### The Building Blocks of Risk Management

After completing this reading you should be able to:

• Explain the concept of risk and compare risk management with risk-taking.
• Describe elements, or building blocks, of the risk management process and identify problems and challenges that can arise in the risk management process.
• Evaluate and apply tools and procedures used to measure and manage risk, including quantitative measures, qualitative assessment, and enterprise risk management.
• Distinguish between expected loss and unexpected loss and provide examples of each.
• Interpret the relationship between risk and reward and explain how conflicts of interest can impact risk management.
• Describe and differentiate between the critical classes of risks, explain how each type of risk can arise, and assess the potential impact of each type of risk on an organization.
• Explain how risk factors can interact with each other and describe challenges in aggregating risk exposures.

## Risk and its Management

Risk refers to the potential variability of returns around an expected return from a portfolio or an expected outcome. The financial risk that arises from uncertainty can be managed and mitigated. Modern risk management refers to the ability, in many instances, to price risks and to provide adequate compensation for the risk taken in business activities.

The building blocks of risk management include:

1. The classic risk management process
2. Identifying knowns and the unknowns
3. Expected loss, unexpected loss, and the tail loss
4. Risk factor breakdown
5. Structural change from tail risk to a systemic crisis
6. Human agency and conflicts of interest
7. Typology of risks and risk interactions
8. Risk aggregation
9. Balancing Risk and Reward
10. Enterprise risk management

## 1.  Types of Risk and Their Interactions

Risks can be grouped according to the business environment in which they arise. Grouping risks is essential because it lets institutions account for specific risks when managing them, and each type of risk requires different skills to manage.

A typical typology of risks should always be flexible to accommodate new forms of risks that are ever-emerging (such as cyber risks). The following diagram gives the typical modern typology of corporate risks:

### Market Risk

This is the risk associated with the potential reduction in the value of a portfolio or security due to changes in financial market prices and rates. Price risk can be decomposed into a general market risk component (the risk that the market as a whole will fall in value) and a specific market risk component (idiosyncratic component), unique to the particular financial transaction under consideration. In trading activities, risk arises both from open (unhedged) positions and from imperfect correlations between market positions that are intended to offset one another.

Market risk can be further classified into the following categories:

Interest rate risk: It arises from fluctuations in market interest rates, which may cause a decline in the value of interest-rate-sensitive portfolios. For example, the bond market is affected by interest rates in the market. Curve risk can arise in portfolios in which long and short positions of different maturities are effectively hedged against a parallel shift in yields, but not against a change in the shape of the yield curve. If the rates of the positions are imperfectly correlated, basis risk may arise in offsetting positions having the same maturity.

Equity price risk: This is the risk associated with volatility in stock prices. The market risk component is the sensitivity of the equity or a portfolio to a change in the level of a market index. This risk cannot be eliminated by diversification. The idiosyncratic or specific risk is the component of volatility determined by firm-specific characteristics like its management, production line, etc. This can be eliminated by diversification.

Foreign exchange risk: Due to operations that involve foreign currencies, imperfectly hedged positions in certain currencies may arise, which may cause exposure to exchange rates. Major factors influencing foreign exchange risk are imperfect correlations in currency prices and fluctuating international interest rates.

### Credit Risk

The risk associated with a counterparty not fulfilling its contractual obligations is the credit risk. For example, the default on a credit card loan is the scenario in which credit risk materializes for a credit card company.

Credit risk can be further classified into:

• Bankruptcy risk – The risk associated with a borrower’s inability to clear his debt leading to a takeover of his collateralized assets.
• Downgrade risk – The risk that there might be a decline in credit ratings of a borrower because of a drop in his creditworthiness.

Credit risk is a matter of concern only when the position is an asset and not a liability. If the position is an asset, then a default by the counterparty may cause a total or partial loss of the position's value. The value that is likely to be recovered is called recovery value, while the amount that is expected to be lost is called loss given default.

At the portfolio level, the issues to be addressed are the following:

• The creditworthiness of the obligor: Based on this, an appropriate interest rate or spread should be charged to compensate for the risk undertaken.
• Concentration risk: The extent of diversification of the obligor should be a concern.
• The state of the economy: When the economy is booming, the frequency of defaults is comparatively lower than when there is a recession.

### Liquidity Risk

It comprises funding liquidity risk and market liquidity risk.

Funding liquidity risk is associated with the risk that a firm will not be able to settle its obligations immediately when they are due. It relates to raising funds to roll over debt and to meet margin calls and collateral requirements. Funding liquidity risk can be managed by holding highly liquid assets like cash.

Trading liquidity risk (also called market liquidity risk) is the risk associated with the inability of a firm to execute transactions at the prevailing market price. It may reduce the institution’s ability to hedge market risk and its capacity to liquidate assets when necessary.

### Operational Risk

It refers to the risk that arises due to operational weaknesses like management failure, faulty controls, inadequate systems, among others. Human factor risk is one of the essential operational risks, and it results from human errors like entering wrong parameter values, using wrong controls, among others. Technology risk arises from a computer system’s failure.

### Business Risk

It arises from the uncertainties in demands, the cost of production, and the cost of delivery of products. Business risk is managed by framing appropriate marketing policy, inventory policies, choices of products, channels, and suppliers, etc. Business risk is affected by the quality of a firm’s strategy and its reputation too.

### Strategic Risk

It is the risk associated with significant investments for which the uncertainty of success and profitability is high. It is related to the strategic change in the policies of a company to make it more competitive in the marketplace.

### Reputation Risk

It concerns two beliefs: first, that an enterprise can settle its obligations to counterparties and creditors and, second, that it follows ethical practices. Trust and fair dealing are two essential things that drive businesses. For example, reputation is of crucial importance in the financial industry.

### Interactions of Risk Types

Risks can flow from one type to another. For instance, during hard business times, risk can flow from credit risk to liquidity risk and then to market risk. This kind of flow was seen in the 2007-2009 financial crisis.

Another example is where operational risk (in the form of poor trading activity by traders) flows to market risk by creating unfavorable market positions. Moreover, this can go on to become a reputation risk for the company concerned.

## 2.  The Risk Management Process

Given below is the flow chart of the risk management process:

Risk management includes identifying the type and level of risk that is appropriate for the firm to assume, analyzing and measuring the risk, and assessing the possible outcomes of each risk. The final stage is the management of the risks.

### Methods of Risk Management

1. Avoiding the risk: some risks can be managed by avoiding them. For instance, closing down the business unit or changing the business strategy.
2. Retaining or keeping the risk: the company can accommodate the risk by insuring it.
3. Mitigation of the risk: this method involves an attempt to decrease the exposure, frequency, and severity of the risk. A good example is the improvement of a firm’s infrastructure and putting collateral on credit exposure.
4. Transferring the risk: this method applies to risks that can be transferred to a third party. An example is in derivative products where a company pays a premium to a party to accept a certain level of risk.

## 3.  Known and Unknown Risks

According to Donald Rumsfeld (1921), risk managers should concentrate not only on known risks but also on unknown risks. He also classified the risks, as seen in the diagram below.

Unknown risks can be very significant and essential, even though their measurement can be impossible. Unknown risks can be managed using the usual forms of risk management.

Rumsfeld's classification implies that risk managers should focus not only on measurable risks but also on unknown risks. They should strive to unravel the “unknown unknowns,” which include threats that remain hidden.

## 4.  Expected, Unexpected and Tail Loss

### The Expected Loss

The expected loss can be defined as the mean loss an investor (position taker) might expect to experience from a portfolio. The expected risks are those that may be large in size, are predictable, and could be avoided with the risk management process.

Theoretically, portfolios usually bear the loss that is near to the average loss, which can be statistically measured with some degrees of freedom.

Expected loss can be calculated from the underlying risk factors. Such factors include:

• The probability of occurrence of risk event
• The size (severity) of the loss
• The exposure to risk

Let us take an example of credit risk to the bank. Denote the probability of default by PD, bank’s exposure at default by EAD, and severity of loss given default by LGD. So, the EL is given by:

$$EL=EAD \times LGD \times PD$$

So, how does the bank’s manager make sure that they make a profit? The bank management should come up with the price that covers the expected loss. It is important to note that the computation of expected loss is based on assumptions.

### The Unexpected Loss

The unexpected loss is the level at which the losses in a portfolio differ from the average loss. Unexpected losses arise from unanticipated variability in the losses.

For instance, in a credit portfolio, an unexpected loss can be caused by a difference in the number and severity of the loans. That is, a large number of small loans are diversified, and hence we can estimate the expected loss. However, if the EL continuously changes due to macroeconomic factors, it leads to unexpected loss.

In some cases, some portfolios (such as credit) can show extreme loss variance over some interval of time. In this case, the expected loss (EL) is calculated by averaging the loss from the long run of good years and a short run of bad years. However, in bad years, the losses can rise to an unexpected level and even to extreme levels. Consequently, banks are forced to increase their risk capital and to include an expected loss in pricing their products, to guard themselves against huge unexpected losses, which can cause insolvency and defaults.

### Value-at-Risk (VaR)

VaR is a statistical measure that defines a particular level of loss in terms of its chances of occurrence, i.e., the confidence level of the analysis. In other words, VaR utilizes loss distribution relative to a portfolio or a position to approximate losses at a given level of confidence.

For example, if a position in an option has a one-day VaR of $1 million at the 99% confidence level, then the risk analysis will show that there is only a 1 percent probability of a loss that is greater than $1 million on any given trading day.

The VaR measure works under normal conditions of the market and only over a short period, such as one trading day. Potentially, it is a poor and misleading measure of risk in abnormal markets, over more extended periods, or for illiquid portfolios. VaR also depends upon the control environment. Trading controls can be circumvented, and this usually happens when back-office staff, business line managers, even risk managers do not have a proper understanding of the critical significance of routine tasks, such as an independent check on volatility estimates, for the integrity of key risk measures.
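The expected loss formula and the VaR definition above can be tied together on one loss distribution. The following Python sketch is an added example, not part of the original reading: the loan figures are constructed, defaults are assumed independent, and unexpected loss is measured here as VaR minus EL, which is an assumption about convention rather than something the text specifies.

```python
# Added example: exact loss distribution for a small credit portfolio.
# All loan figures are constructed; defaults are assumed independent.

# (EAD, LGD, PD) per loan
PORTFOLIO = [
    (2_000_000, 0.45, 0.010),
    (1_500_000, 0.60, 0.020),
    (1_000_000, 0.40, 0.015),
    (750_000, 0.55, 0.030),
    (500_000, 0.50, 0.050),
    (250_000, 0.70, 0.080),
]

def expected_loss(loans):
    """EL = sum of EAD x LGD x PD over the loans."""
    return sum(ead * lgd * pd for ead, lgd, pd in loans)

def loss_distribution(loans):
    """Return {portfolio loss: probability}, adding one loan at a time."""
    dist = {0.0: 1.0}
    for ead, lgd, pd in loans:
        severity = ead * lgd  # loss if this loan defaults
        updated = {}
        for loss, prob in dist.items():
            # Loan survives: portfolio loss unchanged.
            updated[loss] = updated.get(loss, 0.0) + prob * (1 - pd)
            # Loan defaults: portfolio loss grows by the severity.
            hit = loss + severity
            updated[hit] = updated.get(hit, 0.0) + prob * pd
        dist = updated
    return dist

def value_at_risk(dist, confidence):
    """Smallest loss level L with P(loss <= L) >= confidence."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence:
            return loss
    return max(dist)

def risk_summary(loans, confidence=0.99):
    dist = loss_distribution(loans)
    el = expected_loss(loans)
    var = value_at_risk(dist, confidence)
    return {
        "expected_loss": el,
        "var": var,
        # Assumption: unexpected loss taken as the gap between VaR and EL.
        "unexpected_loss": var - el,
        # Probability of a loss beyond VaR; at most 1 - confidence.
        "tail_probability": sum(p for loss, p in dist.items() if loss > var),
    }

if __name__ == "__main__":
    for name, value in risk_summary(PORTFOLIO).items():
        print(f"{name:>17}: {value:,.4f}")
```

Because the distribution is discrete, the probability of exceeding VaR can be smaller than 1 minus the confidence level, and the result says nothing about how large losses beyond VaR are.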

## 5.  Breakdown and Interactions of Risk Factors

Risk managers must subdivide risk into discrete risk factors so that each factor and the interactions between these factors can be studied. An excellent example is the credit risk studied earlier, where credit risk was divided into the probability of default (PD), the bank’s exposure at default (EAD), and the severity of loss given default (LGD).

However, there is an obvious challenge in deciding how granular the breakdown of a risk should be, given the loss data. Dividing the data into very small sub-factors is impractical since it is time-consuming and tiresome. Secondly, analytical resources might be limited. Moreover, the data might be limited in terms of quantity, quality, or descriptive ability.

The solution to this challenge is the emergence of machine learning. Machine learning and substantial cloud-based computational power can help in isolating risk factors in finer detail.

## 6.  Structural Change from Tail Risk to Systemic Crisis

Tail risks are those that rarely occur. They can be explained as the extreme version of unexpected loss that is hard to find in the given data. They are usually revealed in time series data of long periods. The tail risk can be detected using statistical methods such as the Extreme Value Theory (EVT).

When the structure of a financial system changes, the risks increase. That is, events associated with large losses may increase, as may risk factor levels. Unless the structural problem is fixed or proper risk management is adopted, new losses relative to a risk type might occur, which changes the amount of tail risk and of expected and unexpected losses.

## 7.  Human Agency and Conflicts of Interest

Financial systems are run by intelligent human beings who can adapt to change in a personal and cunning manner. That is, those who are more experienced in risk management can play up their game by hiding their risk analysis from other participants for their gain.

Having said this, many financial firms have employed three ways to control human agency and conflicts of interest:

1. Firms create business models that can identify and manage risk.
2. Employing risk managers that are qualified in risk management and day-to-day oversight.
3. Periodic independent oversight and assurance (e.g., internal audit)

These defense mechanisms do not always work due to industry innovations, which sometimes leave loopholes in the risk management sector. Moreover, sometimes traders and the industry leadership willingly alter the credibility of the risk management systems. That is why grasping the role of human agency, self-interest, and conflicts of interest is one of the cornerstones of risk management.

## 8.  Risk Aggregation

The risk manager should be able to identify the riskiest businesses and determine the aggregate risks of a firm. For instance, market risks are easily quantified and controlled by comparing the notional amount in each asset held. This, most of the time, is impractical since different stocks and industries have different volatilities.

Since the mushrooming of derivative markets in the 1970s, measurement of market risk became relatively achievable. This is because the value and the risk of the derivatives depend on the price of the underlying portfolio.

Derivative traders developed risk measures termed the Greeks. They include delta and theta. The Greeks are still used today, but they cannot be added up, rendering them limited at the enterprise level.

Another measure of risk is VaR. VaR was a useful aggregation method up to the year before the crisis, but it involves too many assumptions. VaR is marred by shortcomings but remains essential to risk managers.

The disadvantages of these aggregate risk measurements have motivated managers to come up with total risk measures to replace the traditional measures, but these, most of the time, fail to include critical dimensions of the risk and must be supplemented with other methods. In conclusion, understanding how risks are aggregated and the drawbacks and advantages that come with it is an essential risk management building block.

## 9.  Risk and Reward Equilibrium

Normally, the assumption of higher systematic risk is associated with higher returns from portfolios. However, the demanded returns from risky assets may not be apparent unless the market for the asset is efficient and transparent. For example, bond prices alone may not reveal the return demanded for taking additional risk. This can be the case because of liquidity and tax effects. A key objective of risk management is to make potential risks transparent for the firm and to identify activities that may be detrimental for the firm in the long term.

For instance, a bank can include the cost of both expected and unexpected losses by using the following formula for risk-adjusted return on capital (RAROC):

$$RAROC= \frac{\text{Reward}}{\text{Risk}}$$

Note that the reward can be the after-tax risk-adjusted expected return, and the risk is described as the economic capital, so that:

$$RAROC= \frac{\text{After-Tax Risk-Adjusted Expected return} }{\text{Economic capital}}$$

If the RAROC is higher than the cost of equity capital, then the portfolio is valuable to the investor. The cost of equity capital is the minimum return on equity capital required by the shareholders to compensate for the risk.

Apart from the banking industry, RAROC is applied across different industries and institutions, with the formula varying accordingly (but its purpose remains constant).

### Uses of RAROC

1. Investment analysis: The RAROC formula is used to anticipate the likely returns from future investments.
2. Comparing businesses: RAROC can be used to compare different units of a company that need varying amounts of economic capital.
3. Pricing strategies: A company can re-determine the pricing strategy of its products so the risk-adjusted returns.
4. Risk management cost (benefit analysis): RAROC can be used by a firm to compare the cost of risk management to the benefit of the firm.

## 10.  Enterprise Risk Management (ERM)

Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization’s capital and earnings as a whole. ERM overcomes the challenge of “siloed” risk management, where each unit of an institution manages its own risk independently.

Since the financial crisis of 2007-2009, risk cannot be represented by a single number but rather:

1. Risk is multi-dimensional. That is, it should be approached from all angles and using diverse methods.
2. Risk demands specialized judgment that is seconded by statistical science application.
3. Risk develops across all risk types, and thus one may miss the point by analyzing one risk at a time.

More clearly, firms need to adopt a 360-degree view on risk by using different tools and appropriate levels of curiosity. ERM is not only about aggregating the risk across the risk types and business lines but also taking a comprehensive risk management process while taking into consideration the strategic decisions of a business. A simplified ERM is shown below:

## Question

Which of the following is NOT included in the expected loss formula?

A. Probability of default

B. Loss given default

C. Unexpected loss

D. Exposure at default

Solution

The correct answer is C.

$$EL=EAD \times LGD \times PD$$

Unexpected loss is the level at which the losses in a portfolio differ from the average loss as calculated by the expected loss.