S w

9B11B001

AN OVERVIEW OF RISK AND RISK MANAGEMENT

Ken Mark wrote this note under the supervision of Professor Murray J. Bryant solely to provide material for class discussion. The
authors do not intend to provide legal, tax, accounting or other professional advice. Such advice should be obtained from a qualified
professional.

Richard Ivey School of Business Foundation prohibits any form of reproduction, storage or transmission without its written
permission. Reproduction of this material is not covered under authorization by any reproduction rights organization. To order copies
or request permission to reproduce materials, contact Ivey Publishing, Richard Ivey School of Business Foundation, The University
of Western Ontario, London, Ontario, Canada, N6A 3K7; phone (519) 661-3208; fax (519) 661-3882; e-mail cases@ivey.uwo.ca.

Copyright © 2011, Richard Ivey School of Business Foundation Version: 2011-04-15

INTRODUCTION

The importance of risk and risk management as a discipline was highlighted from 2007 to 2009, during the
global financial sector crisis. Well-known financial firms, which were purported to manage
“conservatively” and to have “strong risk management” processes, discovered that their employees had bet
heavily on subprime mortgages and financial derivative instruments. The value of those instruments was
written down drastically, and the firms were suddenly insolvent, triggering falls in their stock prices.
During and after the crisis, observers wondered how top management and other stakeholders had allowed
so much risk to be taken by just a handful of people.

Firms in other industries also had their fair share of high-profile risk issues: BP had its Deepwater Horizon
disaster in the Gulf of Mexico, Toyota Motor Company had a worldwide recall of millions of its cars for
defective parts and Johnson & Johnson had, in one year, two recalls of its flagship Tylenol brand. As these
firms struggled to deal with their associated crises, their stock prices were negatively affected, wiping out
billions of dollars in market capitalization. Less tangible, but perhaps just as important, was the effect of
negative publicity on each firm’s brand image.

In an attempt to learn from others’ mistakes and thereby avoid costly failures, managers are seeking
information on how to be more effective at identifying and managing risks. This trend is evident from the
numerous risk management programs that have recently emerged and the release, in November 2009, of a
new risk management standard from the International Organization for Standardization (ISO), known for
its documents on quality standards. There is no lack of information on diagnostic and prescriptive tools for
risk: a simple Google search for the term “risk management” results in 85.6 million matches.

To make sense of the wide variety of information available, we have developed this document with three
objectives in mind:

1. to summarize the latest managerial thinking on risk

2. to highlight how some firms are approaching risk management
Page 2 9B11B001

3. to provide a threat assessment tool that can be used to complement current risk management
frameworks

Although risk examples are cited from all industries, this note emphasizes the U.S. financial industry.

HOW IS RISK DEFINED?

Risk can be defined in different ways. Our starting point on arriving at how practitioners think about risk is
the ISO 31000 standard:

Organizations of all types and sizes face internal and external factors and influences that
make it uncertain whether and when they will achieve their objectives. The effect this
uncertainty has on an organization's objectives is “risk.”1

The following are other definitions of risk as a whole and risk in specific industries:

 Risk in Project Management: “Traditionally risk has been viewed as an exclusively negative, but in
project management, it is defined as ‘an uncertain event or set of circumstances that, should it occur,
will have an effect on achievement of one or more project objectives,’ with the clear understanding
that risks can affect achievement of project objectives either positively or negatively.”2 – Association
for Project Management
 Operational risk: “Operational risk is defined as the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events. This definition includes legal risk, but
excludes strategic and reputational risk”3 – Basel II Accord
 Equity risk premium: “The excess return that an individual stock or the overall stock market provides
over a risk-free rate. This excess return compensates investors for taking on the relatively higher risk
of the equity market. The size of the premium will vary as the risk in a particular stock, or in the stock
market as a whole, changes; high-risk investments are compensated with a higher premium.”4 –
Investopedia
 Volatility and risk: “A statistical measure of the dispersion of returns for a given security or market
index. Volatility can either be measured by using the standard deviation or variance between returns
from that same security or market index. Commonly, the higher the volatility, the riskier the security.”5
– Investopedia
 Volatility and risk (another viewpoint): “The measurement of volatility: it’s nice, it’s mathematical,
and wrong. Volatility is not risk. Those who have written about risk don't know how to measure risk.
Past volatility does not measure risk. When farm prices crashed, [farm price] volatility went up, but a
farm priced at $600 per acre that was formerly $2,000 per acre isn’t riskier because it’s more volatile.
[Measures like] beta let people who teach finance use the math they've learned. That’s nonsense. Risk
comes from not knowing what you’re doing. Dexter Shoes was a terrible mistake. I was wrong about
the business, but not because shoe prices were volatile. If you understand the business you own,
you’re not taking risk. Volatility is useful for people who want a career in teaching. I cannot recall a

