FM ELEC 4 – Risk Management

Chapter 1: RISK and RISK IDENTIFICATION

Risk identification is a deliberate and systematic effort to identify and document the Institution’s key
risks. The objective of risk identification is to understand what is at risk within the context of the Institution’s
explicit and implicit objectives and to generate a comprehensive inventory of risks based on the threats and
events that might prevent, degrade, delay or enhance the achievement of the objectives. This necessitated
the development of risk identification guidelines to ensure that Institutions manage risk effectively and
efficiently.

WHAT IS RISK?
Everyone is exposed to some type of risk everyday – whether it’s from driving, walking down the
street, investing, capital planning, or something else. In simple terms, risk is the possibility of something
bad happening. Risk involves uncertainty about the effects/implications of an activity with respect to
something that human’s value (such as health, well-being, wealth, property or the environment), often
focusing on negative, undesirable consequences.

The understanding of risk, the common methods of analysis and assessment, the measurements of
risk and even the definition of risk differ in different practice areas (business, economics, environment,
finance, information, technology, health, insurance, safety, security, etc.).

Risk is defined in financial terms as the chance that an outcome or investment's actual gains will
differ from an expected outcome or return. Risk includes the possibility of losing some or all of an original
investment.

Quantifiably, risk is usually assessed by considering historical behaviors and outcomes. In finance,
standard deviation is a common metric associated with risk. Standard deviation provides a measure of the
volatility of asset prices in comparison to their historical averages in a given time frame.

Overall, it is possible and prudent to manage investing risks by understanding the basics of risk and
how it is measured. Learning the risks that can apply to different scenarios and some of the ways to
manage them holistically will help all types of investors and business managers to avoid unnecessary and
costly losses.

HOW TO MEASURE AND PREPARE FOR RISK IN AN ENTERPRISE?

Risk measures are statistical measures that are historical predictors of investment risk and volatility,
and they are also major components in modern portfolio theory (MPT). MPT is a standard financial and
academic methodology for assessing the performance of a stock or a stock fund as compared to
its benchmark index.

There are five principal risk measures, and each measure provides a unique way to assess the risk
present in investments that are under consideration. The five measures include the alpha, beta, R-squared,
standard deviation, and Sharpe ratio. Risk measures can be used individually or together to perform a risk
assessment. When comparing two potential investments, it is wise to compare like for like to determine
which investment holds the most risk.

With the changing business environment brought on by events, such as the CoVid 19 pandemic,
gone are the days of focusing only on operational and tactical risk management. Enterprise Risk
Management (ERM), a framework for a business to assess its overall exposure to risk (both threats and
opportunities), and hence its ability to make timely and well-informed decisions, is now the norm.

Steps:
1. Establish an Enterprise Risk Structure. ERM requires the whole organization to identify,
communicate and proactively manage risk, regardless of position or perspective. Everyone needs to
follow a common approach, which includes a consistent policy and process, a single repository for
their risks and a common reporting format. However, it is also important to retain existing working
practices based on localized risk management perspectives as these reflect the focus of operational
risk management.
2. Assign responsibility. Once an appropriate enterprise risk structure is established, assigning
responsibility and ownership should be straightforward. Selected nodes in the structure will have
specified objectives; each will have an associated manager (executive, functional or business), who
will be responsible for achieving those objectives and managing the associated risks. Each node
containing a set of risks, along with its owner and leader, is a Risk Management Cluster®.

3. Create an enterprise risk map. Risk budgeting and common sense dictate that risks should reside
at their local point of impact, because this is where attention is naturally focused. However, the risk
cause, mitigation or exploitation strategy may come from elsewhere in the organization and often
common causes and actions can be identified.

4. Decision making through enterprise risk reporting. The most important aspect of risk
management is carrying out appropriate actions to manage the risks. However, you cannot manage
every identified risk, so you need to prioritize and make decisions on where to focus management
attention and resources. The decision-making process is underpinned by establishing risk appetite
against objectives and setting a baseline, both of which should be recorded against each Risk
Management Cluster®.

Enterprise-wide reporting allows senior managers to review risk exposure and trends across the
organization. This is best achieved through metrics reports, such as the risk histogram. For example,
you might want to review the risk to key business objectives by cluster. Or how exposed different
contracts and projects are to various suppliers.

Furthermore, there is a need to use a common set of reports across the organization, to avoid time
wasted interpreting unfamiliar formats. Such common reports ensure the risk is communicated and
well understood by all elements of the organization, and hence provide timely information on the
current risk position and trends, initially top-down, then drilling down to the root cause.

5. Changing culture from local to enterprise. At all levels of an organization, changing the emphasis
from ‘risk management’ to ‘managing risks’ is a challenge; however, across the enterprise it is
particularly difficult. It requires people to look ahead and take action to prevent (or exploit) risk to the
benefit of the organization. It also requires the organization to encourage and reward this change in
emphasis.

Unfortunately, problem management (fire-fighting) deals with today’s problems at the expense of
future ones. This is generally a far more expensive process as the available remedies are limited.
However, if potential problems are identified (as risks) before they arise, you have far more options
 available to affect a ‘Left Shift: from a costly and overly long process to one better matching the
original objectives set.

Most organizations have pockets of good risk management, many have a mechanism to report ‘top
N’ risks vertically, but very few have started to implement horizontal, functional or business risk
management. Both a bottom up and top down approach is required. An ERM initiative should allow
good local practices to continue, provided they are in line with enterprise policy and process
(establishing each pocket of good risk management as a Risk Management Cluster will provide
continuity).

