
Certified Expert in Risk Management

Module 1: General Introduction into Risk Management


Symbols

Introduction

Definition

Example

Remember

Further Reading

Video Lecture

6. Edition 9/2015
© 2015 Frankfurt School of Finance & Management, Sonnemannstr. 9 –
11, 60314 Frankfurt am Main, Germany

All rights reserved. The user acknowledges that the copyright and all
other intellectual property rights in the material contained in this
publication belong to Frankfurt School of Finance & Management
gGmbH. No part of this publication may be reproduced, stored in a
retrieval system or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without the prior
written permission of the publisher. Violations can lead to civil and
criminal prosecution.

Printed in Germany
Contents

1 What is Risk?

2 Risk Management Principles and Process

2.1 High-Level Risk Management Strategy

2.2 Principles of Risk Management

2.3 Risk Management Process

3 Other Risk Management Credentials

4 Exercises



Abbreviations
ABC Activity Based Costing
ALCO Asset and Liability Management Committee
ALM Asset-Liability Management
ATM Automated Teller Machine
ATTF Agence de Transfer de Technologie Financière
BCBS Basel Committee on Banking Supervision
BSC Balanced Scorecard
CAR Capital Adequacy Ratio
CGAP Microfinance Secretariat at the World Bank
COSO Committee of Sponsoring Organizations of the Treadway Commission
EAD Exposure at Default
EL Expected Loss
ERM Enterprise Risk Management
EUR Euro currency
FRM Financial Risk Manager - professional designation
HR Human Resources
ISO International Standards Organization
KPI Key Performance Indicator
KRI Key Risk Indicator
LGD Loss given Default
MFI Microfinance Institution
MIS Management Information System
MIV Microfinance Investment Vehicle
MSME Micro-, Small and Medium Enterprise
NBFI Non-Bank Financial Institution
NGO Non-Governmental Organization
NPL Non-Performing Loan
OHSAS Occupational Health & Safety Advisory Services
PAR Portfolio-at-risk
PD Probability of Default
PMI Project Management Institute
PMI-RMP PMI Risk Management Professional designation
PRM Professional Risk Manager professional designation
ROA Return On Assets
ROE Return On Equity
SME Small and Medium Enterprise
TA Technical Assistance
USD US Dollar



Learning Outcomes
This module will get us started thinking about risk in more systematic terms,
that is, from the perspective of managing an organization in a dynamic and
competitive external environment.

After studying this module you should be able to:

• define the notion of risk in a general, non industry-specific context,
• communicate effectively about the fundamentals of enterprise
  risk management, risk processes, high-level risk mitigation and
  transformation strategies,
• position your objective of applying risk management to financial
  institutions within the global risk management movement: what
  are the main sources of best practices, what are typical
  applications of risk management across industries, what kind of
  professional associations and certifications are out there?

Introduction to Risk Management

1 What is Risk?
Here we are. I have a stack of expensive books on Risk in Banking on my
desk, have been consulting in risk management for more than ten years, and
I am still having a hard time defining "risk".

Risk truly is one of the most overused and least understood buzzwords of
our time. It is right up there with "process", "design", "system" and "value".
Try it: The guy who gets passed over for the promotion says: "The
Schlenovo laptop weighs 15 kilos and has a 5 inch screen, I do not think
anyone will buy this." The upwardly mobile consultant says: "Let's hold a
workshop on strategic design risk. We need to build a customer-centric
value system right into our core processes."

Possibility of Loss

So, I asked a few regular people what they think risk is: Mostly the response
is about the possibility of something bad or negative happening, a loss or an
injury, for example. For sure, risk has an element of uncertainty about future
outcomes. And these future events must be relevant to us, in the sense that
the individual or the organization cares, or should have cared, about the
outcome of the uncertain situation. We may call this relevance "exposure" to
the uncertain outcome. The proverbial bag of rice that may or may not tip
over in China is uncertain, but it is only a risk if we are interested or invested
in the outcome. If I bet a thousand dollars on whether the bag stands or
falls, or if it falls I don't eat for a week, then I am exposed. Now, the
uncertainty about the bag tipping or not has become a risk.

Sometimes in statistics or game theory, risk is simply equated to uncertainty
pure and simple. Rolling a six-faced die, for example. The outcome is
uncertain, is risky. One might even say that the outcome is objectively
uncertain and that obtaining a six has an objective probability of 1/6.

Objective Uncertainty?

Yet, are these outcomes really objectively uncertain? Or, are we simply
ignorant of the detailed mechanics of die throwing: trajectory angles, wrist
flick velocity, tablecloth friction coefficients, etc. This is not just a
philosophical question: Our risk model might assume that next week's
EUR/USD exchange rate is the result of a "random walk", while in fact it is
the certain knowable result of a deterministic process, and a nuclear
physicist at a hedge fund has already figured out the formula. Often, random
events in finance feel indeed more like rolling a die - with a metal plate
under the six and a strong magnet under the table - than an honest game of
chance. If you are philosophically inclined, I recommend the discussion of
subjectivist versus objectivist probabilities in the brilliant article by Glyn A.
Holton "Defining Risk", which you will find in the essential reading collection.



For now, let's go with the mainstream definition of risk:

Risk is a form of uncertainty about outcomes that may have a
potentially adverse effect on an individual or an entity. Risk is
subjective as perceived by the entity that would sustain the loss or
injury.

If the future loss is certain, it is not a risk. Jumping out of an airplane without
a parachute to certain death is not risky. However, if I jump with a
parachute, the uncertain survival is a risk to myself and my family who are
invested in my earnings capacity. To the reader, the outcome of a sky-diving
adventure by a risk management consultant is revenue neutral, thus not a
risk.

Risk = Volatility

Many other alternative definitions of risk exist for different industries or
special analytical applications. In portfolio investment theory, for example,
we view risk in the context of the classic risk/return trade-off. Here, risk is
defined as the uncertain variation of a financial return around an average
expected outcome. Thus the volatility, i.e. the standard deviation of
continuously compounded annual returns, becomes the "risk". We will get to
the math behind this assertion later, when we discuss credit and market
risks. The interesting point to note now is that this volatility definition of risk
includes both positive and negative deviations of outcome. Gains and losses
relative to the average return expectation are both manifestations of risk.

Risk = Expected Loss?

In the medical field, a definition used by the Occupational Health & Safety
Advisory Services (OHSAS) defines risk as the product of the probability of a
hazard resulting in an adverse event, times the severity of the event.[1] This is
similar to the concept of an "expected loss" which we will use in the
discussion of credit risk. There, we also multiply the probability of a default
with the net amount at stake in the event that a client defaults on a loan. But
we would not call this expected loss "the risk". Rather the opposite, we will
look at the expected loss more like a certainty that must be priced to the
client. The risk is instead in the variation of the actual future loss around this
expected value, most importantly to the upside, of course, towards big stress
losses.
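
The distinction drawn above between the expected loss and the risk around it, worked through as an added example that is not part of the course material. The portfolio (100 identical loans, PD = 2%, EAD = 1,000, LGD = 50%) is constructed, and the loans are assumed to default independently, so the number of defaults is binomial.

```python
"""Expected loss versus the variation of actual losses around it.

Added illustration. All portfolio figures are constructed sample values.
Assumption: loans are identical and default independently of each other,
so the number of defaults follows a binomial distribution.
"""
from math import comb, sqrt


def expected_loss(n_loans, pd, ead, lgd):
    """EL = number of loans x PD x EAD x LGD: the amount priced to clients."""
    return n_loans * pd * ead * lgd


def default_distribution(n_loans, pd):
    """Probability of exactly k defaults, for k = 0 .. n_loans."""
    return [
        comb(n_loans, k) * pd**k * (1 - pd) ** (n_loans - k)
        for k in range(n_loans + 1)
    ]


def loss_std_dev(n_loans, pd, ead, lgd):
    """Standard deviation of the portfolio loss around the expected loss."""
    return sqrt(n_loans * pd * (1 - pd)) * ead * lgd


def loss_quantile(n_loans, pd, ead, lgd, confidence):
    """Smallest portfolio loss that is not exceeded with the given confidence."""
    cumulative = 0.0
    for defaults, probability in enumerate(default_distribution(n_loans, pd)):
        cumulative += probability
        if cumulative >= confidence:
            return defaults * ead * lgd
    return n_loans * ead * lgd


def summarize(n_loans, pd, ead, lgd, confidence):
    """Separate the priced expected loss from the risk around it."""
    el = expected_loss(n_loans, pd, ead, lgd)
    stress = loss_quantile(n_loans, pd, ead, lgd, confidence)
    return {
        "expected_loss": el,
        "std_dev": loss_std_dev(n_loans, pd, ead, lgd),
        "loss_at_confidence": stress,
        # The part of the stress loss that pricing the EL does not cover.
        "unexpected_loss": stress - el,
    }


if __name__ == "__main__":
    # Constructed sample portfolio: 100 loans, PD 2%, EAD 1,000, LGD 50%.
    for name, value in summarize(100, 0.02, 1000, 0.5, 0.99).items():
        print(f"{name:>20}: {value:,.2f}")
```

The expected loss is the same every year, while the loss at the 99% level is three times as large; that gap, not the expected loss itself, is what the text calls the risk.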

[1] "Risk is a combination of the likelihood of an occurrence of a hazardous
event or exposure(s) and the severity of injury or ill health that can be
caused by the event or exposure(s)" (OHSAS 18001:2007).



In Standard 31000 (2009) and ISO Guide 73:2002, the International
Standards Organization defines risk as follows:

Risk is the potential that an event, action or inaction will adversely
impact the ability of an entity to achieve its organizational objectives.
In this definition, uncertainties include events which may or may not
happen as well as uncertainties caused by ambiguity or a lack of
information.

The ISO Standard 31000 (2009) is widely recognized as the current best
practice consensus in risk management. It was developed in a broad
consultative process and incorporates inter alia the experience and prior
guidance from a diversity of thought leaders on risk management, including:
• the Committee of Sponsoring Organizations of the Treadway
  Commission (COSO), www.coso.org.
• the 1999 (revised 2005) Turnbull Report on corporate internal
  control and risk management disclosure in the UK. Nigel Turnbull,
  "Internal Control: Guidance for Directors on the Combined Code",
  www.icaew.com/en/library/subject-gateways/corporate-governance/codes-and-reports/turnbull-report.
• the Project Management Institute (PMI), www.pmi.org
• the Australia and New Zealand Risk Management Standard
  AS/NZS4360:2004, www.mwds.com/AS4me_files/AS-NZS%204360-2004%20Risk%20Management.pdf
• Group of Thirty Report, following the derivatives trading disasters of
  the early 90s in the US, www.group30.org
• Criteria of Control (CoCo) model developed by the Canadian
  Institute of Chartered Accountants, www.cica.ca
• Sarbanes-Oxley Act (2002) in the US, which places greater
  responsibility on the board of directors to understand and monitor an
  organization's risk, www.soxlaw.com.
• New York Stock Exchange Corporate Governance Rules (2004
  update), www.nyse.nyx.com.

ISO 31000 (2009) / ISO Guide 73 "Risk Management Vocabulary" states:

A risk management framework is a set of components that provide
the foundations and organizational arrangements for designing,
implementing, monitoring, reviewing and continually improving risk
management throughout the organization.

The above notion of a risk management framework is essentially equivalent
to the widely discussed concept of Enterprise Risk Management (ERM). In
2004, the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) defined ERM in its "Enterprise Risk Management -
Integrated Framework" as follows:



Enterprise risk management is a process, carried out by the
entity's board of directors, management, and other personnel,
applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk
to be within the risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.

Risk & Strategy

What is new in the ERM perspective on risk is that ERM is directly related to
"strategy setting". ERM creates value by being embedded in the strategic
planning and execution process. This clearly elevates risk management
from a mere compliance function (checking off legal requirements) towards a
strategic enabler that supports the attainment of the organization's
objectives.

More Terminology

The ERM definition also alludes to the idea of "risk appetite". This is
another key term in the high-level management approach to risk. It implies
that an organization should have a consensus on how much risk it is willing
to take on in the pursuit of its objectives. So, in addition to just defining
"risk", it is clear that we must expand our vocabulary by a few more pieces of
high-level risk terminology: What exactly then is risk appetite, risk tolerance,
risk exposure, risk severity and a risk limit? We are sorry to bring up so
many new terms, but if Eskimos have 19 different words for snow, a good
risk manager will need a few extra words for risk as well. Also, let's
remember that we have not even begun to speak about the more specific
guidance and best practices for risk management in financial institutions. So
far, everything we say about risk is universal and applies to a chemical
manufacturing company or to a software development firm just the same.

Why is a concise grasp of generic high-level risk terminology relevant, when
we are all eager to finally get down to the specifics and crunch some
numbers? We will get to look through the risk microscope soon enough, but
the preliminaries are important. This is because risk managers sometimes
end up measuring the wrong thing with great precision, while the house is on
fire somewhere else. Also, as a risk manager you have to "sell" the very
specific and sometimes tedious practices you are imposing on the
organization. So, it is essential to be conversant in the rapidly evolving risk
management language in order to show how what we do fits in with ERM,
ISO, COSO, etc. So, here we go:

Risk appetite is the amount and type of risk an organization is
prepared to pursue or take, in order to attain the objectives of the
organization and those of its shareholders and stakeholders. (ISO
Guide 73).

"Risk tolerance" sounds rather similar, but is generally used with a more
specific meaning that is subordinate to risk appetite. It already begins to
operationalize risk appetite by means of tolerance thresholds or limits.



Risk tolerance(s) is/are quantified risk criteria or measures of risk
exposure that serve to clarify and communicate risk appetite. Risk
tolerances are used in risk evaluation in order to determine the
treatment needed for acceptable risk.

Risk appetite and its risk tolerance measures always have two dimensions:
one that focuses on the average expected situation and one that considers
extreme outcomes or "worst-case" situations:

1) The average, "normal" risk appetite dimension refers to typical outcomes
   in the absence of major macroeconomic crisis or a disruptive technology
   breakthrough by competitors and generally evolves in a
   business-as-usual context.
2) The unexpected or worst-case dimension of risk appetite emphasizes the
   organizational survival and explores the resilience and robustness of
   its business model when faced with extreme loss events.

The term risk exposure then describes the extent to which an entity is
vulnerable to a certain risk or portfolio of risks. Mylera/Lattimore propose
that risk exposure be defined as a function of the potential impact of a risk
event and its likelihood of occurrence[2]. This is similar to a definition of risk in
industry and the medical field (see the OHSAS risk definition above) but not
really mainstream, certainly not in financial services. Exposure is more
frequently used like this:

Risk exposure designates a gross measure of risk, before taking
account of risk mitigation and before applying any particular
knowledge about the probability of loss events that would activate
the exposure.

For example, when we speak about the risk arising from transacting in
foreign currencies, the exposure could be measured by an open position as
the gross amount that is exposed to exchange rate risk. However, it is
impossible that the entire amount of the open position would ever be lost.
The possible losses resulting from an open position would be determined by
confronting the gross exposure with an analysis of how much exchange
rates may actually vary over a certain period of time with what level of
probability.

[2] Ken Mylera & Joshua Lattimore, How to Create and Use Corporate Risk
Tolerance, p.144. In Fraser & Simkins eds., Enterprise Risk Management.
2010.



We further distinguish risk severity as a separate notion in the description of
risk:

Risk severity is determined by the size of the possible loss or the
gravity of the impact, in the event that a certain risk should
materialize. It does not imply any particular knowledge about how
likely or frequent such an event might be. (See "Hazard Analysis",
Wikipedia.org).

Others also define risk severity along the lines of the health and industrial
understanding of risk, i.e. as the product of the probability of occurrence
times the size of the potential loss.[3] However, we think it is beneficial to look
at risk severity as a distinct dimension, before combining it with a perspective
on the frequency or probability of loss. This two-dimensional tension field
provides a very useful platform for strategic thinking about risk in
organizations, see Figure 1 below.

A risk limit is a measure of risk, either expressed in terms of (gross)
exposure or possible loss or in another metric that tends to correlate
with exposure or possible loss. Being a limit, this measure of risk is
articulated as an indication of risk tolerance with the intention to
constrain risky activities or positions within an entity to an acceptable
level.

Finally, we need to define some commonly used risk attitude terms that
relate to the inclination of an entity to readily take on risks or to rather avoid
them. This is about being a risk-taker, being risk-neutral, or being risk
averse.

Assume that you place a bet on the outcome of flipping a coin. "Heads" you
win one dollar, "tails" you receive nothing. Knowing that both possible
outcomes should have equal probability, you can expect on average to win in
half of the attempts, as long as you play the game often enough. How much
would you be willing to pay to play this game? If you are willing to pay more
than 50 cents per round, you are a risk taker, if you pay exactly 50 cents
you are risk neutral, if you are willing to risk less than 50 cents you are risk-
averse.

In traditional economic theory, we often like to think of human economic
behavior as being fully rational. Profit maximizing robots would certainly only
play the coin toss game, if the wager was 49 cents or less. Humans behave
differently, however. Otherwise, there would be no casinos or national
lotteries. The casino business model is based on the principle that the
wager placed must always be more than the expected value of the game
from the gambler's perspective.

[3] See ARAMIS - Accidental Risk Assessment Methodology for Industries
in the Context of the Seveso II Directive: ARAMIS project: the severity
index. Planas, Casal, Delvosalle et al. in Safety & Reliability, Bedford and
van Gelder eds., 2003.



Risk Perspective is Relative

Now, are you risk averse or rather a risk taker? Are traders risk addicts and
are microfinance managers risk averse? It depends, of course. Rolling a
six-face die or playing Russian roulette with a six-shot revolver is statistically
equivalent. But clearly, if the stakes are a few dollars on a game of dice with
friends, it's easy to be a risk-taker. But when it comes down to Russian
roulette, it seems rational to become extremely risk averse. Naturally then,
organizations may display a risk-taker attitude when setting their risk appetite
on new products, i.e. taking a gamble on an innovation that could be the next
iPhone or otherwise flop entirely. Entrepreneurial start-ups are never risk
averse, or the people working there would not have left their secure jobs
elsewhere. But the risk-taking will happen with manageable stakes, such
that the ultimate downside is still survivable. When the risk is so severe that
survival of the entity is in question if it materializes, then suddenly, the entity
will become risk-averse on this particular exposure.

Does entity survival matter?

Risk aversion on matters of entity survival is actually a curiosity from a
portfolio investment perspective. Why should an economic entity be so
stuck on its survival that the owners would allow it to become risk averse? In
theory, the entity and its managers and staff don't really matter. Owners are
well diversified and if one of their shareholdings takes the bullet from the
economic Russian roulette, five others will have made a profit. The answer
is, of course, that there are massive costs and inefficiencies associated with
bankruptcy. Bankruptcy destroys careers, drains pension funds and leaves
valuable assets to rot, such that institutional survival does indeed become a
strategic objective in itself, even for diversified shareholders.

Empire building and diversification are often inefficient for owners

This said, we still think it is worthwhile to address this issue of difference in
perspective on risk between owners and managers or staff early on. It is
important to keep this tension in mind when discussing the governance of
risk. It can also explain some curious institutional behavior towards risk
which seems poorly aligned with stakeholder interests. So, the point is that
management tends to diversify business and in-source more activities in an
attempt to reduce the volatility of earnings and build an empire under their
control. This risk-aversion is inefficient from the owner's standpoint, because
the earnings are being stabilized at a much lower average (expected) value
than before the risk mitigation. Owners would have been fine with the higher
earnings risk in a pure-play undiversified business, because they have
several other irons in the fire. The take-away lesson here is that risk is never
absolute: what is a severe risk to the manager's career plans or to a
director's bonus may not be an important risk to the organization's overall
objectives, or may not really concern shareholders and vice versa. So,
before we take far-reaching decisions on risk, it is always helpful to pause
and think about exactly whose risks we are managing.

While we are establishing the basic terminology of risk, it is time to define the
term governance or corporate governance, which we have already been
using in various combinations with risk and sometimes as a close proxy for
risk management.



In its most generic form, corporate governance is defined as the
system by which companies are directed and controlled. Corporate
governance involves regulatory and market mechanisms, and the
roles and relationships between a company’s management, its
board, its shareholders and other stakeholders, and the goals for
which the corporation is governed.

Much of the recent interest in corporate governance is concerned with
mitigation of the conflicts of interests between stakeholders, for example
between executive management, owners, ordinary employees, clients and
the general public. The general public may be impacted by external effects
originating from the company's activities, such as by pollution, for example.

Ways of mitigating or preventing these conflicts of interests include the
processes, customary practices, policies, laws and institutions, which
influence the way a company is controlled. An important theme of corporate
governance is the nature and extent of accountability imposed on decision
makers in business and the abuse of power and excessive compensation
awarded to executive managers.

The key words that resonate in the definition of (corporate) governance are
control, accountability, conflicts of interest and decision-making under
uncertainty. Exercising good corporate governance is about achieving the
strategic objectives of an organization, while balancing the interests of
stakeholders and protecting the assets of the organization in a context of
uncertain outcomes. This is largely overlapping with our definition of
(enterprise) risk management, particularly in financial institutions where all
major business variables are uncertain.

Glyn A. Holton, Defining Risk, Financial Analysts Journal, Vol. 60. 2004.
http://riskexpertise.com/papers/risk.pdf.



2 Risk Management Principles and Process
2.1 High-Level Risk Management Strategy
Before we move to the ISO 31000 (2009) principles and the risk
management process, let's discuss some very high-level risk management
strategies that an entity might deploy to interact with various exposures.
This way, the following introduction of the ISO principles and process will not
feel quite so abstract.

Figure 1 provides a two-dimensional map that can be used to classify risks
and suitable strategies to manage them as a function of severity and
probability of occurrence.

                     Low SEVERITY                    High SEVERITY
High PROBABILITY     Manage / Internalize (yellow)   Avoid / Transfer
Low PROBABILITY      Accept (green)                  Share / Transfer (blue)

Figure 1: Risk Severity / Risk Probability Map and Risk
Management Strategies

High Severity & Low Probability

Consider the blue box at the intersection of high severity and low
probability. For an individual, this might be the risk of death or disability
from a traffic accident. To a data center operation, it might be the
simultaneous loss of multiple redundant wide-area network paths that would
cut the center off from all outside communications. The chart suggests
sharing or transferring such a risk, rather than just bearing it and hoping for the
best. The classic method for sharing a risk is insurance. Insurance works
best in cases where the risk is rare, but catastrophic if it does materialize.
Since the event is rare, the premium that the individual entity would have to
pay into an insurance pool will be small. Yet, in the aggregate, the premiums
would still suffice to compensate the damage at those few entities that are
struck by this risk every year. Because the event is so severe, there is little
temptation for an entity to willingly bring on the risk event or neglect basic
precautions that could minimize the incidence of the risk. Thus, so-called
moral hazard[4] is low.

Low Severity & High Probability

Now move to the yellow quadrant, where severity is low but the frequency
of occurrence is high. From an individual's perspective, examples in this
area include minor common illnesses such as a cold or flu and dental
cavities. If one tries to insure such routine health risks in a private
unsubsidized insurance market, it cannot come as a surprise that the annual
premium will be equal to the expected health maintenance cost plus an
administrative handling fee plus a moral hazard surcharge. The moral
hazard arises, because individuals can significantly influence the rate at
which the risk materializes (brush your teeth, eat better, etc.) and will often
neglect precautions because they are insured. Or, they will over-consume
treatment services, just to get their money's worth for their premium. The
high probability / low severity situation, therefore, is treated most efficiently
by managing down the probability as best as possible, while absorbing the
losses that do materialize rather than trying to share or transfer them.

Low Severity & Low Probability

Consider the green section that combines low severity and low frequency.
That's clearly a nice problem to have and often should simply be accepted.
Otherwise, the mitigation effort could end up costing more money than could
have been lost, if the risk occurred unmitigated. As an example, many
companies have given up on controlling basic office supplies, like pens and
paper. Such controls should have discouraged staff from over-consuming or
taking supplies home. Take the test: how many of those pens in your
drawers at home have you actually bought yourself? Yet, most companies
have decided it's not worth the effort to stop pen and paper theft. Rather,
you should have your logo printed on the office supplies and let staff
accidentally spread your marketing message in the community.

High Severity & High Probability

Finally, let's turn to the killer combination of high severity and high
probability. Imagine a chemical munitions recycling business. Many things
can go wrong and will go wrong frequently, and when they do, people will be
seriously hurt. If possible, an entity should simply stay away from this
activity. If the activity cannot be avoided, the solution would be to transfer it,
i.e. contract it out to another entity. Ideally, that other entity would specialize
in these types of high-risk activities and have the technologies and skills to
mitigate the probability and the severity of the risk.

[4] Moral hazard is defined as a lack of incentive to guard against risk where
one is protected from its consequences, e.g., by insurance.



Hedging is not a miracle

Often people reflexively opt for risk mitigation or hedging as the risk
treatment strategy. If risk and uncertainty are the problem then creating
certainty and removing the risk should be the obvious solution. However,
this is frequently not optimal, as we will show in the following example.

Consider an airline that is heavily exposed to the cost of jet fuel. The
management is concerned about the risk that fuel prices might increase
further next year and that this may push the airline into an accounting loss.
So, hedging the fuel price would seem like the proper risk management
strategy. What is the simplest way to hedge a factor input against future
price increases? Exactly, what your grandmother would have done when
she was afraid potatoes might go up: You buy them today and store them.
Now, you have certainty of the price of jet fuel for the next year. Instead of
putting the fuel in the tank, you could also just buy Jet-A fuel futures
contracts and thus fix the price but defer delivery and cash payment.

The hedging strategy superficially removes the fuel price risk, but this is not
a miracle solution, is it? If prices fall next year, the airline will be burning the
most expensive fuel in the industry and will be losing money while
competitors win. It might have been better to use hedging or insurance to
cut off some of the rare but extreme price events that could threaten survival,
but not lock in the entire fuel bill for next year. If you are not hedged and fuel
prices do go up, they will rise for all airlines and you can probably pass most
of the cost increase on to customers.

Strategic interaction with risk is complex and non-linear

A better strategy than hedging the fuel cost might be to reduce exposure to
fuel prices by buying more fuel efficient planes. But if prices fall, the
investment may not pay off and the competition's old planes are flying more
cheaply. But then there is the correlation of new planes with a positive
image of safer and more comfortable travel, which might make new planes a
good investment regardless of fuel cost. This shows that strategic
interaction with risks is never simple or linear. We squeeze the risk out of
one end of the balloon just to make it reappear elsewhere. So, we better get
used to it: Risk management is about dealing effectively with
uncertainty and complexity.

2.2 Principles of Risk Management

ISO 31000 is principle-based, not prescriptive

The ISO framework is principle-based rather than prescriptive. It provides a
general framework for enterprise risk management with the expectation that
individual countries, industry sectors, and organizations will craft their own
detailed and specific frameworks that meet the challenges of their particular
situation and environment. For the financial sector this is clearly the case:
While the ISO standard provides a globally acceptable conceptual
framework, we will in the subsequent modules develop the risk management
framework for small banks and microfinance institutions based on much
more specific guidance from the Basel Committee on Banking Supervision,
central banks, national financial regulators and industry associations and
international development agencies.

The overarching ISO principle is that risk management should add net
value to the organization. Risk management should make money,
enhance reputation, contribute to public safety, improve sustainability,
reduce harm and generally augment the benefits of economic activity to all
stakeholders. Based on a comprehensive analysis of prior risk management
guidance, the ISO Working Group identified ten principles for risk
management (ISO 31000, clause 4):

ISO Risk Management Principles

Risk Management:

1) Creates value for objectives of health, reputation, profits,
compliance and so on, less the costs of risk management.
2) Is an integral part of organizational processes including project
management, strategic planning, auditing, and others.
3) Is part of decision making through analysis and evaluation so as to
understand risk and determine whether it is acceptable as treated.
4) Explicitly addresses uncertainty and how it can be modified.
5) Is systematic, structured and timely and produces replicable and
verifiable outcomes and decisions.
6) Is based on best available information including historical data,
expert opinion, stakeholder concerns, etc. and is tempered with the
quality and availability of the information.
7) Is tailored to the organization, its objectives, its risks, and its
capabilities.
8) Takes human and cultural factors into account in addition to
technical and other "hard" factors that impact the likelihood of risk
consequences.
9) Is transparent and inclusive so that communication and consultation
with stakeholders keeps the risk management and risk tolerances
current and relevant.
10) Is dynamic, iterative and responsive within a continuous
improvement environment that responds to changes in context,
trends, risk factors and other internal and external factors.

2.3 Risk Management Process
Figure 2 illustrates a typical risk management framework that an organization
would implement under ISO 31000.[5] In addition to the main components of
an enterprise risk management framework, it shows the further processes
and functions necessary for implementation and continuous improvement.
The ISO Risk Management Process is represented by the boxes at the
center of the framework overview in Figure 2.

The context element in the Risk Management Process sets the stage for the
decision or activity requiring risk management. Risk assessment identifies,
analyzes and evaluates the risks. Risk treatment enhances the probability
of positive outcomes and reduces the incidence of negative outcomes to
within acceptable levels. Monitoring and review keeps close watch over
the risk and the controls implemented to modify the risk. Finally, the process
includes a permanent, ongoing effort at communication and consultation
to ensure that the stakeholders are engaged and contribute to the
management of risks.

[Figure 2: ISO 31000 Compatible Risk Management Framework and Risk
Management Process. Center boxes (Risk Management Process): Establish
Context; Risk Assessment (Identify Risks, Analyze Risks, Evaluate Risks);
Treat Risks; with Communicate and Consult and Monitor and Review alongside.
Outer loop (Strategic Process): Commit & Mandate; Communicate & Train;
Structure & Accountability; Review & Improve; with the Management
Information System.]

[5] Adapted from John Shortreed, "ERM Frameworks", p. 103. In Fraser &
Simkins eds., Enterprise Risk Management. 2010.

The core Risk Management Process is embedded into a strategic process
loop as shown on the outside of the schematic in Figure 2. The strategic
process starts with the left upper corner and goes around clockwise: (1) the
Board must commit the institution to a particular organizational mandate and
risk appetite and (2) communicate these risk tolerances and risk
management principles to senior management and throughout the entire
organization. This involves training on specific expectations and limits to
every manager and employee. (3) Articulating the risk tolerances must occur
within a clear organizational structure that ensures monitoring and control
over actual exposures and losses versus risk tolerances such that there can
be accountability and consequences. (4) Finally there must be feedback to
the Board on the performance of the strategy. Lessons must be learned and
risk appetite / tolerances must be reviewed based on the changing
realities of the business environment.

A key element, maybe the critical element, that underpins both the core risk
management process as well as the strategic feedback loop around it, is the
management information system. Without efficiently generated, timely,
and systematic data on exposures and materialized losses versus limits,
there cannot be accountability for risk and no organizational learning and
improvement of risk management.

Just as a word of caution, we should note that Figure 2 is not meant as an
implementation-ready flow chart of the risk management process in any
particular organization. Rather, it should be read as a relational depiction of
the process components and functional elements that must still be tied
together in a specific process that will be adjusted to the particular situation
of an implementing organization.

3 Other Risk Management Credentials
Risk is a very hot topic in the financial sector, so obviously there are many
other training and certification programs besides the Frankfurt School
e-learning certificate in Risk Management. As a risk professional you should
be aware of what else is out there and feel comfortable with your choice of
the Frankfurt School e-Learning Certificate.

Where the Frankfurt School e-learning Certificate fits in

If you compare the various programs, you will notice that we made an effort
to align ours with the theoretical foundations, terminology and quantitative
methodologies that are shared by risk management practitioners worldwide.
All of the industry certifications and academic programs are rigorous,
worthwhile and require hard work to pass the exams. We believe ours is
more reasonably priced, is more approachable for non-traditional students,
offers more support and guidance, and is uniquely focused on financial
services for SMEs and micro-entrepreneurs in an emerging and developing
market context. Other programs seem to suppose that financial services
only exist in perfect worlds where every business is quoted on the stock
exchange, issues bonds and has a rating from S&P; and every retail
customer is formally employed at a major corporation that is quoted on the
stock exchange, has a rating and issues bonds etc.

Unique Focus on Risk in Micro & SME Finance

Other programs are certainly also academically challenging and practically
useful for risk management in any financial sector anywhere. But with the
Frankfurt School e-Learning Certificate under your belt, you can walk proudly
among various certified risk managers knowing that you will speak the same
language of risk and master the same theoretical apparatus. However,
where you will leave the others eating your dust is in applying risk
management to the particular circumstances of retail financial services in
emerging and developing markets. For example, in this course you will learn
how to design, calculate, interpret and maintain a statistical micro-enterprise
credit score. And we will do this with a simple statistical plug-in for Excel
without buying an expensive software "solution" and flying in an army of
implementation consultants. It is not that difficult, actually.

So, let's not be too modest, Frankfurt School e-Learning Certificate holders
are at least as smart as the other guys:

The Financial Risk Manager (FRM) and the Energy Risk Professional
certifications are offered by the Global Association of Risk Professionals
(www.garp.org). The FRM exam has two levels. Level 1 covers core areas
of risk management including quantitative analysis, financial markets and
products, and risk modeling. Level 2 focuses on the practical
implementation of risk management techniques used to manage credit,
market and operational risk. This exam also covers current issues in
financial markets.

The Professional Risk Manager (PRM) designation is awarded by the
Professional Risk Managers' International Association (PRMIA). The PRM
requires four exams that must be passed in Finance Theory, Financial
Instruments and Markets, Mathematical Foundations of Risk Measurement
and Risk Management Practices.

In order to maintain their FRM and PRM designations, risk managers
must keep up their membership in the sponsoring organizations and take a
certain minimum of continuing education credits every year.

The Project Management Institute (www.pmi.org) awards the PMI Risk
Management Professional (PMI-RMP) designation. The RMP certification
shares the main body of general risk management knowledge but focuses
the application of the methodological tools on project risk management. The
RMP program enables students to identify and assess project risks, mitigate
threats and capitalize on opportunities, while still conferring baseline
knowledge and practical applications in all areas of project management.

The Agence de Transfer de Technologie Financière (www.attf.lu) is the
joint education platform for the financial sector in Luxembourg. Since 2005,
ATTF has held annual workshops on 'Risk Management Excellence in
Microfinance' that stand in high regard among financial institutions from
emerging and developing markets. In parallel, ATTF arranges longer-term
technical assistance and implementation missions in risk management at
selected microfinance institutions. ATTF is also well known for organizing
preparatory courses for the GARP certifications as well as the ACI dealing
and operations certificates. You may not know that the content of the ACI
Capital Markets Association certificates and diplomas is managed by the
Frankfurt School. The author of this Certified Expert course actually also
writes the test questions for the Risk and Asset Liability Management
components in the ACI credentials. Risk Management for financial services
is a small world!

In many ways what ATTF does follows the model of Frankfurt School's
"Summer Academy" executive workshops in Frankfurt and other global
locations. The Risk Management Competence Center at Frankfurt School's
International Advisory Services also provides technical assistance to many
SME banks and microfinance institutions as they implement modern risk
management programs. In fact, most of the examples and case studies that
we will consider in this e-Learning Certificate are inspired directly by this
practical work in the field.

In short, there are many other good options out there, but you have definitely
come to the right place, if you are looking for international best practice in
risk management in an accessible format and with a very practical, hands-on
twist on inclusive financial services in developing and emerging markets.
Let's get going and dig into the details!

4 Exercises
For the first Module, we will let you get off easy with a few review questions
and some quick internet research. There will be progressively more technical
exercises and complex case studies in the following modules.

Review Questions Module 1

Define the following terms:

• risk
• risk appetite and risk tolerance
• risk exposure and risk severity
• risk attitude: risk taker, risk neutrality, risk aversion.

Answer the following questions using the discussion in this module:

• In terms of severity and probability, what types of risks are best
  suited for management by means of insurance?
• How can a wheat farmer hedge the price risk of his upcoming
  harvest, assuming he is concerned about falling prices over the
  next six months?
• Is removing the uncertainty about future prices always an
  efficient risk management strategy?
• Can you give an example that shows to what extent uncertainty and
  risk are subjective, meaning they depend on the perspective of
  the entity contemplating the particular situation?

Independent Study Module 1

Do an internet search and read up on the following concepts and ideas:

• (Modern) Portfolio Theory, Markowitz.
• Capital Asset Pricing Model.
• Standard Deviation: definition & computation (also check the
  Excel formula descriptions).
• ISO 31000 (2009)
• Nigel Turnbull: "Internal Control: Guidance for Directors on the
  Combined Code"

Explore the following websites mentioned in this module:

• Committee of Sponsoring Organizations of the Treadway
  Commission (COSO): www.coso.org
• Project Management Institute (PMI): www.pmi.org
• Global Association of Risk Professionals: www.garp.org.