1
“Risk Management – Principles and Guidelines,” ISO/FDIS 31000:2009(E), page v.
2
APM Body of Knowledge, 5th ed., Association for Project Management, Bedfordshire, UK, 2006, page 26.
3
“Basel ii Operational Risk,” available at http://www.basel-2.org/Basel_ii_Operational_Risk.html, accessed October 12,
2010.
4
“Equity Risk Premium,” Investopedia, available at http://www.investopedia.com/terms/e/equityriskpremium.asp, accessed
October 12, 2010.
5
“Volatility,” Investopedia, available at http://www.investopedia.com/terms/v/volatility.asp, accessed November 3, 2010.
Page 3 9B11B001

case where we lost a lot of money due to volatility. The whole concept of volatility as a measure of
risk has developed in my lifetime and isn’t any use to us.”6 – Warren Buffet.

A review of these definitions of risk might lead a manager to conclude that the issue of risk involves “an
effect, the potential for its occurrence, and their combined effect on objectives” (see Exhibit 1).

A list of risk terminology is included in Exhibit 2. The risk frameworks listed in Exhibit 1 are typically
included in what is defined generally as enterprise risk management, or ERM. An early definition of the
term, by the Casualty Actuarial Society, was as follows:

ERM is the discipline by which an organization in any industry assesses, controls,

exploits, finances, and monitors risks from all sources for the purpose of increasing the
organization’s short- and long-term value to its stakeholders.7

Broad Categories of Risks

Given the working definition of risk listed above, almost any interaction will carry some form of risk,
whether negative or positive. Executives have the potential to engage in fraudulent transactions that will
result in the failure of firms: Enron Corporation filed for bankruptcy in 2001 after the company was
discovered to have hidden billions of dollars in debt from failed projects in accounting vehicles;
WorldCom tried to hide declining earnings by capitalizing costs instead of expensing them and artificially
boosting revenues.

Even if no fraud is involved, the allure of short-term gains can prove disastrous. For example, consider the
situation in the early 2000s, as the fall in U.S. interest rates increased the attractiveness of using debt as a
way to boost equity returns when acquiring assets.

The year-over-year rises in property and stock market values prompted banks to become less conservative
with their lending standards. In addition, as investors looking for yield started to purchase mortgage-
backed securities, firms started to specialize in generating and packaging mortgages — both prime and
subprime — for resale. The drop in lending standards was one of the factors that set the stage for the global
financial crisis in 2008. In the finance industry, participants could hold a variety of risks (see Exhibit 3).

The phenomenon of participants taking on too much risk was not limited to the finance industry. In the
corporate world, the boost in equity returns for any public company was matched by competitors —
employing similar high-leverage strategies — in an attempt to keep up. As an example, in 2004, MGM
Studios was acquired by a Sony and a consortium of investors in a $5 billion buyout that included only
$1.5 billion in equity.8 The consortium was betting that consumers would start seeking out Blu-ray high-
definition DVDs, and the consortium wanted to control a strong source of content — the MGM film
library. When high demand did not materialize, sales from MGM’s film library fell from $400 million in

6
Warren Buffett, “The 2007 Berkshire Hathaway Annual Meeting Top 20 Questions,” available from http://www.ndir.com/cgi-
bin/stingynews.cgi?Topic=3497&Name=Top%2020%20questions%20from%202007's%20meeting, accessed November 3,
2010.
7
Overview of Enterprise Risk Management, Casualty Actuarial Society, Enterprise Risk Management Committee, Arlington,
VA, May 2003, p. 8.
8
Dan Lonkevich and Michael White, “Sony, Two Buyout Firms May Acquire MGM for 5 Bln, People Say,” Bloomberg, April
22, 2004, available at http://www.armeniandiaspora.com/showthread.php?2338-Sony-Two-Buyout-Firms-May-Acquire-
MGM-for-5-Bln-People-Say, accessed October 12, 2010.
Page 4 9B11B001

2004 to just $70 million in 2010.9 Because MGM could not service its debt, it filed for bankruptcy on
November 3, 2010.

Firms that survived the financial crisis of 2008–2009 generally reacted in similar ways: paring down
operations, divesting non-core assets and building cash reserves. By mid-2010, non-financial companies in
Standard & Poor’s list of the largest 500 U.S. corporations were collectively holding $837 billion in cash,
equal to 10 per cent of their total equity market value, even though interest rates were practically at zero. In
contrast, in the late 1990s and early 2000s, the cash-to-equity market value ratio averaged 6.6 per cent.10
Apparently top management at these firms prioritized safety (higher liquidity) in exchange for the risk of
lower long-term returns.

