: McGraw-Hill, 2014)

16 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New York: McGraw-Hill, 2014)

17 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New York: McGraw-Hill, 2014)

18 See https://en.wikipedia.org/wiki/Porter's_five_forces_analysis

Reputation Risk
Reputation risk parses into two primary classes19:
1. The belief an organization will honor its promises to counterparties and creditors.
2. The belief an organization is an ethical and fair dealer.

Reputation risk is a rising concern due to the rapid growth of social networks such as Facebook
and LinkedIn: bad news about a firm, or rumors, can “go viral.”

Reputation risk is especially important to financial institutions because they require the
confidence of their constituents including customers, creditors, and regulators. Banks are further
under pressure to demonstrate their commitment to environmental, social, and corporate
governance (ESG) principles.
 As a defensive mechanism, 10 international banks from seven countries announced in
June 2003 the adoption of the “Equator Principles,” a voluntary set of guidelines
developed by the banks for managing social and environmental issues related to the
financing of projects in emerging countries. The Equator Principles are based on the
policy and guidelines of the World Bank and International Finance Corporation (IFC) and
require the borrower to conduct an environmental assessment for high-risk projects to
address issues such as sustainable development and use of renewable natural
resources, human health, pollution prevention and waste minimization, and
socioeconomic impact.21

Systemic Risk (is any threat to financial stability)


Systemic risk is the potential for a domino-like chain reaction that ripples from firm-to-firm
across the financial system. In short, systemic risk is any threat to financial stability.
 The trigger (for systemic risk) might be losses at an individual firm. But perception, loss
of confidence, and uncertainty then quickly become the problem. Participants panic and
seek a “flight to quality.” Contagious reactions then propagate dislocation into otherwise
calm markets with “knock-on” effects.
 The ensuing downward spiral: panic triggers margin and collateral calls as asset prices
fall. In order to meet these calls, counterparties must step-up their selling, which further
depresses prices.
 The failures and near-failures of Bear Stearns, Lehman Brothers, and AIG during the
financial crisis of 2007–2009 all contributed to systemic risk by creating massive
uncertainty about which of the key interconnections would transmit default risk.22
 The Dodd-Frank Act established a Financial Stability Oversight Council (FSOC) whose
job is to identify systemic risks. In 2018, the President signed a partial repeal.

19 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New York: McGraw-Hill, 2014)

21 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New York: McGraw-Hill, 2014)

22 Michel Crouhy, Dan Galai, and Robert Mark, The Essentials of Risk Management, 2nd Edition (New York: McGraw-Hill, 2014)

Explain how risk factors can interact with each other and describe
challenges in aggregating risk exposures.
The job of risk managers includes analyzing (aka, breaking down, deconstructing) risk factors
into their fundamental drivers. Often this involves layers of analysis: larger factors are
deconstructed into their smaller determinants or sub-factors. Ideally, the risk manager wants to
identify and understand all significant and relevant risk factors and their sub-factors.

To score a risk factor, the risk manager looks for its sub-factors. For example, cyber
risk is a broad umbrella that must be defined by its components.

Historically, the limitation was data availability. However, big data (accompanied by machine
learning) enables profound analysis granularity. It is reasonable to expect that an implication of
data science is that risk managers will discover new risk factors; at a minimum, the granularity
of the risk typology will be increased.