From a top-down perspective, functional and business focused risk management needs to be kick
started. A risk steering group comprising functional heads and business managers is a good place
to start. The benefits of such a group getting together to understand inter-discipline risk helps break
down stove-piped processes. This can trigger increasingly relaxed cross-discipline discussions and
focus on aligning business and personal objectives that leads to rapid progress on understanding
and managing risk.
Finally, to ensure that an organizational culture shift is affected, the senior management must be
engaged. This engagement is not only aimed at encouraging them to see the benefits of managing
risk, but to also help the organization as a whole see that proactive management of risk (the Left
Shift principle) is valued by all.

A Risk Management Masterclass for the executive board and senior managers can provide them
with the tools necessary to progress an organization towards effective ERM.

The Benefits
ERM delivers confidence, stability, improved performance and profitability. It provides:

 Access to risk information across the organization in real time

 Faster decision making and less ‘fire-fighting’
 Fewer surprises (managed threats and successful opportunities)
 Improved confidence and trust across the stakeholder community
 Reduced cost, better use of resources and improved morale
 Stronger organizations resilient to change, ready to exploit new opportunities

Over time this will:

 Increase customer satisfaction, enhance reputation and generate new business

 Safeguard life, company assets and the environment
 Achieve best value and maximize profits
 Maintain credit ratings and lower finance costs

Conclusion

All of the risk management skills and techniques required to implement Enterprise Risk
Management can easily be learned and applied. From senior managers to risk practitioners, Masterclasses,
training, coaching and process definition can be used to support rollout of ERM.
 Create a practical Enterprise Risk Structure, set clear responsibilities and hold people accountable.
Define a simple risk map and provide localized working practices to match perspectives on risk. Be seen to
make decisions based on good risk management information.

INTRODUCTION TO RISK AND UNCERTAINTY

Risk Vs Uncertainty: What It Means for Your Business

Business professionals are no stranger to risk and uncertainty. Whether it’s reaching out to a new
client, or releasing a new product, risk and uncertainty influence every business decision. They can push a
startup to innovate faster, or bankrupt businesses that fail to plan accordingly.

The Difference between Risk and Uncertainty

Risk. Risk is defined as the possibility or probability of an unpleasant or undesirable event.

In business, risk might suggest the potential loss of money, time, or information. Most importantly, risk can
be calculated or measured. Entrepreneurs can use market data to calculate whether a new product may be
worth introducing. Accountants can use balance sheets to measure the profitability of certain stores.
Calculated risk can be beneficial, as risk takers can also generate significant returns.

Uncertainty. On the other side, there’s uncertainty. In contrast, uncertainty involves situations
with unknown variables, information, and outcomes. Uncertainty cannot be measured or calculated.

Since uncertain events are unique and difficult to plan for, they come with even greater downsides for
unprepared businesses. During the dot-com era, companies invested heavily in expensive domains before
understanding their value. When the bubble finally burst, several companies disintegrated, and thousands
of employees laid off.

The main takeaway from these two concepts: risk can be measured and predicted, while uncertainty cannot.

Examples of Risk and Uncertainty

 Risk is when an online clothing store decides to sell a new line of clothing, based on customer
analysis. Uncertainty is when that same clothing store introduces a new, unrelated product without
research, such as a new furniture line.
 Risk is when a company moves their processes and data to the cloud. Uncertainty is when a major
outage affects multiple servers across the nation.
 Risk is when an ad agency opens an office in a new country. Uncertainty is when the country enters
a recession.

Risk Management: How to Plan for High-Risk Events

Fortunately, risk is something that can be predicted and planned for ahead of time. Gary
Patterson’s Million Dollar Blind Spots, outlines a simple but repeatable process for risk management:

1. Identify risk – Spot the risk early through research and historical analyses.
2. Assess the probability – Evaluate all the factors involved, including the likelihood of positive and
negative outcomes
3. Make a cost-benefit analysis of alternatives – Measure the pros and cons of each decision you
could take.
Choose a response.
4. Evaluate results – How did the chosen action impact the business?
5. Ongoing monitoring – Risk events should be constantly checked for changing circumstances. In
some cases, risk aversion may be the best option.

While uncertainty cannot be measured, the same approach may be taken in addressing related
tasks and challenges. While a recession cannot be predicted, a business can take steps to protect the
future of its employees and customers.

Turning Risk into Opportunities

Risk and uncertainty surround every business. Weighing options and outcomes, and deciding the
final action as a team is just one way a business can remain vigilant. With enough practice in risk analysis
and assessment, risk turns from an obstacle into a challenge. Risk forces startups to mature and innovate
faster through competition, and rewards entrepreneurs with greater experience of the market and industry.
Risk can’t be avoided, but when businesses learn to prepare, risk can open up new business opportunities.

Conclusion
The main differences between risk and uncertainty can be summarized by control and predictability.
Risk can be measured, and therefore, controlled. Changes in sales because of the season can be
predicted and planned. This is why risk analysis or risk assessment can be important for a business’s
strategic development. Calculated risks can lead to great rewards.

Uncertainty on the other hand cannot be quantified or controlled. For example, a new local
competitor can have unpredictable effects on your own sales. You cannot measure uncertainty; you can
only deal with uncertainty. This is why we look for certainty as much as we can: the more certain future
events are to take place, the better a business can prepare.