History has shown, however, that risk appetite returns eventually, leading to overconfidence and, usually,
another crisis. When commenting on the global financial crisis of 2008–2009, the news media often cite
the Great Depression of 1929, the oil crisis of the 1970s that led to the 1973–1974 stock market crash, the
stock market crash of 1987 and the bursting of the dot-com bubble in 2000–2001.

The notion that financial crises (apart from the Great Depression of 1929–1933) are recent phenomena
should be dispelled. Many other financial crises have occurred throughout U.S. history, and they seem to
have occurred regularly:

 Panic of 1792: A financial credit crisis due to speculation resulted in a bank run and led to banks being
bailed out.
 Panic of 1837: A severe banking crisis resulted in a six-year economic depression.
 Western Blizzard, 1857: A crisis due to excessive foreign imports and the rapid construction of
railroads (the dot-com bubble of that era) on borrowed and speculative capital led to bank failures.
 Post-Civil War Panic, 1865–1869: Financial uncertainty followed the American Civil War.
 Panic of 1873: Overexpansion from the railroad industry, an economic downturn in Europe and a
contraction in the money supply led to bank failures and a six-year economic depression.
 Panic of 1884: During the recession of 1882–1885, New York City national banks called in
outstanding loans and worsened the crisis, resulting in the failure of 10,000 investment firms.
 Panic of 1893: Numerous bank failures, due to the collapse of railroad construction, excessive debt
levels and high demand for gold, led to the most serious economic depression experienced by the
United States thus far.
 Panic of 1901: The first stock market crash occurred on the New York Stock Exchange due to parties
vying for control of the Northern Pacific Railway.
 Bankers’ Panic of 1907: During an economic recession, the New York Stock Exchange fell 50 per
cent from its highs the previous year, and led to runs on banks and trust companies.
 Depression of 1920–1921: A sharp deflationary recession followed the end of World War 1.
 Great Depression 1929–1933
 Kennedy Slide, 1962: The S&P 500 fell 23 per cent after rising steadily since the 1940s, triggering a
bear market.
 Stock Market Crash, 1973–1974
 Stock Market Crash, 1987
 Dot-com Crash, 2000–2001
 Financial Crisis, 2008–2009

9
Devin Zydel, “The Secret Numbers Behind the MGM Fiasco,” defamer.com, available at
http://commanderbond.net/9639/the-secret-numbers-behind-the-mgm-fiasco.html, accessed October 20, 2010.
10
Matt Krantz, “Company Hold Record $837B in Cash, Yet Won’t Hire Workers,” USA Today, July 29, 2010, available at
http://www.usatoday.com/money/companies/2010-07-28-cashcows28_ST_N.htm, November 3, 2010.
Page 5 9B11B001

Whereas the previous examples of the failure of individual firms focus on financial or operational risk at
the micro level, the nationwide panics underline the need for a better understanding of systemic risks. It is
difficult to draw general conclusions about these panics, other than they were sparked by an imbalance of
greed, fear or both. In some cases, these panics were the result of speculation and overextension of credit;
in others, a result of a contraction of supply (such as oil) or the result of an attempt to corner the market
(such as in 1901).

HOW FIRMS MANAGE RISK

When managers consider how to manage risk, they grapple with two concepts: risk capacity and risk
appetite. The concept of risk capacity is linked to the organization’s objectives and the amount of risk it is
capable of taking on, in pursuit of its objectives. For example, a common organizational objective may be
to grow shareholder value at a pace that is the same as — or better than — its peer group. In the pursuit of
that growth, the organization might take on some debt to fund various capital projects. Raising debt might
allow it to avoid the need to raise equity and, thereby, the dilution of earnings per share.

Based on the shareholder value of its peer group, the organization may be able to take on debt until it
reaches a certain portion of its capital structure, say 30 per cent. We can say that the organization will stay
within its risk capacity, all other things being equal, if it raises debt at or below 30 per cent of its capital
structure.

Management might, however, conclude that more debt or less debt is needed, depending on the situation.
For example, the economy might be experiencing a downturn, and firms that are seen to have stronger
balance sheets may be rewarded with higher price-to-earnings multiples. On the other hand, management
might feel that the cost of debt is at historic lows, and, thus, it is the right time to raise long-term debt,
locking in the current rates. In this example, management’s preferences — or risk appetite — will
determine how the organization’s risk capacity is utilized. How managers decide to act on the basis of their
risk appetite will have an impact on the firm’s objectives. Consider this following quote from Charles
Turner, a Liverpool merchant, a century and a half ago:

The brokers have been in the habit, we all know now pretty well, not only of advancing
upon goods after their arrival, to meet bills drawn against those goods, which is perfectly
legitimate, and upon bills of lading, which, to a certain extent, might also be done, but,
beyond that, they have done what is perfectly illegitimate; they have advanced upon the
produce before it was shipped, and in some cases before it was manufactured.11

Approach to Risk Management: Reactive or Proactive?

A search of public sources reveals almost no example of firms implementing risk management strategies in
the absence of external triggers (such as an economic crisis, the impending failure of rivals, legislation or
shareholder questions) or internal triggers (initiated proactively, for example, by top management).12 We
might conclude that firms are more likely to look at risk management reactively, meaning the processes

11
Edwin T. Freedley, A Practical Treatise on Business, Lippincott, Grambo, and Co., Philadelphia, 1852, page 226.
12
Although we were unable to find examples of proactive risk managers, a Google search results in 400,000+ online links to
consulting firms or books selling “proactive risk management” advice. Source: Google search, available at
http://www.google.ca/#sclient=psy&hl=en&q=proactive%20risk%20management%20&aq=f&aqi=&aql=&oq=&gs_rfai=&pbx=
1&fp=d4d970cac17ea4ff&pf=p.
Page 6 9B11B001

Exhibits 4 to 10 provide a sample list of risk management tools used by various organizations. In general,
each framework requires decision-makers to follow a step-by-step process to set a context, evaluate the
issue, determine the risks, identify and communicate with stakeholders, perform analysis, implement the
changes and continually monitor the situation.

In addition to requiring a set of tools, firms typically rely on risk management structures, such as the board
of directors and committees focused on risk, audit and compliance. Conventional wisdom suggests that
having independent directors on the board and strong institutional ownership increases the alignment
between the objectives of management and shareholders.

Risk management tools and structures are important elements of a risk management strategy, but they may
not be sufficient in isolation. For example, all of the firms affected by or implicated by recent financial
crises had risk management strategies in place. In that group were, notably, AIG, Enron, Bear Stearns,
Countrywide Financial and Merrill Lynch. Moreover, recent research conducted at the University of
Southern California on the performance of 296 financial institutions in 2007to 2008 found that “none of
the tenets of good corporate governance stood up to close examination.” A report on the study continued:

Directors who were well informed about finance performed no better than know-nothings.
Companies that separated CEOs and chairmen did no better. Far from helping companies
to weather the crisis, powerful institutional shareholders and independent directors did
worse in terms of shareholder value. Indeed, the proportion of independent directors on
boards was inversely related to companies’ stock returns.

Why was this? The authors argue that in the run-up to the crisis powerful institutional
owners pushed firms to take more risks to boost shareholder returns. This suggests, they
argue, that outside shareholders may be inherently more risk-hungry than managers who
have their livelihoods tied up with their companies.

They also argue that independent directors were much more likely to press firms into
raising more equity capital even when the company’s share price was tanking. One
possible reason for this is that independent board members were worried that their value in
the market for directorships will plummet if they have overseen companies that have filed
for bankruptcy or debated restructuring.13

One possible conclusion is that an appropriate risk management strategy should pay close attention to the
incentives of the firm’s various stakeholders — both internal and external —and how those biases drive
decision-making.

The Impact of Culture on Risk Management

Media reports frequently suggest that managers of firms that failed were ignorant of the risks they were
taking; however, top management might have continued pursuing short-term incentive targets despite
advice to the contrary from their own risk managers. In the years before the financial crisis, the risk-
management department at one mortgage lending operation “was referred to as the ‘business-prevention
unit,’ and looked at as a cost center,” said Cliff Rossi, a former risk manager at the lending unit.14 On the

13
The Economist, “Corporate Constitutions,” October 30, 2010, page 74.
14
Jody Shenn, “U.S. Financial Reform Efforts Lack ‘Cover’ for Risk Managers, Rossi Says,” Bloomberg.com, June 16, 2010.
Page 7 9B11B001

other hand, like the following example, top management of at least one firm averted disaster by a change in
strategy that resulted in a reduction in risk:

It was the second week of October 2006. William King, then J.P. Morgan’s chief of
securitized products, was vacationing in Rwanda, visiting remote coffee plantations he
was helping to finance. One evening CEO Jamie Dimon tracked him down to fire a red
alert. “Billy, I really want you to watch out for subprime!” Dimon’s voice crackled over
King’s hotel phone. “We need to sell a lot of our positions. I’ve seen it before. This stuff
could go up in smoke!”15

Although the leaders of organizations may set the risk management tone and have a large impact on a
firm’s culture, management’s commitment to risk management, by itself, may not be sufficient. For
example, in January 2008, the media reported that a single trader at Société Général, Jerome Kerviel, took
massive bets with the bank’s capital, costing the firm $7 billion in losses.

From 1992 to 1995, Nick Leeson, a derivatives trader, made increasingly riskier bets with Barings Bank’s
capital, resulting in the firm’s bankruptcy in 1995, after the $1.4 billion losses were discovered to be twice
the bank’s available trading capital. This incident was the firm’s second brush with disaster, and it proved
fatal.16 Just prior to the discovery of the losses, Peter Baring, chairman of Barings, stated: “It is really
rather easy to make money from derivatives.”17

Although it is clear that “culture” can have a large impact on the effectiveness of risk management
strategies, little emphasis is placed on “culture” in the currently available management tools. Although
mention is made of “human factors,” “cultural factors” and “stakeholder analysis,” to inexperienced
managers, these terms can be ambiguous, leading to the danger that, in the overall analysis, these key
factors will receive comparatively little attention.

Recently, the author of an academic article argued for a broader look at risk management:

a thin conception of “risk appetite” predominantly focused on capital rather than human
behaviour is an important source of “intellectual failure” within the Enterprise Risk
Management model which should be addressed by regulators, senior managers and
boards.18

We argue that, in risk management, more emphasis needs to be focused on individuals’ incentives. Note
that in all of the examples of crises and failures, it was the incentives driving a handful of individuals that
resulted in financial and reputational ruin for many.

15
Shawn Tully, “Jamie Dimon’s SWAT Team: How J.P. Morgan’s CEO and His Crew Are Helping the Big Bank Beat the
Credit Crunch,” Fortune, available at http://money.cnn.com/2008/08/29/news/companies/tully_dimon.fortune/, accessed
November 3, 2010.
16
In 1880, Barings Bank had to be rescued by a consortium of British banks when it became overexposed to Argentine and
Uruguayan debt.
17
Nigel Payne, “Risk Management at Enron et al.,” Accountancy SA, available at
http://findarticles.com/p/articles/mi_qa5377/is_200204/ai_n21311497/, accessed November 2, 2010.
18
Michael Power, “The Risk Management of Nothing,” Accounting, Organizations and Society, 34, 2009, p. 854.
Page 8 9B11B001

A TOOL FOR RAPID RISK ASSESSMENT

In 2010, while the global economy was still recovering from the financial crisis, managers and other
stakeholders continued to focus on risk identification and management. As already described, there is no
shortage of templates and tools to aid managers in developing a comprehensive risk management strategy.

What might be difficult for managers, however, is the continual allocation of resources to fine-tune the risk
management strategy once the strategy’s details have been signed off by stakeholders. Even when robust
risk strategies and structures are put in place, the dynamic nature of the corporation — new hires, a change
in the management team, the emergence of a new competitor and new regulations — may require revisions
to the risk management strategy. Most threats should be stopped by a firm’s risk management strategy.
Some threats, however, may pass undetected. As indicated by the feedback loop arrows in the various risk
management tools, new threats need to be continually identified and assessed.

We suggest firms use a five-step tool that is based on the concept of a risk blind spot, which might allow
serious threats to slip through unchecked. This tool is set apart from other tools by two key differences: a
single-stage approach that takes into account the interplay of multiple factors and the focus on individual
incentives as a prominent element of the analysis (see Exhibit 11).

The Risk Blind Spot Tool is meant to complement the comprehensive risk management frameworks
proposed by other organizations. This tool allows a manager to take a snapshot of an emerging situation
and evaluate whether immediate action is needed. To use the tool, managers start with what they know of
the threat and its potential impact to place the threat within the context of the firm and its environment
(identification and information). Next, managers can determine whether a robust risk management
infrastructure already exists, which will identify and contain the threat. Last, and most importantly,
managers are asked to analyse the organization’s competing interests (or Risk Capacity) and incentives (or
Risk Appetite). As is alluded to in this overview, breakdowns in risk management — in practice —
typically occur at this stage.

In an ideal situation, when the various pieces of information are assembled, all five areas should be
aligned. If anomalies or conflicts exist, these blind spots might allow threats to pass through. Although this
tool might be of use when a manager is aware of a potential issue, it will not be of help when the manager
does not perceive a threat in the first place.

See Exhibit 12 for an example of how the Risk Blind Spot Tool might be used to evaluate the situation
faced by Jamie Dimon of JP Morgan in 2006.

According to Dimon’s description of how his firm sidestepped the subprime crisis, his intervention was
clearly key to the elimination of the threat. In fact, Dimon intervened even though shareholders were
looking for higher returns and the company’s own risk management infrastructure had not yet detected the
threat. Table 5 shows an example of how the Risk Blind Spot Tool might be used to evaluate the situation
faced by Toyota in the late 2000s (see Exhibit 13).

By the mid-2000s, Toyota was the most valuable automotive firm and was set to surpass General Motors
as the largest car company in the world. However, in Toyota’s race to market share leadership, it had
sacrificed its quality production principles, leading to a series of recalls that threatened its brand image.
The previous two examples have been informed by the benefit of hindsight. The following is a hypothetical
assessment of a current issue, the rapid rise in gold prices resulting in, possibly, a gold bubble (see Exhibit
14).
Page 9 9B11B001

Currency devaluation, poor economic conditions and the threat of inflation have led many to perceive that
one of the surest investments is gold bullion. However, a look at the historical, real price of gold suggests
that gold prices might be at or approaching “bubble” territory in late 2010 (see Exhibit 15). On November
15, 2010, gold was trading at US$1,359 an ounce, more than twice the historical inflation-adjusted
average. Is gold overvalued? Although only time will tell for sure, it seems that gold is overvalued. The
following is a passage from A Practical Treatise on Business, which was published in 1852 and might shed
some historical light on this particular situation:

The time for entering on trade is when things are at their worst, and that is not a bad time
to enter on speculation; you may trade in anything or everything, but you can speculate
only in a few things. You should not speculate in axe-handles, wooden bowls, hoop-poles,
shoe-pegs, washing-machines,19 or mouse-traps, because countrymen and mechanics can
make them to order in any quantity when they are wanted.

Take a commodity and find out the average price of years, excluding from consideration
extreme cases, and when the price has fallen by the average of years, buy.

It matters not to a speculator whether things rise or fall. When prices are high, of course
there is a great demand, and business is brisk; when prices are low, there is little demand,
and business is dull. Hence the temptation in the one case, and the discouragement in the
other. Therefore, to be a good merchant or speculator, as to be a good general, nerve is
necessary: and the one as well as the other must often act in the face of appearances.

He must believe, contrary to what the fabulous first inhabitants of the earth are reported to
have done, that the sun will rise again after it has set. Nay, we should say a good merchant
must always act contrary to appearances, at least to what appears to the generality of
mankind.

He must buy when no other person will buy; sell when no other person will sell; although
certainly, if properly considered, it is most consistent with reason to buy when things are
low; to sell when they are high.

Is there any danger of letting people into these secrets? None whatever; for, as
Spurzheim20 said, men are so stupid there is no fear of their ever becoming wise. He, it is
said, who has the folly of mankind for an inheritance, has a plentiful estate.21

The preceding passage speaks about how speculators can take significant risk out of an impending trade by
having the right data in hand (statistics), by understanding the context (what to speculate in, what to stay
away from) and, most importantly, by understanding human behavior. This example and the others in this
note hint at the importance, in risk management, of taking a comprehensive approach and paying particular
attention to the interests, incentives and biases of decision-makers.

19
The author refers here to wooden wringer washing machines, which were operated by hand.
20
Johann Spurzheim was a German physician who lived from 1776 to 1832.
21
Edwin T. Freedley, A Practical Treatise on Business, Lippincott, Grambo, and Co., Philadelphia, 1852, pp. 169–170.
Page 10 9B11B001

Exhibit 1

COMPONENTS OF RISK

Definition of Risk An Effect Uncertainty Objectives

ISO 31000 “The effect . . .” “. . . this uncertainty . . “. . . has on an
.” organization’s
objectives.”
Association for Project “. . . will have an effect . “. . . an uncertain event . “. . . achievement of one
Management . . positive or negative. . . .” or more project
.” objectives.”
Basel II Accord “. . . loss . . .” [uncertainty of] as Not stated but implied in
defined by their use of the phrase
the word “risk”
Equity Risk Premium “. . . excess return . . .” [uncertainty of] as Not stated
(term) defined by their use of
the word “risk”
Volatility (academic Certainty of returns (not “. . . variance . . .” Not stated
term) stated)
By Warren Buffet Losses (not stated) Incorrect assessment due Not stated
to lack of information or
incorrect conclusions
(implied)
Page 11 9B11B001

Exhibit 2

ISO/IEC RISK TERMINOLOGY

 consequence – outcome of an event

 event – occurrence of a particular set of circumstances
 probability – extent to which an event is likely to occur
 risk – combination of the probability of an event and its consequences
 risk acceptance – decision to accept a risk (Note: Risk acceptance depends on risk criteria.)
 risk analysis – systematic use of information to identify sources and to estimate the risk (Note:
Risk analysis provides a basis for risk evaluation, risk treatment and risk acceptance
 risk assessment – overall process of risk analysis and risk evaluation
 risk communication – exchange or sharing of information about risk between the decision maker
 and other stakeholders
 risk control –actions implementing risk management decisions
 risk criteria – terms of reference by which the significance of the risk is assessed
 risk estimation – process used to assign values to the probability and consequences
 risk evaluation – process of comparing the estimated risk against the given risk criteria to
 determine the significance of the risk
 risk financing – provision of funds to meet the cost of implementing risk treatment and related
 costs (Note: In some industries, risk financing refers to funding only the financial consequences
related to the risk.)
 risk identification – process to find, list and characterize elements of risk
 risk management – coordinated activities to direct and control an organization with regard to
 risk
 risk management system –set of elements of an organization’s management system concerned
 with managing risk
 risk transfer – sharing with another party the burden of loss or benefit of gain, for a risk
 risk treatment – process of selection and implementation of measures to modify risk
 residual risk – risk remaining after risk treatment
 source identification – process to find, list and characterize sources
 stakeholder – any individual, group or organization that may affect, be affected by, or perceive
itself to be affected by, a risk

Source: ISO/IEC Guide 73.

Page 12 9B11B001

Exhibit 3

A SELECTED LIST OF RISKS IN FINANCE

Industry Risks
Finance (1) Basis risk: Changes in interest rates will cause interest-bearing liabilities (deposits) to be repriced at
a rate higher than that of the interest-bearing assets (loans).
(2) Capital risk: Losses from unrecovered loans will affect the financial institution’s capital base and may
necessitate floating of a new stock (share) issue.
(3) Country risk: Economic and political changes in a foreign country will affect loan repayments from
debtors.
(4) Default risk: Borrowers will not be able to repay principal and interest as arranged (also called credit
risk).
(5) Delivery risk: Buyers or sellers of a financial instrument or foreign currency will not be able to
meet the associated delivery obligations on their maturity.
(6) Economic risk: Changes in the state of economy will impair the debtor’s ability to pay or the
potential borrower’s ability to borrow.
(7) Exchange-rate risk: Appreciation or depreciation of a currency will result in a loss or a naked
position.
(8) Interest-rate risk: Decline in net interest income will result from changes in relationship between
interest income and interest expense.
(9) Liquidity risk: There will not be sufficient cash and/or cash-equivalents to meet the needs of
depositors and borrowers.
(10) Operations risk: Failure of data-processing equipment will prevent the bank from maintaining its
critical operations to the customers' satisfaction.
(11) Payment system risk: Payment system of a major bank will malfunction and will hinder
its payments.
(12) Political risk: Political changes in a debtor’s country will jeopardize debt-service payments.
(13) Refinancing risk: It will not be possible to refinance maturing liabilities (deposits) when they
fall due, at an economic cost and terms.
(14) Reinvestment risk: It will not be possible to reinvest interest-earning assets (loans) at current market
rates.
(15) Settlement risk: Failure of a major bank will result in a chain reaction, reducing other banks’ ability
to honor payment commitments.
(16) Sovereign risk: Local or foreign debtor-government will refuse to honor its debt obligations on
their due date.
(17) Underwriting risk: New issue of securities underwritten by the institution will not be sold, or
its market price will drop.
Page 13 9B11B001

Exhibit 4

ISO/DFIS RISK MANAGEMENT TOOL

Relationships between the risk management principles, framework and processes

Relationship between the components of the framework for managing risk:

Source: ISO/FDIS 31000:2009(E), pages VII and 9.

Page 14 9B11B001

Exhibit 5

CANADIAN STANDARDS ASSOCIATION’S RISK MANAGEMENT GUIDELINES

FOR DECISION-MAKERS

Source: Canadian Standards Association, Risk Management: Guideline for Decision-Markers, (CAN/CSA-Q850-97), author,
author, Mississauga, ON, 1997.
Page 15 9B11B001

Exhibit 6

ASSOCIATION FOR PROJECT MANAGEMENT RISK MANAGEMENT TOOL

The risk management process

Source: Project Risk Analysis and Management Guide, 2nd Edition, Association for Project Management, Buckinghamshire,
UK, 2004, as depicted in APM Body of Knowledge, 5th Edition, Association for Project Management, Buckinghamshire,
United Kingdom, 2006, p. 26.
Page 16 9B11B001

Exhibit 7

NETWORK FOR ENVIRONMENT, RISK ASSESSMENT AND MANAGEMENT (NERAM) RISK

MANAGEMENT TOOL

NERAM Benchmark Risk Management Framework

Expanded Benchmark Framework for Risk Assessment and Treatment Options

Source: Network for Environment, Risk Assessment and Management, pp. 8–9.
Page 17 9B11B001

Exhibit 8

AUSTRALIA/NEW ZEALAND RISK MANAGEMENT STANDARDS

Source: Australia/New Zealand Risk Management Standards (AS/NZS 4360:1999).

Page 18 9B11B001

Exhibit 9

THE JAPANESE INDUSTRIAL STANDARD RISK MANAGEMENT SYSTEM

Source: JSI Q 2001:2001.

Page 19 9B11B001

Exhibit 10

THE RISK MANAGEMENT PROCESS OF THE

INSTITUTE OF RISK MANAGEMENT, THE ASSOCIATION OF INSURANCE AND RISK MANAGERS
AND THE NATIONAL FORUM FOR RISK MANAGEMENT IN THE PUBLIC SECTOR

Source: Association of Insurance and Risk Managers.

Page 20 9B11B001

Exhibit 11

THE RISK BLIND SPOT TOOL1

Identification Information
•What is the threat? •What is known about it?
•What is its potential •How likely is it to occur?
impact? •Let’s put it in context:
•Global
•Competition
•Regulatory
•Customers

Incentives
•Management’s incentives
•BoD’s incentives
•Employees’ incentives
•Shareholders’ incentives
•Other stakeholders…
•Any conflicts in
Risk Appetite?
Any
Blind Interests
•What are our objectives?
Spots? •What are our owners? ’
(shareholders’) objectives?
•What is our Risk Capacity?

Infrastructure
•Do we have appropriate
risk management
Infrastructure?

1
Source: Case writers.
Page 21 9B11B001

Exhibit 12

A HYPOTHETICAL ASSESSMENT OF THE STRUCTURED PRODUCTS OPPORTUNITY IN 2006

JP Morgan
Identification
•Risk of amplified
losses from
complex derivatives
•Large losses leading
to insolvency are
possible
Information
•Seen this before
•Counter-party risks
underestimated, not sure when
it will blow up but it will blow up
•Competitors ignoring it
•Regulators prefer to leave it
to the invisible hand and
customers unaware

Incentives Any
•Management and
Blind Interests
employees have short - •Safeguard company viability
term incentives Spots? •Shareholders seek returns
•But CEO has sounded •Risk capacity is large
the alarm so but it may not be enough
Risk appetite is revised
from medium to low

Infrastructure
•Yes, we have the
infrastructure, but the
infrastructure did not
detect the threat
Page 22 9B11B001

Exhibit 13

A HYPOTHETICAL ASSESSMENT OF THE TOYOTA MOTOR COMPANY IN THE LATE 2000S

Toyota

Identification Information
•Defective parts lead to •We know there are defects
to drop in standards •We don’t know how extensive
•The threat is an the problems are
expensive recall and •We have one of the strongest brands
damage to the brand for quality; the Big Three have weaker
reputations for quality

Incentives Any
•Management’s Blind Interests
incentive to become the •Objectives = quality product
Spots? •Owners = share appreciation
#1 in car sales is overtaking
The ability to expand while •Risk Capacity = medium
maintaining quality
•Risk Appetite is High

Infrastructure
•We have the appropriate
infrastructure on paper but
a tendency to conform and
underreport errors and slow
reaction has rendered infra-
structure ineffective
Page 23 9B11B001

Exhibit 14

A HYPOTHETICAL ASSESSMENT OF THE GOLD BUBBLE OF 2010/11

The Gold
Bubble
circa Information
Identification •Historical average real
2010-11 •Large demand price of gold might be in the
for a non-productive range of US$630 per ounce
asset is widespread; •Closed at US$1359 per once on
“common knowledge” November 15, 2010, twice the
that gold is the only average real price
safe investment; large •Consumers hoarding gold
increases in value •Steady increase in price
since 2001

Incentives Any Interests

•US devalues the dollar Blind •Consumers looking for
to re-invigorate exports Spots? capital protection during a
•Wary of a return to the currency war
economic crisis of 2008/09 •Intrinsic value of owning
•Underestimate the something physical
potential for a FALL •Requires long-term
in gold prices capital appreciation
Risk Appetite is •Risk Capacity =
high Infrastructure medium
•We have the historical data
to evaluate the potential for
further increases/decreases in
the price of gold; but current
demand and beliefs driven by
emotions and recent events
Page 24 9B11B001

Exhibit 15

THE HISTORICAL PRICE OF GOLD

Gold Bullion, US$/Troy Ounce

Average Monthly Price
1 January 1970 to 1 November 2010

2,500

x Highest daily price achieved on January 21st, 1980 at $2248 (in 2010 dollars)
2,000
Indexed to 2010 = 100

1,500

Average Real Gold Price = US$635.00

1,000

500

0
Jan-70
Jan-71
Jan-72
Jan-73
Jan-74
Jan-75
Jan-76
Jan-77
Jan-78
Jan-79
Jan-80
Jan-81
Jan-82
Jan-83
Jan-84
Jan-85
Jan-86
Jan-87
Jan-88
Jan-89
Jan-90
Jan-91
Jan-92
Jan-93
Jan-94
Jan-95
Jan-96
Jan-97
Jan-98
Jan-99
Jan-00
Jan-01
Jan-02
Jan-03
Jan-04
Jan-05
Jan-06
Jan-07
Jan-08
Jan-09
Jan-10
Gold Bullion US$/Troy Ounce Adjusted for Inflation Average Real Gold Price, 1970-2010

Source: DataStream and Case writers