erm final notes


Upload: nikky-maheshwari

Post on 03-Apr-2018


7/28/2019 ERM Final Notes

http://slidepdf.com/reader/full/erm-final-notes 1/41

Unit 1: Enterprise risk management

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the Sarbanes–Oxley Act, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.

Enterprise Risk Management Defined

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:


"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The definition reflects certain fundamental concepts. Enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
• Able to provide reasonable assurance to an entity's management and board of directors
• Geared to achievement of objectives in one or more separate but overlapping categories

This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.

Achievement of Objectives

Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four categories:
• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.

This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories – a particular objective can fall into more than one category – address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of objectives. Another category, safeguarding of resources, used by some entities, is also described.


Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity's control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic objectives and operations objectives, however, is subject to external events not always within the entity's control; accordingly, for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.

Components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:
• Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.


as proceeding across the two dimensions of risk type and risk management processes.[1] The risk types and examples include:
• Hazard risk – Liability torts, Property damage, Natural catastrophe
• Financial risk – Pricing risk, Asset risk, Currency risk, Liquidity risk
• Operational risk – Customer satisfaction, Product failure, Integrity, Reputational risk
• Strategic risks – Competition, Social trend, Capital availability.


The risk management process involves:
1. Establishing Context: This includes an understanding of the current conditions in which the organization operates on an internal, external and risk management context.
2. Identifying Risks: This includes the documentation of the material threats to the organization's achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage.
3. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization's key performance metrics.
5. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
6. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
7. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.
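Steps 3 to 5 above (quantify, integrate, prioritize) can be carried through on a small risk inventory. The Python example below is added here and is not part of the original notes; every risk name, probability, loss figure, control credit and correlation in it is constructed for illustration. It models each risk's annual loss as a Bernoulli event times an impact, credits existing controls to move from the inherent to the residual basis (the COSO "inherent and residual" assessment described earlier), aggregates the residual distributions through a correlation matrix, and allocates the aggregate risk back to each risk so that the inventory can be ranked.

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Sequence


@dataclass
class Risk:
    """One entry of a risk inventory. Field names are this example's own, not a standard's."""
    name: str
    likelihood: float                    # annual probability that the event occurs, 0..1
    impact: float                        # loss if the event occurs, in currency units
    control_effectiveness: float = 0.0   # share of the loss removed by existing controls, 0..1

    def inherent_expected_loss(self) -> float:
        # Inherent basis: likelihood x impact before any control is credited.
        return self.likelihood * self.impact

    def residual_impact(self) -> float:
        return self.impact * (1.0 - self.control_effectiveness)

    def residual_expected_loss(self) -> float:
        # Residual basis: the same risk after existing controls are credited.
        return self.likelihood * self.residual_impact()

    def residual_std(self) -> float:
        # Annual loss is modelled as Bernoulli(likelihood) times the residual impact;
        # the standard deviation of that distribution is impact * sqrt(p * (1 - p)).
        return self.residual_impact() * sqrt(self.likelihood * (1.0 - self.likelihood))


def aggregate_std(risks: Sequence[Risk], corr: Sequence[Sequence[float]]) -> float:
    """Standard deviation of the total annual loss, with correlations and portfolio
    effects taken from the matrix corr (rows and columns in the order of risks)."""
    sig = [r.residual_std() for r in risks]
    n = len(sig)
    variance = sum(sig[i] * sig[j] * corr[i][j] for i in range(n) for j in range(n))
    return sqrt(variance)


def risk_contributions(risks: Sequence[Risk], corr: Sequence[Sequence[float]]) -> Dict[str, float]:
    """Euler allocation of the aggregate standard deviation: each risk's share is
    sigma_i * (corr @ sigma)_i / sigma_total, and the shares sum to sigma_total."""
    sig = [r.residual_std() for r in risks]
    n = len(sig)
    total = aggregate_std(risks, corr)
    return {
        risks[i].name: sig[i] * sum(sig[j] * corr[i][j] for j in range(n)) / total
        for i in range(n)
    }


def prioritize(risks: Sequence[Risk], corr: Sequence[Sequence[float]]) -> List[str]:
    """Risk names ordered by their contribution to the aggregate profile, largest first."""
    contrib = risk_contributions(risks, corr)
    return sorted(contrib, key=contrib.__getitem__, reverse=True)


# Constructed inventory: names, probabilities, losses and control credits are illustrative only.
RISKS = [
    Risk("ransomware outage", likelihood=0.2, impact=1_000_000, control_effectiveness=0.5),
    Risk("key supplier insolvency", likelihood=0.1, impact=500_000, control_effectiveness=0.2),
    Risk("regulatory fine", likelihood=0.5, impact=300_000),
]
# Constructed correlation matrix (same order as RISKS): the outage and the fine are
# assumed moderately correlated, the supplier failure independent of both.
CORR = [
    [1.0, 0.0, 0.5],
    [0.0, 1.0, 0.0],
    [0.5, 0.0, 1.0],
]

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:24s} inherent EL {r.inherent_expected_loss():>9,.0f}"
              f"  residual EL {r.residual_expected_loss():>9,.0f}")
    print(f"aggregate std of annual loss: {aggregate_std(RISKS, CORR):,.0f}")
    for name, share in risk_contributions(RISKS, CORR).items():
        print(f"  {name:24s} contributes {share:>9,.0f}")
    print("priority order:", prioritize(RISKS, CORR))
```

Ranking by contribution rather than by stand-alone expected loss is what makes step 5 a portfolio view: the regulatory fine has a higher residual expected loss than the outage, yet the outage ranks first because its larger variance and its assumed correlation with the fine give it the bigger share of the aggregate. The same functions can be re-run after a planned risk response by lowering a risk's control_effectiveness gap, which shows the treatment's effect on the whole profile and not only on that one line.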

The COSO ERM Framework has eight components and four objective categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components - additional components highlighted - are:
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring


The four objective categories - additional components highlighted - are:
• Strategy - high-level goals, aligned with and supporting the organization's mission
• Operations - effective and efficient use of resources
• Financial Reporting - reliability of operational and financial reporting
• Compliance - compliance with applicable laws and regulations

Implementing an ERM program

Goals of an ERM program

Organizations by nature manage risks and have a variety of existing departments or functions ("risk functions") that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively.

Typical risk functions

The primary risk functions in large corporations that may participate in an ERM program typically include:
• Strategic planning - identifies external threats and competitive opportunities, along with strategic initiatives to address them
• Marketing - understands the target customer to ensure product/service alignment with customer requirements
• Compliance & Ethics - monitors compliance with code of conduct and directs fraud investigations
• Accounting / Financial compliance - directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks
• Law Department - manages litigation and analyzes emerging legal trends that may impact the organization
• Insurance - ensures the proper insurance coverage for the organization
• Treasury - ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange
• Operational Quality Assurance - verifies operational output is within tolerances
• Operations management - ensures the business runs day-to-day and that related barriers are surfaced for resolution
• Credit - ensures any credit provided to customers is appropriate to their ability to pay
• Customer service - ensures customer complaints are handled promptly and root causes are reported to operations for resolution
• Internal audit - evaluates the effectiveness of each of the above risk functions and recommends improvements

Common challenges in ERM implementation

Various consulting firms offer suggestions for how to implement an ERM program.[5] Common topics and challenges include:
• Identifying executive sponsors for ERM.
• Establishing a common risk language or glossary.
• Describing the entity's risk appetite (i.e., risks it will and will not take).
• Identifying and describing the risks in a "risk inventory".
• Implementing a risk-ranking methodology to prioritize risks within and across functions.
• Establishing a risk committee and/or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.
• Establishing ownership for particular risks and responses.
• Demonstrating the cost-benefit of the risk management effort.
• Developing action plans to ensure the risks are appropriately managed.
• Developing consolidated reporting for various stakeholders.
• Monitoring the results of actions taken to mitigate risk.
• Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities.
• Developing a technical ERM framework that enables secure participation by 3rd parties and remote employees.

Current issues in ERM

The risk management processes of U.S. corporations are under increasing regulatory and private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth and opportunity. Executives struggle with business pressures that may be partly or completely beyond their immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive technology change; geopolitical instabilities; and the rising price of energy.

1. Sarbanes-Oxley Act requirements

Section 404 of the Sarbanes-Oxley Act of 2002 required U.S. publicly traded corporations to utilize a control framework in their internal control assessments. Many opted for the COSO Internal Control Framework, which includes a risk assessment element. In addition, new guidance issued by the Securities and Exchange Commission (SEC) and PCAOB in 2007 placed increasing scrutiny on top-down risk assessment and included a specific requirement to perform a fraud risk assessment.[8] Fraud risk assessments typically involve identifying scenarios of potential (or experienced) fraud, related exposure to the organization, related controls, and any action taken as a result.

2. NYSE corporate governance rules

The New York Stock Exchange requires the Audit Committees of its listed companies to "discuss policies with respect to risk assessment and risk management." The related commentary continues: "While it is the job of the CEO and senior management to assess and manage the company's exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company's major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee."

ERM and corporate debt ratings

Standard & Poor's (S&P), the debt rating agency, plans to include a series of questions about risk management in its company evaluation process. This will roll out to financial companies in 2007. The results of this inquiry are one of the many factors considered in debt rating, which has a corresponding impact on the interest rates lenders charge companies for loans or bonds. On May 7, 2008, S&P also announced that it would begin including an ERM assessment in its ratings for non-financial companies starting in 2009, with initial comments in its reports during Q4 2008.

ISO 31000: the new International Risk Management Standard

ISO 31000 is an International Standard for Risk Management which was published on 13 November 2009. An accompanying standard, ISO 31010 - Risk Assessment Techniques, soon followed publication (December 1, 2009) together with the updated Risk Management vocabulary ISO Guide 73.


Companies Increasingly Focusing on ERM

It is clear that companies recognize ERM as a critical management issue. This is demonstrated through the prominence assigned to ERM within organizations and the resources devoted to building ERM capabilities. In a 2008 survey by Towers Perrin,[22] at most life insurance companies, responsibility for ERM resides within the C-suite. Most often, the chief risk officer (CRO) or the chief financial officer (CFO) is in charge of ERM, and these individuals typically report directly to the chief executive officer. From their vantage point, the CRO and CFO are able to look across the organization and develop a perspective on the risk profile of the firm and how that profile matches its risk appetite. They act as drivers to improve skills, tools and processes for evaluating risks and to weigh various actions to manage those exposures. Companies are also actively enhancing their ERM tools and capabilities. Three quarters of responding companies said they have tools for specifically monitoring and managing enterprise-wide risk. These tools are used primarily for identifying and measuring risk and for management decision making. Respondents also reported that they have made good progress in building their ERM capabilities in certain areas.

In this study, more than 80% of respondents reported that they currently have adequate or better controls in place for most major risks. In addition, about 60% currently have a coordinated process for risk governance and include risk management in decision making to optimize risk-adjusted returns.

In another survey conducted in May and June 2008, against the backdrop of the developing financial crisis, six major findings came to light regarding risk and capital management among insurers worldwide:[23]
• Embedding ERM is proving to be a significant challenge
• Company size matters
• European insurers are better positioned
• ERM is influencing important strategic decisions
• Economic capital standards are gaining ground
• Operational risk remains a weak spot


BASEL:

Basel I is the round of deliberations by central bankers from around the world, and in 1988, the Basel Committee on Banking Supervision (BCBS) in Basel, Switzerland, published a set of minimum capital requirements for banks. This is also known as the 1988 Basel Accord, and was enforced by law in the Group of Ten (G-10) countries in 1992. Basel I is now widely viewed as outmoded. Indeed, the world has changed as financial conglomerates, financial innovation and risk management have developed. Therefore, a more comprehensive set of guidelines, known as Basel II, are in the process of implementation by several countries. New updates, Basel III, were developed in response to the financial crisis.

Basel I, that is, the 1988 Basel Accord, primarily focused on credit risk. Assets of banks were classified and grouped in five categories according to credit risk, carrying risk weights of zero (for example home country sovereign debt), ten, twenty, fifty, and up to one hundred percent (this category has, as an example, most corporate debt). Banks with international presence are required to hold capital equal to 8% of the risk-weighted assets. The creation of the credit default swap after the Exxon Valdez incident helped large banks hedge lending risk and allowed banks to lower their own risk to lessen the burden of these onerous restrictions.

Since 1988, this framework has been progressively introduced in member countries of the G-10, currently comprising 13 countries, namely Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, Netherlands, Spain, Sweden, Switzerland, United Kingdom and the United States of America.

Basel II is the second of the Basel Accords (now extended and effectively superseded by Basel III), which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision.

Basel II, initially published in June 2004, was intended to create an international standard for banking regulators to control how much capital banks need to put aside to guard against the types of financial and operational risks banks (and the whole economy) face. One focus was to maintain sufficient consistency of regulations so that this does not become a source of competitive inequality amongst internationally active banks. Advocates of Basel II believed that such an international standard could help protect the international financial system from the types of problems that might arise should a major bank or a series of banks collapse. In theory, Basel II attempted to accomplish this by setting up risk and capital management requirements designed to ensure that a bank has adequate capital for the risk the bank exposes itself to through its lending and investment practices. Generally speaking, these rules mean that the greater the risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability.

Politically, it was difficult to implement Basel II in the regulatory environment prior to 2008, and progress was generally slow until that year's major banking crisis caused mostly by credit default swaps, mortgage-backed security markets and similar derivatives. As Basel III was negotiated, this was top of mind, and accordingly much more stringent standards were contemplated, and quickly adopted in some key countries including the USA.

Objective

The final version aims at:
1. Ensuring that capital allocation is more risk sensitive;
2. Enhancing disclosure requirements which will allow market participants to assess the capital adequacy of an institution;
3. Ensuring that credit risk, operational risk and market risk are quantified based on data and formal techniques;
4. Attempting to align economic and regulatory capital more closely to reduce the scope for regulatory arbitrage.

The accord in operation

Basel II uses a "three pillars" concept:
(1) Minimum capital requirements (addressing risk),
(2) Supervisory review and
(3) Market discipline.

The Basel I accord dealt with only parts of each of these pillars. For example: with respect to the first Basel II pillar, only one risk, credit risk, was dealt with in a simple manner while market risk was an afterthought; operational risk was not dealt with at all.


The first pillar

The first pillar deals with maintenance of regulatory capital calculated for three major components of risk that a bank faces: credit risk, operational risk, and market risk. Other risks are not considered fully quantifiable at this stage.

The credit risk component can be calculated in three different ways of varying degree of sophistication, namely standardized approach, Foundation IRB, Advanced IRB and General IB2 Restriction. IRB stands for "Internal Rating-Based Approach".

For operational risk, there are three different approaches – basic indicator approach or BIA, standardized approach or STA, and the internal measurement approach (an advanced form of which is the advanced measurement approach or AMA).

For market risk the preferred approach is VaR (value at risk).

As the Basel II recommendations are phased in by the banking industry it will move from standardized requirements to more refined and specific requirements that have been developed for each risk category by each individual bank. The upside for banks that do develop their own bespoke risk measurement systems is that they will be rewarded with potentially lower risk capital requirements. In future there will be closer links between the concepts of economic and regulatory capital.

The second pillar

The second pillar deals with the regulatory response to the first pillar, giving regulators much improved 'tools' over those available to them under Basel I. It also provides a framework for dealing with all the other risks a bank may face, such as systemic risk, pension risk, concentration risk, strategic risk, reputational risk, liquidity risk and legal risk, which the accord combines under the title of residual risk. It gives banks a power to review their risk management system.

It is the Internal Capital Adequacy Assessment Process (ICAAP) that is the result of Pillar II of the Basel II accords.

The third pillar

This pillar aims to complement the minimum capital requirements and supervisory review process by developing a set of disclosure requirements which will allow the market participants to gauge the capital adequacy of an institution.

Market discipline supplements regulation as sharing of information facilitates assessment of the bank by others, including investors, analysts, customers, other banks, and rating agencies, which leads to good corporate governance. The aim of Pillar 3 is to allow market discipline to operate by requiring institutions to disclose details on the scope of application, capital, risk exposures, risk assessment processes, and the capital adequacy of the institution. It must be consistent with how the senior management, including the board, assess and manage the risks of the institution.


When market participants have a sufficient understanding of a bank's activities and the controls it has in place to manage its exposures, they are better able to distinguish between banking organisations so that they can reward those that manage their risks prudently and penalise those that do not.

These disclosures are required to be made at least twice a year, except qualitative disclosures providing a summary of the general risk management objectives and policies, which can be made annually. Institutions are also required to create a formal policy on what will be disclosed and controls around them, along with the validation and frequency of these disclosures. In general, the disclosures under Pillar 3 apply to the top consolidated level of the banking group to which the Basel II framework applies.

Basel III (or the Third Basel Accord) is a global regulatory standard on bank capital adequacy, stress testing and market liquidity risk agreed upon by the members of the Basel Committee on Banking Supervision in 2010–11, and scheduled to be introduced from 2013 until 2018.[1][2] The third installment of the Basel Accords (see Basel I, Basel II) was developed in response to the deficiencies in financial regulation revealed by the late-2000s financial crisis. Basel III strengthens bank capital requirements and introduces new regulatory requirements on bank liquidity and bank leverage. The OECD estimates that the implementation of Basel III will decrease annual GDP growth by 0.05–0.15%.[3][4] Critics suggest that greater regulation is responsible for the slow recovery from the late-2000s financial crisis,[5][6] and that the tighter Basel III requirements may further negatively affect the stability of the financial system by increasing the incentives of banks to game the regulatory framework.[7]

Basel III will require banks to hold 4.5% of common equity (up from 2% in Basel II) and 6% of Tier I capital (up from 4% in Basel II) of risk-weighted assets (RWA). Basel III also introduces additional capital buffers, (i) a mandatory capital conservation buffer of 2.5% and (ii) a discretionary countercyclical buffer, which allows national regulators to require up to another 2.5% of capital during periods of high credit growth. In addition, Basel III introduces a minimum leverage ratio and two required liquidity ratios.[8] The leverage ratio is calculated by dividing Tier 1 capital by the bank's average total consolidated assets;[9] the banks are expected to maintain the leverage ratio in excess of 3%. The Liquidity Coverage Ratio requires a bank to hold sufficient high-quality liquid assets to cover its total net cash outflows over 30 days; the Net Stable Funding Ratio requires the available amount of stable funding to exceed the required amount of stable funding over a one-year period of extended stress.[10]
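The ratios just listed, together with the Basel I risk-weight buckets and 8% rule from the BASEL section above, can be checked mechanically. The Python example below is added here and is not part of the original notes; the bank balance-sheet figures, the loan book and the bucket labels in it are constructed for illustration, and the buckets simply carry the 0, 10, 20, 50 and 100 percent weights the notes name. It computes risk-weighted assets, tests the Basel I 8% capital rule, the Basel III common equity and Tier 1 minima with the conservation and countercyclical buffers (this example applies both buffers on top of the common equity minimum), the 3% leverage ratio, and the LCR and NSFR floors, and reports each ratio next to its minimum so a shortfall is visible.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Basel I risk-weight buckets named in the notes: 0, 10, 20, 50 and 100 percent.
# The bucket labels are this example's own shorthand, not the accord's wording.
BASEL_I_RISK_WEIGHTS = {
    "home-country sovereign": 0.00,
    "weight-10": 0.10,
    "weight-20": 0.20,
    "weight-50": 0.50,
    "corporate": 1.00,
}


def risk_weighted_assets(exposures: List[Tuple[str, float]]) -> float:
    """Sum over the book of exposure amount times the risk weight of its bucket."""
    return sum(amount * BASEL_I_RISK_WEIGHTS[bucket] for bucket, amount in exposures)


@dataclass(frozen=True)
class Check:
    ratio: float     # the bank's actual ratio
    minimum: float   # the floor it is compared against

    @property
    def passes(self) -> bool:
        return self.ratio >= self.minimum

    @property
    def shortfall(self) -> float:
        return max(0.0, self.minimum - self.ratio)


@dataclass(frozen=True)
class Bank:
    """Constructed balance-sheet figures; all fields are in the same currency unit."""
    common_equity: float             # CET1 capital
    tier1_capital: float             # total Tier 1 (includes common equity)
    total_capital: float             # Tier 1 + Tier 2, the Basel I numerator
    total_assets: float              # average total consolidated assets (leverage denominator)
    hqla: float                      # high-quality liquid assets
    net_outflows_30d: float          # total net cash outflows over 30 days
    available_stable_funding: float
    required_stable_funding: float


def basel_i_check(bank: Bank, rwa: float) -> Check:
    """Basel I: capital equal to at least 8% of risk-weighted assets."""
    return Check(bank.total_capital / rwa, 0.08)


def basel_iii_checks(bank: Bank, rwa: float, countercyclical_buffer: float = 0.0) -> Dict[str, Check]:
    """Basel III figures from the notes: 4.5% common equity and 6% Tier 1 of RWA, the 2.5%
    conservation buffer plus a 0-2.5% countercyclical buffer set by the national regulator
    (both added to the common equity minimum here), a 3% leverage ratio, and LCR and NSFR
    floors of 100% (liquid assets cover 30-day outflows; available stable funding covers
    the required amount)."""
    if not 0.0 <= countercyclical_buffer <= 0.025:
        raise ValueError("countercyclical buffer must be between 0 and 2.5%")
    cet1_required = 0.045 + 0.025 + countercyclical_buffer
    return {
        "cet1_ratio": Check(bank.common_equity / rwa, cet1_required),
        "tier1_ratio": Check(bank.tier1_capital / rwa, 0.06),
        "leverage_ratio": Check(bank.tier1_capital / bank.total_assets, 0.03),
        "lcr": Check(bank.hqla / bank.net_outflows_30d, 1.0),
        "nsfr": Check(bank.available_stable_funding / bank.required_stable_funding, 1.0),
    }


# Constructed loan book: (bucket, exposure amount).
EXPOSURES = [
    ("home-country sovereign", 2_000.0),
    ("weight-20", 1_000.0),
    ("weight-50", 2_000.0),
    ("corporate", 5_000.0),
]
# Constructed bank: comfortably above the Basel I rule and the bare Basel III minima,
# but short of the common equity requirement once the conservation buffer is added.
BANK = Bank(common_equity=350.0, tier1_capital=450.0, total_capital=600.0, total_assets=10_000.0,
            hqla=1_200.0, net_outflows_30d=1_000.0,
            available_stable_funding=6_000.0, required_stable_funding=5_500.0)

if __name__ == "__main__":
    rwa = risk_weighted_assets(EXPOSURES)
    print(f"risk-weighted assets: {rwa:,.0f}")
    b1 = basel_i_check(BANK, rwa)
    print(f"Basel I   capital ratio {b1.ratio:.2%} (min {b1.minimum:.0%}) -> {'ok' if b1.passes else 'FAIL'}")
    for name, chk in basel_iii_checks(BANK, rwa, countercyclical_buffer=0.0).items():
        status = "ok" if chk.passes else f"FAIL, short by {chk.shortfall:.2%} of RWA"
        print(f"Basel III {name:15s} {chk.ratio:.2%} (min {chk.minimum:.2%}) -> {status}")
```

The same bank passes every Basel I and bare Basel III test and fails only the buffered common equity check, which is the point of the buffers: a bank can sit above the 4.5% minimum and still be constrained. Passing a non-zero countercyclical_buffer raises that floor further, so the function can be used to see how much common equity a given book needs under the strictest setting a regulator may impose.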

 

THE LIMITS OF BASEL II ACCORD

In general the banks do not have to engage in transactions in which the risks cannot be identified and controlled in an efficient manner. Each risk a credit institution deals with must be identified, supervised and its effects limited.

In the 1980s, because of the critical changes in interest rates produced by the inflationary process and by the energy crises, because of the significant changes in exchange rates after the abolishment of the Bretton Woods system, and because of the intensification of competition in the financial services market, instability became a characteristic of the environment in which banks operate. In this new situation, banks' vulnerability and the number of bankruptcies increased. The Basel I Accord of 1988, which emerged because of the bank insolvencies of the 1980s, led to the banking system's recovery on the basis of minimum capital adequacy. The Accord also contributed to the stability of the international banking system through the harmonization of international banks' practices and the elimination of unfair competition between banks. The stipulations of the Basel I Accord were not mandatory; they were given merely as guidance, but they were adopted by the majority of banks.

Because the risks on the international market keep evolving and affect banks' activity, in 1996 the Basel I Accord was amended to incorporate market risk alongside credit risk in estimating capital adequacy. The Basel II Accord, adopted in 2004, has a more flexible character, offering credit institutions the freedom to choose their own methods of risk evaluation, while preserving the key elements of the Basel I Accord, notably the 8% minimum capital adequacy ratio.

The Basel II Accord has many advantages, such as:

- credit institutions take operational risk into consideration alongside credit risk and market risk;
- the global risk approach;
- the internal rating systems;
- a market discipline based on the transparency principle and on detailed reporting that offers relevant, credible, timely, comparable and comprehensible information;
- increased competence for supervision authorities;
- the creation of a solid banking industry;
- a contribution to the harmonization of banking practices between East and West Europe;
- equitable bank competition;
- the three pillars form a coherent whole;
- the internal methods of risk evaluation mean that the weighting coefficients with which every risk asset is evaluated are not the same for the whole banking sector but are established individually by each institution, so that risk is evaluated much more accurately and situations in which capital requirements are overestimated are eliminated. Banks will therefore have more money for lending and will have to set aside fewer reserves.

In the standardised approach to credit risk, the Basel II Accord introduces an additional penalty for credits given to institutions with an inferior rating: whereas under the Basel I Accord the minimum requirement was 100% of the exposure, under Basel II the weighting coefficient for B- ratings is 150%. The exposure classes and the weighting coefficients for credit risk increase from 4 to 8 categories (0%, 10%, 20%, 35%, 50%, 75%, 100%, 150%), which allows credit risk to be detected more accurately based on the nature of each bank's investments. The weighting coefficient for each exposure depends not only on the class in which the exposure is placed, but also on its credit quality, determined by the ratings given by external credit assessment institutions.

The banks that will make the most of the new Accord will be the ones that invest seriously in risk management and that know how to choose the right risk management method based on the results of the analyses made. In other words, the promotion of internal risk management models will be the key to banks' success in developing their credit activity and managing their risks.

The implementation of the Basel II Accord has revealed its limits, such as:

- the implementation implies high costs for staff training and IT, especially for countries in Central and East Europe;
- discrimination between banks (small versus large banks);
- fewer loans for countries in transition, especially for banks and companies with low ratings;
- an increase in the degree of bank concentration through mergers and acquisitions between banks in the system;
- interest rates that vary with the quality of the credit applicant.

Due to its complexity, the IRB method is very difficult to implement for banks that do not have a high level of credit risk management culture, so the standardised approach appears to be the only credible option for banks in Central and East Europe. In Romania this process is easier because the banking system is largely owned by Western European banks that have already passed this test, so they will be able to facilitate the transition of their subsidiaries to the new capital requirements. In some cases the parent banks will provide their own internal risk evaluation models.


Unit 3:

The Role of Credit Rating Agencies in the Governance of Financial Markets

Throughout the industrialized world governments play an important role in the regulation of financial market risk. By protecting investors from fraud and by introducing preventive regulation to reduce the likelihood of financial crisis, they have contributed to the markets' efficiency and growth. However, the state's role in financial markets has become more difficult over the last two to three decades. The increasing global integration of nationally contained financial markets means that a financial crisis can spread more easily from one national system to another. Furthermore, the high mobility of capital makes the enforcement of rules more difficult. These problems raise the question as to whether and how the management of risk in financial markets takes place today.

In recent years credit rating agencies (CRA) have become increasingly important in the management of financial market risk. CRA are commercial firms that receive payment for publishing an evaluation of the creditworthiness of their clients. This information is especially useful when borrowing takes place through the issue of securities rather than through bank loans, since buyers of securities do not know the issuers as well as banks usually know their customers. CRA originated in the USA at the turn of the twentieth century and concentrated on rating corporate bonds. Their activities subsequently increased in scope and scale. At present no major type of security, issuer or geographic area is excluded: CRA now define a truly global benchmark for credit risk. Published ratings are not only closely observed in the market place; they are significant for regulation as well. Since the Great Depression the CRA's benchmark has also been used in the regulation of financial markets. Banks or certain other types of investors, for example, are only allowed to hold lower-risk securities rated 'investment grade'. By referring to the market benchmark for credit risk, regulation remains in touch with the changing credit risks in the market. As with the use of ratings in the market, their use as a regulatory benchmark is also spreading globally. Since CRA judgments define a globally uniform benchmark, they are attractive as a reference for international regulatory standards as well. A good case in point is the recent proposal by the Bank for International Settlements to use ratings to calculate capital adequacy ratios for banks.

The increasing prominence of the CRA in risk management in the market place and in regulation makes them an important element in coping with the risk of globally interconnected financial markets. The question arising from this observation is: how effective are present rating-based risk management strategies? Given the rapidly changing nature of financial market risk, how well do rating agencies adapt to it? To answer this question, the dominant mode of action co-ordination between the actors involved is to be analyzed. The question guiding the analysis will be whether rating-based risk management results in the greater adaptability associated with networks, or whether it will be limited to the trial-and-error learning of markets and hierarchies.

Unit 4:

Risk Measurement:

In financial mathematics, a risk measure is used to determine the amount of an asset or set of assets (traditionally currency) to be kept in reserve. The purpose of this reserve is to make the risks taken by financial institutions, such as banks and insurance companies, acceptable to the regulator. In recent years attention has turned towards convex and coherent risk measures.

Risk Management

The process of identification, analysis and either acceptance or mitigation of uncertainty in

investment decision-making. Essentially, risk management occurs anytime an investor or fund

manager analyzes and attempts to quantify the potential for losses in an investment and then

takes the appropriate action (or inaction) given their investment objectives and risk tolerance.

Inadequate risk management can result in severe consequences for companies as well as

individuals. For example, the recession that began in 2008 was largely caused by the loose

credit risk management of financial firms.

Risk management is a two-step process - determining what risks exist in an

investment and then handling those risks in a way best-suited to your investment objectives.

Risk management occurs everywhere in the financial world. It occurs when an investor buys

low-risk government bonds over more risky corporate debt, when a fund manager hedges

their currency exposure with currency derivatives and when a bank performs a credit check on

an individual before issuing them a personal line of credit.

Principles of risk management

The International Organization for Standardization (ISO) identifies the following principles of risk 

management:[4]

 

Risk management should:

- create value: resources expended to mitigate risk should be less than the consequence of inaction, or (as in value engineering) the gain should exceed the pain
- be an integral part of organizational processes
- be part of the decision-making process
- explicitly address uncertainty and assumptions
- be systematic and structured
- be based on the best available information
- be tailorable
- take human factors into account
- be transparent and inclusive
- be dynamic, iterative and responsive to change
- be capable of continual improvement and enhancement
- be continually or periodically re-assessed

Process

 According to the standard ISO 31000 "Risk management – Principles and guidelines on

implementation,"[3] the process of risk management consists of several steps as follows:

1. Establishing the context

This involves:

1. identification of risk in a selected domain of interest
2. planning the remainder of the process
3. mapping out the following:
   - the social scope of risk management
   - the identity and objectives of stakeholders
   - the basis upon which risks will be evaluated, constraints
4. defining a framework for the activity and an agenda for identification
5. developing an analysis of risks involved in the process
6. mitigation or solution of risks using available technological, human and organizational resources.

2. Identification

After establishing the context, the next step in the process of managing risk is to identify potential risks. Risks are about events that, when triggered, cause problems. Hence, risk identification can start with the source of problems, or with the problem itself.

- Source analysis: risk sources may be internal or external to the system that is the target of risk management. Examples of risk sources are the stakeholders of a project, the employees of a company or the weather over an airport.
- Problem analysis: risks are related to identified threats, for example the threat of losing money, the threat of abuse of confidential information or the threat of human errors, accidents and casualties. The threats may exist with various entities, most importantly with shareholders, customers and legislative bodies such as the government.


When either the source or the problem is known, the events that a source may trigger or the events that can lead to a problem can be investigated. For example: stakeholders withdrawing during a project may endanger funding of the project; confidential information may be stolen by employees even within a closed network; lightning striking an aircraft during takeoff may make all people on board immediate casualties.

The chosen method of identifying risks may depend on culture, industry practice and compliance. The identification methods are formed by templates, or by the development of templates, for identifying source, problem or event. Common risk identification methods are:

- Objectives-based risk identification: organizations and project teams have objectives. Any event that may endanger achieving an objective partly or completely is identified as a risk.
- Scenario-based risk identification: in scenario analysis different scenarios are created. The scenarios may be the alternative ways to achieve an objective, or an analysis of the interaction of forces in, for example, a market or battle. Any event that triggers an undesired scenario alternative is identified as a risk (see Futures Studies for the methodology used by futurists).
- Taxonomy-based risk identification: the taxonomy in taxonomy-based risk identification is a breakdown of possible risk sources. Based on the taxonomy and knowledge of best practices, a questionnaire is compiled. The answers to the questions reveal risks.[5]
- Common-risk checking: in several industries, lists of known risks are available. Each risk in the list can be checked for applicability to a particular situation.[6]
- Risk charting:[7] this method combines the above approaches by listing resources at risk, threats to those resources, modifying factors which may increase or decrease the risk, and the consequences it is wished to avoid. Creating a matrix under these headings enables a variety of approaches. One can begin with resources and consider the threats they are exposed to and the consequences of each. Alternatively one can start with the threats and examine which resources they would affect, or one can begin with the consequences and determine which combination of threats and resources would be involved to bring them about.

3. Assessment

Once risks have been identified, they must then be assessed as to their potential severity of impact

(generally a negative impact, such as damage or loss) and to the probability of occurrence. These quantities

can be either simple to measure, in the case of the value of a lost building, or impossible to know for sure in

the case of the probability of an unlikely event occurring. Therefore, in the assessment process it is critical

to make the best educated decisions in order to properly prioritize the implementation of the risk

management plan. 

Even a short-term positive improvement can have long-term negative impacts. Take the "turnpike" example.

 A highway is widened to allow more traffic. More traffic capacity leads to greater development in the areas

surrounding the improved traffic capacity. Over time, traffic thereby increases to fill available capacity.

Turnpikes thereby need to be expanded in a seemingly endless cycle. There are many other engineering

examples where expanded capacity (to do any function) is soon filled by increased demand. Since

expansion comes at a cost, the resulting growth could become unsustainable without forecasting and

management.


The fundamental difficulty in risk assessment is determining the rate of occurrence since statistical

information is not available on all kinds of past incidents. Furthermore, evaluating the severity of the

consequences (impact) is often quite difficult for intangible assets. Asset valuation is another question that

needs to be addressed. Thus, best educated opinions and available statistics are the primary sources of 

information. Nevertheless, risk assessment should produce such information for the management of the

organization that the primary risks are easy to understand and that the risk management decisions may be

prioritized. Thus, there have been several theories and attempts to quantify risks. Numerous different risk

formulae exist, but perhaps the most widely accepted formula for risk quantification is:

Rate (or probability) of occurrence multiplied by the impact of the event equals risk magnitude

4. Composite Risk Index

The above formula can also be re-written in terms of a Composite Risk Index, as follows:

Composite Risk Index = Impact of Risk event x Probability of Occurrence  

The impact of the risk event is commonly assessed on a scale of 1 to 5, where 1 and 5 represent the

minimum and maximum possible impact of an occurrence of a risk (usually in terms of financial losses).

However, the 1 to 5 scale can be arbitrary and need not be on a linear scale.

The probability of occurrence is likewise commonly assessed on a scale from 1 to 5, where 1 represents

a very low probability of the risk event actually occurring while 5 represents a very high probability of 

occurrence. This axis may be expressed in either mathematical terms (event occurs once a year, once

in ten years, once in 100 years etc.) or may be expressed in "plain english" – event has occurred here

very often; event has been known to occur here; event has been known to occur in the industry etc.).

 Again, the 1 to 5 scale can be arbitrary or non-linear depending on decisions by subject-matter experts.

The Composite Index thus can take values ranging (typically) from 1 through 25, and this range is usually arbitrarily divided into three sub-ranges. The overall risk assessment is then Low, Medium or High, depending on the sub-range containing the calculated value of the Composite Index. For instance, the three sub-ranges could be defined as 1 to 8, 9 to 16 and 17 to 25.

Note that the probability of risk occurrence is difficult to estimate, since the past data on frequencies are

not readily available, as mentioned above. After all, probability does not imply certainty.

Likewise, the impact of the risk is not easy to estimate since it is often difficult to estimate the potential

loss in the event of risk occurrence.

Further, both the above factors can change in magnitude depending on the adequacy of risk avoidance

and prevention measures taken and due to changes in the external business environment. Hence it is

absolutely necessary to periodically re-assess risks and intensify/relax mitigation measures, or as

necessary. Changes in procedures, technology, schedules, budgets, market conditions, political

environment, or other factors typically require re-assessment of risks.
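The Composite Risk Index scoring described above, carried through in code. This is an added example written for these notes, not material from the original text or from any standard: the 1 to 5 scales, the impact x probability product and the Low/Medium/High sub-ranges (1 to 8, 9 to 16, 17 to 25) come from the text, while the loss thresholds behind the impact scores, the order-of-magnitude mapping from rate of occurrence to a probability score, and the sample risk register are assumptions made for illustration. It goes one step beyond the text by also reporting the expected annual loss (loss per event times rate) next to the index, which shows the caveat a practitioner should keep in mind: the product of two ordinal scores is not a monetary figure, and the two orderings of the same register can disagree.

```python
"""Composite Risk Index scoring (added example, not from the original notes).

Scales and bands follow the text: impact 1-5, probability 1-5,
index = impact x probability, Low 1-8 / Medium 9-16 / High 17-25.
The loss thresholds, the rate-to-score mapping and the sample register
are assumptions made for illustration.
"""
import bisect
import math

# Assumed single-event loss thresholds (currency units) for impact
# scores 2, 3, 4 and 5; a loss below the first threshold scores 1.
IMPACT_THRESHOLDS = [10_000, 100_000, 1_000_000, 10_000_000]

# Sub-ranges of the index from the text: (upper bound, rating).
RATING_BANDS = [(8, "Low"), (16, "Medium"), (25, "High")]


def impact_score(loss: float) -> int:
    """Map an estimated loss per occurrence onto the 1-5 impact scale."""
    if loss < 0:
        raise ValueError("loss must not be negative")
    return 1 + bisect.bisect_right(IMPACT_THRESHOLDS, loss)


def probability_score(events_per_year: float) -> int:
    """Map an estimated rate of occurrence onto the 1-5 probability scale.

    Assumption: one order of magnitude per step, so once in 100 years -> 1,
    once in 10 years -> 2, once a year -> 3, monthly -> 4, weekly or more
    often -> 5.  The scale is deliberately non-linear, as the text allows.
    """
    if events_per_year <= 0:
        raise ValueError("rate of occurrence must be positive")
    return max(1, min(5, round(3 + math.log10(events_per_year))))


def composite_risk_index(impact: int, probability: int) -> int:
    """Composite Risk Index = impact x probability, both on 1..5."""
    for score in (impact, probability):
        if not 1 <= score <= 5:
            raise ValueError("scores must lie in 1..5")
    return impact * probability


def rating(index: int) -> str:
    """Low / Medium / High from the sub-range containing the index."""
    for upper, label in RATING_BANDS:
        if index <= upper:
            return label
    raise ValueError("index outside 1..25")


def assess_register(register):
    """Score each risk and order the register for treatment, highest first.

    Ties on the index are broken by expected annual loss.  The expected
    loss (loss x rate) is reported beside the index because the product
    of two ordinal scores is not a monetary figure and the two orderings
    can disagree.
    """
    rows = []
    for entry in register:
        impact = impact_score(entry["loss"])
        probability = probability_score(entry["rate"])
        index = composite_risk_index(impact, probability)
        rows.append({
            "risk": entry["risk"],
            "impact": impact,
            "probability": probability,
            "index": index,
            "rating": rating(index),
            "expected_loss": entry["loss"] * entry["rate"],
        })
    rows.sort(key=lambda r: (r["index"], r["expected_loss"]), reverse=True)
    return rows


# Constructed sample register: loss per event and events per year are
# invented figures, not data from any real organisation.
SAMPLE_REGISTER = [
    {"risk": "Ransomware encrypts file servers", "loss": 2_000_000, "rate": 0.5},
    {"risk": "Credential phishing leads to mailbox compromise", "loss": 50_000, "rate": 12},
    {"risk": "Fire destroys primary data centre", "loss": 20_000_000, "rate": 0.01},
    {"risk": "Payment fraud via business e-mail compromise", "loss": 150_000, "rate": 12},
    {"risk": "Lost or stolen unencrypted laptop", "loss": 20_000, "rate": 52},
]

if __name__ == "__main__":
    for row in assess_register(SAMPLE_REGISTER):
        print(f'{row["index"]:>2} {row["rating"]:<6} '
              f'(I={row["impact"]}, P={row["probability"]}, '
              f'expected loss {row["expected_loss"]:>12,.0f})  {row["risk"]}')
```

On the sample register the data-centre fire carries the largest single loss but scores lowest (5, Low) because its probability score is 1, while the frequent, cheap laptop losses rank above the phishing risk on the index even though phishing has a lower expected annual loss. That is the behaviour the text warns about when it calls the scales arbitrary: the index is a prioritisation device, and the thresholds and bands should be agreed with subject-matter experts and re-assessed when the estimates change.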


5. Risk Options

Risk mitigation measures are usually formulated according to one or more of the following major risk

options, which are:

1. Design a new business process with adequate built-in risk control and containment measures

from the start.

2. Periodically re-assess risks that are accepted in ongoing processes as a normal feature of 

business operations and modify mitigation measures.

3. Transfer risks to an external agency (e.g. an insurance company)

4. Avoid risks altogether (e.g. by closing down a particular high-risk business area)

Later research has shown that the financial benefits of risk management depend less on the formula used than on how often, and how well, risk assessment is performed.

In business it is imperative to be able to present the findings of risk assessments in financial, market, or schedule terms. Robert Courtney Jr. (IBM, 1970) proposed a formula for presenting risks in financial terms. The Courtney formula was accepted as the official risk analysis method for US government agencies. The formula proposes calculation of ALE (annualised loss expectancy) and compares the expected loss value to the security control implementation costs (cost-benefit analysis).

6. Potential risk treatments

Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of 

these four major categories:[8] 

   Avoidance (eliminate, withdraw from or not become involved)

  Reduction (optimize – mitigate)

  Sharing (transfer  – outsource or insure)

  Retention (accept and budget)

Ideal use of these strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organization or person making the risk management decisions. Another source, the US Department of Defense's Defense Acquisition University, calls these categories ACAT, for Avoid, Control, Accept, or Transfer. This use of the ACAT acronym is reminiscent of another ACAT (for Acquisition Category) used in US Defense industry procurements, in which risk management figures prominently in decision making and planning.
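Courtney's comparison of annualised loss expectancy with the cost of a control, combined with the four treatment options listed above, as an added example that is not part of the original notes and not Courtney's own formulation. It uses the common form ALE = SLE x ARO (single loss expectancy, the loss per occurrence, times the annual rate of occurrence). Every treatment option is priced as an annual cost so that they can be compared on one scale: retention costs the full ALE, reduction costs the control plus the residual ALE, sharing costs the premium plus whatever part of each loss lies above the insured limit and therefore stays with the organisation, and avoidance costs the yearly value of the activity given up. The risks, controls, premiums and figures are constructed for illustration.

```python
"""Courtney-style cost-benefit analysis of risk treatments (added example,
not from the original notes or from Courtney's paper).

ALE = SLE x ARO: annualised loss expectancy is the single loss expectancy
(loss per occurrence) times the annual rate of occurrence.  A control is
worth buying when the ALE it removes exceeds its annual cost.  Risks,
controls, premiums and figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: loss per occurrence
    aro: float  # annual rate of occurrence

    @property
    def ale(self) -> float:
        """Annualised loss expectancy."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # yearly running cost plus amortised implementation cost
    sle_reduction: float = 0.0  # fraction of the loss per event removed (0..1)
    aro_reduction: float = 0.0  # fraction of occurrences prevented (0..1)

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains once this control is in place."""
        return Risk(risk.name,
                    risk.sle * (1.0 - self.sle_reduction),
                    risk.aro * (1.0 - self.aro_reduction))


def net_benefit(risk: Risk, control: Control) -> float:
    """Courtney's comparison: loss avoided per year minus the control's cost.

    A negative value means the control costs more than the loss it prevents.
    """
    return (risk.ale - control.residual(risk).ale) - control.annual_cost


def treatment_options(risk: Risk, controls=(), insurance=None, exit_value=None):
    """Price each of the four treatment options as an annual cost.

    retain -> carry the full ALE
    reduce -> control cost plus the residual ALE, one entry per control
    share  -> insurance premium plus the part of each loss above the
              insured limit, which stays with the organisation
    avoid  -> the yearly value given up by withdrawing from the activity
    """
    options = {"retain": risk.ale}
    for control in controls:
        options[f"reduce: {control.name}"] = control.annual_cost + control.residual(risk).ale
    if insurance is not None:
        premium, limit = insurance
        retained_per_event = max(0.0, risk.sle - limit)
        options["share: insure"] = premium + retained_per_event * risk.aro
    if exit_value is not None:
        options["avoid: exit activity"] = exit_value
    return options


def recommend(risk: Risk, **kwargs):
    """Return (option, annual cost) for the cheapest treatment."""
    options = treatment_options(risk, **kwargs)
    best = min(options, key=options.get)
    return best, options[best]


# Constructed scenarios (invented figures, hypothetical controls).
RANSOMWARE = Risk("Ransomware encrypts file servers", sle=2_000_000, aro=0.5)
BACKUPS = Control("Offline, tested backups", annual_cost=150_000, sle_reduction=0.8)
EDR = Control("Endpoint detection and response", annual_cost=300_000, aro_reduction=0.6)
CYBER_POLICY = (250_000, 1_000_000)  # (annual premium, insured limit per event)
EXIT_FILE_SERVICES = 5_000_000       # yearly value of the activity that would be given up

PETTY_THEFT = Risk("Theft from an office vending machine", sle=500, aro=2)
CCTV = Control("CCTV in the kitchen", annual_cost=3_000, aro_reduction=0.5)
CONTENTS_POLICY = (1_200, 10_000)

if __name__ == "__main__":
    for control in (BACKUPS, EDR):
        print(f"{control.name}: net benefit {net_benefit(RANSOMWARE, control):,.0f}")
    for risk, kwargs in (
        (RANSOMWARE, dict(controls=(BACKUPS, EDR), insurance=CYBER_POLICY,
                          exit_value=EXIT_FILE_SERVICES)),
        (PETTY_THEFT, dict(controls=(CCTV,), insurance=CONTENTS_POLICY)),
    ):
        option, cost = recommend(risk, **kwargs)
        print(f"{risk.name}: ALE {risk.ale:,.0f} -> {option} at {cost:,.0f} per year")
```

For the ransomware scenario the backup control wins: it removes 800,000 of a 1,000,000 ALE for 150,000 a year, while the insurance policy looks cheap until the uninsured half of each loss is added back. For the vending-machine theft every control and policy costs more than the 1,000 ALE, so retention is the rational choice, which is the small-risk case the notes describe under risk retention.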

Risk avoidance

This includes not performing an activity that could carry risk. An example would be not buying a property or business in order not to take on the legal liability that comes with it. Another would be not flying in order not to take the risk that the airplane might be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. Increasing risk regulation in hospitals has led to avoidance of treating higher-risk conditions, in favour of patients presenting with lower risk.[9]


Hazard prevention

Hazard prevention refers to the prevention of risks in an emergency. The first and most effective stage of hazard prevention is the elimination of hazards. If this takes too long, is too costly, or is otherwise impractical, the second stage is mitigation.

Risk reduction

Risk reduction or "optimization" involves reducing the severity of the loss or the likelihood of the loss occurring. For example, sprinklers are designed to put out a fire to reduce the risk of loss by fire. This method may cause a greater loss by water damage and therefore may not be suitable. Halon fire suppression systems may mitigate that risk, but the cost may be prohibitive as a strategy.

 Acknowledging that risks can be positive or negative, optimizing risks means finding a balance between

negative risk and the benefit of the operation or activity; and between risk reduction and effort applied.

By an offshore drilling contractor effectively applying HSE Management in its organization, it can

optimize risk to achieve levels of residual risk that are tolerable.[10] 

Modern software development methodologies reduce risk by developing and delivering software

incrementally. Early methodologies suffered from the fact that they only delivered software in the final

phase of development; any problems encountered in earlier phases meant costly rework and often

 jeopardized the whole project. By developing in iterations, software projects can limit effort wasted to a

single iteration.

Outsourcing could be an example of risk reduction if the outsourcer can demonstrate higher capability at

managing or reducing risks.[11] For example, a company may outsource only its software development,

the manufacturing of hard goods, or customer support needs to another company, while handling the

business management itself. This way, the company can concentrate more on business development

without having to worry as much about the manufacturing process, managing the development team, or 

finding a physical location for a call center.

Risk sharing

Briefly defined as "sharing with another party the burden of loss or the benefit of gain, from a risk, and the measures to reduce a risk."

The term 'risk transfer' is often used in place of risk sharing in the mistaken belief that you can transfer a risk to a third party through insurance or outsourcing. In practice, if the insurance company or contractor goes bankrupt or ends up in court, the original risk is likely to revert to the first party. Even so, in the terminology of practitioners and scholars alike, the purchase of an insurance contract is often described as a "transfer of risk." However, technically speaking, the buyer of the contract generally retains legal responsibility for the losses "transferred", meaning that insurance may be described more accurately as a post-event compensatory mechanism. For example, a personal injuries insurance policy does not transfer the risk of a car accident to the insurance company. The risk still lies with the policy holder, namely the person who has been in the accident. The insurance policy simply provides that if an accident (the event) occurs involving the policy holder, then some compensation may be payable to the policy holder that is commensurate with the suffering/damage.


Some ways of managing risk fall into multiple categories. Risk retention pools are technically retaining

the risk for the group, but spreading it over the whole group involves transfer among individual members

of the group. This is different from traditional insurance, in that no premium is exchanged between

members of the group up front, but instead losses are assessed to all members of the group.

Risk retention

Involves accepting the loss, or benefit of gain, from a risk when it occurs. True self-insurance falls in this category. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default. This includes risks that are so large or catastrophic that they either cannot be insured against or the premiums would be infeasible. War is an example, since most property and risks are not insured against war, so the loss attributable to war is retained by the insured. Also, any amount of potential loss (risk) over the amount insured is retained risk. This may also be acceptable if the chance of a very large loss is small or if the cost to insure for greater coverage amounts is so great that it would hinder the goals of the organization too much.

7. Create a risk management plan

Select appropriate controls or countermeasures to mitigate each risk. Risk mitigation needs to be approved by the appropriate level of management. For instance, a risk concerning the image of the organization should have a top management decision behind it, whereas IT management would have the authority to decide on computer virus risks.

The risk management plan should propose applicable and effective security controls for managing the

risks. For example, an observed high risk of computer viruses could be mitigated by acquiring and

implementing antivirus software. A good risk management plan should contain a schedule for control

implementation and responsible persons for those actions.

According to ISO/IEC 27001, the stage immediately after completion of the risk assessment phase consists of preparing a Risk Treatment Plan, which should document the decisions about how each of the identified risks should be handled. Mitigation of risks often means selection of security controls, which should be documented in a Statement of Applicability, which identifies which particular control objectives and controls from the standard have been selected, and why.

8. Implementation

Implementation follows all of the planned methods for mitigating the effect of the risks. Purchase

insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that

can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.

9. Review and evaluation of the plan

Initial risk management plans will never be perfect. Practice, experience, and actual loss results will

necessitate changes in the plan and contribute information to allow possible different decisions to be

made in dealing with the risks being faced.

Risk analysis results and management plans should be updated periodically. There are two primary

reasons for this:


1. to evaluate whether the previously selected security controls are still applicable and effective

2. to evaluate possible changes in the risk level of the business environment. Information risks, for example, belong to a rapidly changing business environment.

Unit 5:

What is Risk Management

Risk management is an important concept that mainly aims at the identification, assessment and prioritization of events that may have an adverse impact on the organization. It can be considered a very powerful strategic tool and has become more prevalent in recent decades due to rapid growth in the industrial sector. Risks can be uncertainty in financial markets, failure of projects, legal liabilities, credit risk, accidents of natural causes and disasters, etc. Avoiding the risk, transferring the risk to another party and reducing the impact of the risk are some strategies for managing risk.

Risk Management Definition

"Risk management is defined as the logical development and carrying out of a plan to deal with potential

losses. The purpose of the risk management programme is to manage an organization's exposure to loss and to

 protect its assets." - Mark S. Dorsman 

Types of Risk Management

Assessment of the risk, obtaining options for handling the risk, and analyzing the risks in order to determine the ways in which they may change are some ways of dealing with risk. There are different types of risk, and management must be aware of all of them. The risks can be financial risks, process risks, intangible risks, time risks, human risks, legal risks and physical risks. Brief notes on the various types of risk follow.


 

Systemic risk 

In finance, systemic risk is the risk of collapse of an entire financial system or entire market, as opposed to

risk associated with any one individual entity, group or component of a system.[1][2] It can be defined as

"financial system instability, potentially catastrophic, caused or exacerbated by idiosyncratic events or 

conditions in financial intermediaries".[3] It refers to the risks imposed

 by interlinkages and interdependencies in a system or market, where the failure of a single entity or cluster of

entities can cause a cascading failure, which could potentially bankrupt or bring down the entire system or 

market.[4] It is also sometimes erroneously referred to as "systematic risk".

Explanation 

Systemic risk has been compared to a bank run which has a cascading effect on other banks which are owed

money by the first bank in trouble, causing a cascading failure. As depositors sense the ripple effects of 

default, and liquidity concerns cascade through money markets, a panic can spread through a market, with a

sudden flight to quality, creating many sellers but few buyers for illiquid assets. These interlinkages and the

 potential "clustering" of bank runs are the issues which policy makers consider when addressing the issue of 

protecting a system against systemic risk.[1][5] Governments and market monitoring institutions (such as

the U.S. Securities and Exchange Commission (SEC), and central banks) often try to put policies and rules in

 place with the ostensible justification of safeguarding the interests of the market as a whole, claiming that the

trading participants in financial markets are entangled in a web of dependencies arising from their 

interlinkage. In simple English, this means that some companies are viewed as too big and too interconnected

to fail. Policy makers frequently claim that they are concerned about protecting the resiliency of the system,

rather than any one individual in that system.

Systemic risk should not be confused with market or price risk as the latter is specific to the item

 being bought or sold and the effects of market risk are isolated to the entities dealing in that specific item.

This kind of risk can be mitigated by hedging an investment by entering into a mirror trade.


Insurance is often easy to obtain against "systemic risks" because a party issuing that insurance can pocket the premiums, issue dividends to shareholders, enter insolvency proceedings if a catastrophic event ever takes place, and hide behind limited liability. Such insurance, however, is not effective for the insured entity.

One argument that was used by financial institutions to obtain special advantages in bankruptcy for derivative contracts was a claim that the market is both critical and fragile. However, evidence overwhelmingly suggests that such special treatment, justified by arguments about systemic risk, actually exacerbated systemic risk during the financial crisis and forced the government to bail out derivatives traders.

Systemic risk can also be defined as the likelihood and degree of negative consequences to the larger body. With respect to federal financial regulation, the systemic risk of a financial institution is the likelihood and the degree that the institution's activities will negatively affect the larger economy such that unusual and extreme federal intervention would be required to ameliorate the effects.

Unsystematic Risk

Company or industry specific risk that is inherent in each investment. The amount of unsystematic risk can be reduced through appropriate diversification. Also known as "specific risk," "diversifiable risk" or "residual risk."

For example, news that is specific to a small number of stocks, such as a sudden strike by the employees of a company you have shares in, is considered to be unsystematic risk.

While systematic risk factors affect many firms in an economy, unsystematic risk factors affect either a single firm or a group of firms. The risk that a firm loses its successful CEO is an example of an unsystematic risk factor. While the loss can affect the firm's performance substantially, it would have very little impact on other firms in the economy.

Unsystematic risk is a concept in finance and portfolio theory that refers to the extent to which a company's stock return is uncorrelated with the return of the overall stock market. This type of risk may be thought of as industry-specific or company-specific risk. It is the opposite of systematic risk, which is that risk inherent to an entire market.

It is commonly referred to as specific or idiosyncratic risk, since unsystematic risk affects only a relatively few firms rather than the overall market. For example, the risk of food poisoning is unsystematic risk, since it applies only to firms handling human food. Key man risk is also unsystematic, since few individual companies are likely to suffer a large drop in value if their leaders were to suffer unexpected incapacitation.

The unsystematic risk inherent in individual stocks is routinely quantified by professional investors using statistical regression analysis. Like all forms of risk, it is measured as the volatility of returns, with returns including both stock, or share, price appreciation and dividends.

From the point of view of an investor, all risk is a negative. Some risk is less negative than others, however, and detracts less from the value of an asset. Unsystematic risk is preferable to systematic risk since its negative effect can be removed within the context of an overall portfolio. As a result, unsystematic risk is also known as diversifiable risk.

The concept of unsystematic and systematic risk is very helpful for investors seeking to construct a large, diversified investment portfolio that mirrors the overall market. If constructed well, that portfolio will closely track the market. If the market increases in value, the portfolio will also increase in value by the same percentage. If the overall market decreases in value, the portfolio will also go down. Adding a stock that is uncorrelated with the overall market to a portfolio will tend to decrease the volatility of that portfolio's return. To that extent, the portfolio is said to become more efficient. The unsystematic risk of the individual stock is removed through the diversification inherent in the overall portfolio.

The investment market does not reward investors for carrying unsystematic risk: it does not allow investors to be compensated for incurring the specific risk inherent in an individual stock. Competition in the investment market drives down the price of a stock to a level that eliminates any compensation for this risk. Efficient investors neutralize the negative impact of unsystematic risk through efficient portfolio diversification.

What Are Unsystematic and Systematic Risks?

All investments are subject to risk. It is generally believed that investors are rewarded for taking risk. However, some risk is not rewarded. Investors need to control or eliminate risks for which they are not rewarded from their investment portfolio. Investment risks can be placed into two broad categories: unsystematic and systematic risks.

Unsystematic risk (also called diversifiable risk) is risk that is specific to a company. This type of risk could include dramatic events such as a strike, a natural disaster such as a fire, or something as simple as slumping sales. Two common sources of unsystematic risk are business risk and financial risk.

Diversification can greatly reduce unsystematic risk from a portfolio. It is unlikely that events such as the ones listed above would happen in every firm at the same time. Therefore, by diversifying, one can reduce their risk. There is no reward for taking on unneeded unsystematic risk.

On the other hand, some events can affect all firms at the same time. Events such as inflation, war, and fluctuating interest rates influence the entire economy, not just a specific firm or industry. Diversification cannot eliminate the risk of facing these events. Therefore, it is considered un-diversifiable risk. This type of risk accounts for most of the risk in a well-diversified portfolio. It is called systematic risk or market risk. However, the expected returns on their investments can reward investors for enduring systematic risks.

Investors are induced to take risks for potentially higher returns. However, not all risks offer such potential rewards. The wise investor identifies these risks and eliminates them from his or her portfolio through


Difference between systematic risk and unsystematic risk

| Systematic Risk | Unsystematic Risk |
|---|---|
| This type of risk affects all securities in a market. | This type of risk is unique to a security or a company. |
| This risk is dependent on political or economic factors. | This risk is independent of political or economic factors. |
| It is also known as Market Risk. | It is also known as Diversifiable Risk. |
| It occurs due to imbalance in the political situation or fluctuation in the market etc. | This risk arises from management inefficiency, unsuccessful planning etc. |
| It can be reduced by holding better portfolios of company's securities. | It can be reduced by holding a large number of securities. |

Systematic Risk

Systematic risk is risk associated with market returns. This is risk that can be attributed to broad factors. It is risk to your investment portfolio that cannot be attributed to the specific risk of individual investments. Sources of systematic risk could be macroeconomic factors such as inflation, changes in interest rates, fluctuations in currencies, recessions, wars, etc. Macro factors which influence the direction and volatility of the entire market would be systematic risk. An individual company cannot control systematic risk.

Systematic risk can be partially mitigated by asset allocation. Owning different asset classes with low correlation can smooth portfolio volatility because asset classes react differently to macroeconomic factors. When some asset categories (i.e. domestic equities, international stocks, bonds, cash, etc.) are increasing others may be falling and vice versa.

I prefer using a tactical asset allocation because I want to adjust my asset allocation target according to valuations. When mitigating systematic risk within a diversified portfolio, cash may be the most important and underappreciated asset category.

Unsystematic Risk

Unsystematic risk is company specific or industry specific risk. This is risk attributable or specific to the individual investment or small group of investments. It is uncorrelated with stock market returns. Other names used to describe unsystematic risk are specific risk, diversifiable risk, idiosyncratic risk, and residual risk.

Examples of risk that might be specific to individual companies or industries are business risk, financing risk, credit risk, product risk, legal risk, liquidity risk, political risk, operational risk, etc. Unsystematic risks are considered governable by the company or industry.

Investment diversification can nearly eliminate unsystematic risk. If an investor owns just one stock or bond and something negative happens to that company the investor suffers great harm. But if an investor owns a diversified portfolio of 20, 30, or 40 individual investments, the damage done to the portfolio is minimized. The important concept of unsystematic risk is that it is not correlated to market risk and can be nearly eliminated by diversification.

Diversifiable risk (also known as unsystematic risk) represents the portion of an asset's risk that is associated with random causes that can be eliminated through diversification. It is attributable to firm-specific events, such as strikes, lawsuits, regulatory actions, and loss of a key account. Unsystematic risk is due to factors specific to an industry or a company like labor unions, product category, research and development, pricing, marketing strategy etc.

The non-diversifiable risk (also known as systematic risk) is the relevant portion of an asset's risk attributable to market factors that affect all firms such as war, inflation, international incidents, and political events. It cannot be eliminated through diversification, and the combination of a security's non-diversifiable risk and diversifiable risk is called total risk.

In other words, systematic risk is due to risk factors that affect the entire market such as investment policy changes, foreign investment policy, change in taxation clauses, shift in socio-economic parameters, global security threats and measures etc. Systematic risk is beyond the control of investors and cannot be mitigated to a large extent. In contrast to this, the unsystematic risk can be mitigated through portfolio diversification. It is a risk that can be avoided and the market does not compensate for taking such risks.
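To make the regression measurement and the diversification argument above concrete, here is an added worked example (not part of the original notes). It assumes the one-factor market model r_i = alpha_i + beta_i * r_m + eps_i, generates constructed synthetic daily returns rather than using market data, and the function names are hypothetical; it estimates each stock's beta by ordinary least squares, splits total variance into a systematic part (beta^2 * Var(market)) and an unsystematic part (residual variance), and then shows the unsystematic part shrinking as an equal-weight portfolio grows from 1 to 40 stocks while the systematic part stays.

```python
"""Systematic vs unsystematic risk: regression decomposition and diversification.

Added example, not from the original notes. It assumes the one-factor market
model r_i = alpha_i + beta_i * r_m + eps_i and uses constructed synthetic
returns (no real market data).
"""
import math
import random
from statistics import mean, pvariance


def simulate_returns(n_stocks=40, n_days=2500, seed=7):
    """Constructed sample: market returns plus n_stocks one-factor stocks.

    Returns (market, stocks, true_betas); stocks[i] is the daily return series
    of stock i. The firm-specific noise eps_i is independent across stocks,
    which is exactly what makes it diversifiable.
    """
    rng = random.Random(seed)
    market = [rng.gauss(0.0004, 0.01) for _ in range(n_days)]
    stocks, true_betas = [], []
    for _ in range(n_stocks):
        beta = 0.5 + rng.random()                # true beta in [0.5, 1.5)
        sigma_eps = 0.015 + 0.01 * rng.random()  # firm-specific daily volatility
        true_betas.append(beta)
        stocks.append([0.0001 + beta * m + rng.gauss(0.0, sigma_eps)
                       for m in market])
    return market, stocks, true_betas


def ols_beta(stock, market):
    """Ordinary least squares of stock returns on market returns.

    Returns (alpha, beta, residuals). The residuals are the firm-specific
    component that the market factor cannot explain.
    """
    m_bar, s_bar = mean(market), mean(stock)
    cov = sum((m - m_bar) * (s - s_bar) for m, s in zip(market, stock))
    var_m = sum((m - m_bar) ** 2 for m in market)
    beta = cov / var_m
    alpha = s_bar - beta * m_bar
    residuals = [s - (alpha + beta * m) for s, m in zip(stock, market)]
    return alpha, beta, residuals


def decompose_risk(returns, market):
    """Split total return variance into systematic and unsystematic parts.

    total = beta^2 * Var(market) + Var(residuals); because OLS with an
    intercept makes the residuals orthogonal to the market, the cross term is
    zero and the two parts add up to the total exactly.
    """
    _, beta, residuals = ols_beta(returns, market)
    total = pvariance(returns)
    systematic = beta ** 2 * pvariance(market)
    unsystematic = pvariance(residuals)
    return {"beta": beta, "total": total, "systematic": systematic,
            "unsystematic": unsystematic}


def equal_weight_portfolio(stocks):
    """Daily returns of a portfolio holding each of the given stocks equally."""
    n = len(stocks)
    return [sum(day) / n for day in zip(*stocks)]


def diversification_curve(stocks, market, sizes=(1, 5, 10, 20, 40)):
    """Unsystematic volatility (std dev of residuals) of equal-weight portfolios
    of growing size. Independent firm-specific noise shrinks roughly as
    1/sqrt(N); the systematic part does not diversify away."""
    return {n: math.sqrt(decompose_risk(equal_weight_portfolio(stocks[:n]),
                                         market)["unsystematic"])
            for n in sizes}


if __name__ == "__main__":
    market, stocks, true_betas = simulate_returns()
    one = decompose_risk(stocks[0], market)
    print(f"stock 0: true beta {true_betas[0]:.2f}, estimated {one['beta']:.2f}")
    print(f"  total var {one['total']:.2e} = systematic {one['systematic']:.2e}"
          f" + unsystematic {one['unsystematic']:.2e}")
    for n, vol in diversification_curve(stocks, market).items():
        print(f"{n:3d}-stock portfolio: unsystematic daily vol {vol:.4f}")
```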

Market risk

Market risk is the risk of losses in positions arising from movements in market prices.[1] Some market risks include:

- Equity risk, the risk that stock or stock index (e.g. Euro Stoxx 50, etc.) prices and/or their implied volatility will change.
- Interest rate risk, the risk that interest rates (e.g. Libor, Euribor, etc.) and/or their implied volatility will change.

- Currency risk, the risk that foreign exchange rates (e.g. EUR/USD, EUR/GBP, etc.) and/or their implied volatility will change.
- Commodity risk, the risk that commodity prices (e.g. corn, copper, crude oil, etc.) and/or their implied volatility will change.

Economic Risk

The possibility that an economic downturn will negatively impact an investment. For example, launching a luxury product immediately before or during a recession carries a great deal of economic risk. Economic risk is closely related to political risk as government decisions impacting the economy may also affect an investment. For example, a central bank may raise interest rates or the legislature may raise taxes, and this may result in economic conditions impacting an investment.

Interest rate risk

Interest rate risk is the risk that interest rates (e.g. Libor, Euribor, etc.) and/or their implied volatility will change.

Interest rate risk is the risk that arises for bond owners from fluctuating interest rates. How much interest rate risk a bond has depends on how sensitive its price is to interest rate changes in the market. The sensitivity depends on two things, the bond's time to maturity, and the coupon rate of the bond.[1]

The risk that an investment's value will change due to a change in the absolute level of interest rates, in the spread between two rates, in the shape of the yield curve or in any other interest rate relationship. Such changes usually affect securities inversely and can be reduced by diversifying (investing in fixed-income securities with different durations) or hedging (e.g. through an interest rate swap).

Interest rate risk affects the value of bonds more directly than stocks, and it is a major risk to all bondholders. As interest rates rise, bond prices fall and vice versa. The rationale is that as interest rates increase, the opportunity cost of holding a bond decreases since investors are able to realize greater yields by switching to other investments that reflect the higher interest rate. For example, a 5% bond is worth more if interest rates decrease since the bondholder receives a fixed rate of return relative to the market, which is offering a lower rate of return as a result of the decrease in rates.
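As an added worked example (not from the original notes), the following code prices a plain annual-coupon bond under a flat yield and tabulates the percentage price change for a 100 basis point rise in yields across several maturities and coupon rates, which exhibits both sensitivities the text names (longer maturity and lower coupon mean more interest rate risk); the 5% bond from the text is priced at 5% and at 4% to show the gain when rates fall. The face value of 100, the yield levels and the function names are assumptions.

```python
"""Interest rate risk of a fixed-coupon bond: price sensitivity by maturity and coupon.

Added example, not from the original notes. It assumes a plain bond paying
annual coupons on a face value of 100 under a flat yield; the yields and
coupons below are constructed values, not market quotes.
"""


def bond_price(coupon_rate, years, yield_rate, face=100.0):
    """Present value of the coupon stream plus the face value repaid at maturity."""
    coupon = face * coupon_rate
    price = sum(coupon / (1 + yield_rate) ** t for t in range(1, years + 1))
    price += face / (1 + yield_rate) ** years
    return price


def macaulay_duration(coupon_rate, years, yield_rate, face=100.0):
    """Present-value-weighted average time (in years) to the bond's cash flows.

    A zero-coupon bond's duration equals its maturity; coupons pull it earlier.
    """
    coupon = face * coupon_rate
    price = bond_price(coupon_rate, years, yield_rate, face)
    weighted = sum(t * coupon / (1 + yield_rate) ** t for t in range(1, years + 1))
    weighted += years * face / (1 + yield_rate) ** years
    return weighted / price


def modified_duration(coupon_rate, years, yield_rate, face=100.0):
    """First-order price sensitivity: dP/P is approximately -D_mod * dy."""
    return macaulay_duration(coupon_rate, years, yield_rate, face) / (1 + yield_rate)


def price_change_pct(coupon_rate, years, yield_from, yield_to, face=100.0):
    """Exact percentage price change when the yield moves from yield_from to yield_to."""
    p0 = bond_price(coupon_rate, years, yield_from, face)
    p1 = bond_price(coupon_rate, years, yield_to, face)
    return 100.0 * (p1 - p0) / p0


def sensitivity_table(yield_from=0.05, shock=0.01,
                      coupons=(0.02, 0.05, 0.08), maturities=(2, 10, 30)):
    """Percentage price change for a rise of `shock` in yields, by coupon and maturity.

    Returns {(coupon_rate, years): pct_change}; the more negative the number,
    the more interest rate risk the bond carries.
    """
    return {(c, n): price_change_pct(c, n, yield_from, yield_from + shock)
            for c in coupons for n in maturities}


if __name__ == "__main__":
    print("5% coupon, 10y bond at 5% yield:", round(bond_price(0.05, 10, 0.05), 4))
    print("same bond at 4% yield:", round(bond_price(0.05, 10, 0.04), 4))
    print("modified duration at 5%:", round(modified_duration(0.05, 10, 0.05), 3))
    for (c, n), chg in sensitivity_table().items():
        print(f"coupon {c:.0%}, {n:2d}y: {chg:+.2f}% for +100bp")
```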

Foreign exchange risk

Foreign exchange risk (also known as exchange rate risk or currency risk) is a financial risk posed by an exposure to unanticipated changes in the exchange rate between two currencies.[1][2] Investors and multinational businesses exporting or importing goods and services or making foreign investments throughout the global economy are faced with an exchange rate risk which can have severe financial consequences if not managed appropriately.[3][4]

1. The risk of an investment's value changing due to changes in currency exchange rates.

2. The risk that an investor will have to close out a long or short position in a foreign currency at a loss due to an adverse movement in exchange rates. Also known as "currency risk" or "exchange-rate risk".

This risk usually affects businesses that export and/or import, but it can also affect investors making international investments. For example, if money must be converted to another currency to make a certain investment, then any changes in the currency exchange rate will cause that investment's value to either decrease or increase when the investment is sold and converted back into the original currency.

Credit risk

Credit risk refers to the risk that a borrower will default on any type of debt by failing to make payments which it is obligated to do.[1] The risk is primarily that of the lender and includes lost principal and interest, disruption to cash flows, and increased collection costs. The loss may be complete or partial and can arise in a number of circumstances.[2] For example:

- A consumer may fail to make a payment due on a mortgage loan, credit card, line of credit, or other loan
- A company is unable to repay amounts secured by a fixed or floating charge over the assets of the company
- A business or consumer does not pay a trade invoice when due
- A business does not pay an employee's earned wages when due
- A business or government bond issuer does not make a payment on a coupon or principal payment when due
- An insolvent insurance company does not pay a policy obligation
- An insolvent bank won't return funds to a depositor
- A government grants bankruptcy protection to an insolvent consumer or business

To reduce the lender's credit risk, the lender may perform a credit check on the prospective borrower, may require the borrower to take out appropriate insurance, such as mortgage insurance, or seek security or guarantees of third parties, besides other possible strategies. In general, the higher the risk, the higher will be the interest rate that the debtor will be asked to pay on the debt.

Types of credit risk

Credit risk can be classified in the following way:

- Credit default risk - The risk of loss arising from a debtor being unlikely to pay its loan obligations in full or the debtor is more than 90 days past due on any material credit obligation; default risk may impact all credit-sensitive transactions, including loans, securities and derivatives.
- Concentration risk - The risk associated with any single exposure or group of exposures with the potential to produce large enough losses to threaten a bank's core operations. It may arise in the form of single name concentration or industry concentration.
- Country risk - The risk of loss arising from a sovereign state freezing foreign currency payments (transfer/conversion risk) or when it defaults on its obligations (sovereign risk).

Liquidity risk

The risk that arises from the difficulty of selling an asset. An investment may sometimes need to be sold quickly. Unfortunately, an insufficient secondary market may prevent the liquidation or limit the funds that can be generated from the asset. Some assets are highly liquid and have low liquidity risk (such as stock of a publicly traded company), while other assets are highly illiquid and have high liquidity risk (such as a house).

Liquidity is generally defined as the ability of a financial firm to meet its debt obligations without incurring unacceptably large losses. An example is a firm preferring to repay its outstanding one-month commercial paper obligations by issuing new commercial paper instead of by selling assets. Thus, "funding liquidity risk" is the risk that a firm will not be able to meet its current and future cash flow and collateral needs, both expected and unexpected, without materially affecting its daily operations or overall financial condition. Financial firms are especially sensitive to funding liquidity risk since debt maturity transformation (for example, funding longer-term loans or asset purchases with shorter-term deposits or debt obligations) is one of their key business areas.

In response to this well-known risk, financial firms establish and maintain liquidity management systems to assess their prospective funding needs and ensure the funds are available at appropriate times. A key element of these systems is monitoring and assessing the firm's current and future debt obligations and planning for any unexpected funding needs, regardless of whether they arise from firm-specific factors, such as a drop in the firm's collateral value, or from systemic (economy-wide) factors. To balance its funding demand, both expected and unexpected, with available supply, a firm must also incorporate its costs and profitability targets.

Financial firms can meet their liquidity needs through several sources ranging from existing assets to debt obligations and equity. The most readily available is operating cash flows arising from interest and principal payments from existing assets, service fees, and the receipt of funds from various transactions. For example, active management of the timing and maturity of firms' asset and liability cash flows can enhance liquidity. In addition, firms may sell assets that are near-term cash equivalents, such as government securities. This is typically done on a contingency basis to meet unexpected cash needs, and such liquidity reserves must be actively managed, since the assets must be unencumbered (that is, not pledged as collateral for any other transaction) and easy to liquidate under potentially adverse market conditions.

Operational risk

An operational risk is defined as a risk incurred by an organisation's internal activities. Operational risk is the broad discipline focusing on the risks arising from the people, systems and processes through which a company operates. It can also include other classes of risk, such as fraud, legal risks, physical or environmental risks.

A widely used definition of operational risk is the one contained in the Basel II [1] regulations. This definition states that operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Operational risk management differs from other types of risk, because it is not used to generate profit (e.g. credit risk is exploited by lending institutions to create profit, market risk is exploited by traders and fund managers, and insurance risk is exploited by insurers). They all however manage operational risk to keep losses within their risk appetite - the amount of risk they are prepared to accept in pursuit of their objectives. What this means in practical terms is that organisations accept that their people, processes and systems are imperfect, and that losses will arise from errors and ineffective operations. The size of the loss they are prepared to accept, because the cost of correcting the errors or improving the systems is disproportionate to the benefit they will receive, determines their appetite for operational risk.

The Basel II Committee defines operational risk as:

"The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."

However, the Basel Committee recognizes that operational risk is a term that has a variety of meanings and therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided that the minimum elements in the Committee's definition are included.

Legal Risk

The potential loss that may occur to an investment as a result of insufficient, improperly applied, or simply unfavorable legal proceedings in the country in which the investment is made. For example, a country may have inadequate bankruptcy protection or, in an extreme circumstance, the government may be able to seize property without provocation. On the other hand, legal risk exists even in countries that operate under the rule of law: a court, for instance, may find against a company in a given lawsuit, creating a precedent for other companies with similar operations.

Legal risk also covers the risk that a counterparty is not legally able to enter into a contract. Another legal risk relates to regulatory risk, i.e., that a transaction could conflict with a regulator's policy or, more generally, that legislation might change during the life of a financial contract.

A description of the potential for loss arising from the uncertainty of legal proceedings, such as bankruptcy, and potential legal proceedings.

Regulatory Risk

Exposure to financial loss arising from the probability that regulatory agencies will make changes in the current rules (or will impose new rules) that will negatively affect already-taken trading positions.

The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape.

For example, utilities face a significant amount of regulation in the way they operate, including the quality of infrastructure and the amount that can be charged to customers. For this reason, these companies face regulatory risk that can arise from events - such as a change in the fees they can charge - that may make operating the business more difficult.

Another type of regulatory risk would be a change by the government in the amount of margin that investment accounts are able to have. While this is an unlikely change, if it were to be changed, the impact on the stock market would be material as this would force investors to either meet the new margin requirements or sell off their margined positions.

Political risk

The risk that an investment's returns could suffer as a result of political changes or instability in a country. Instability affecting investment returns could stem from a change in government, legislative bodies, other foreign policy makers, or military control.

Political risk is also known as "geopolitical risk," and becomes more of a factor as the time horizon of an investment gets longer.


Political risks are notoriously hard to quantify because there are limited sample sizes or case studies when discussing an individual nation. Some political risks can be insured against through international agencies or other government bodies.

The outcome of a political risk could drag down investment returns or even go so far as to remove the ability to withdraw capital from an investment.

The risk of loss when investing in a given country caused by changes in a country's political structure or policies, such as tax laws, tariffs, expropriation of assets, or restriction in repatriation of profits. For example, a company may suffer from such loss in the case of expropriation or tightened foreign exchange repatriation rules, or from increased credit risk if the government changes policies to make it difficult for the company to pay creditors.

Political risk is a type of risk faced by investors, corporations, and governments. It is a risk that can be understood and managed with reasoned foresight and investment.

Broadly, political risk refers to the complications businesses and governments may face as a result of what are commonly referred to as political decisions, or "any political change that alters the expected outcome and value of a given economic action by changing the probability of achieving business objectives".[1] Political risk faced by firms can be defined as "the risk of a strategic, financial, or personnel loss for a firm because of such nonmarket factors as macroeconomic and social policies (fiscal, monetary, trade, investment, industrial, income, labour, and developmental), or events related to political instability (terrorism, riots, coups, civil war, and insurrection)."[2] Portfolio investors may face similar financial losses. Moreover, governments may face complications in their ability to execute diplomatic, military or other initiatives as a result of political risk.

A low level of political risk in a given country does not necessarily correspond to a high degree of political freedom. Indeed, some of the more stable states are also the most authoritarian. Long-term assessments of political risk must account for the danger that a politically oppressive environment is only stable as long as top-down control is maintained and citizens prevented from a free exchange of ideas and goods with the outside world.[3]

Understanding risk partly as probability and partly as impact provides insight into political risk. For a business, the implication for political risk is that there is a measure of likelihood that political events may complicate its pursuit of earnings through direct impacts (such as taxes or fees) or indirect impacts (such as opportunity cost forgone). As a result, political risk is similar to an expected value such that the likelihood of a political event occurring may reduce the desirability of that investment by reducing its anticipated returns.

There are both macro- and micro-level political risks. Macro-level political risks have similar impacts across all foreign actors in a given location. While these are included in country risk analysis, it would be incorrect to equate macro-level political risk analysis with country risk as country risk only looks at national-level risks and also includes financial and economic risks. Micro-level risks focus on sector, firm, or project specific risk.

Reputational risk

Reputational risk, often called reputation risk, is a type of risk related to the trustworthiness of business. Damage to a firm's reputation can result in lost revenue or destruction of shareholder value, even if the company is not found guilty of a crime. Reputational risk can be a matter of corporate trust, but serves also as a tool in crisis prevention.[1]

This type of risk can be informational in nature or even financial. Extreme cases may even lead to bankruptcy (as in the case of Arthur Andersen). Recent examples of companies include: Toyota, Goldman Sachs, Oracle Corporation, NatWest and BP. The reputational risk may not always be the company's fault as per the case of the Tylenol cyanide panic after seven people died in 1982.[2]

Reputational risk

A company's reputation is perhaps its most valuable asset. Reputational risk is the possible loss of the organisation's reputational capital. Imagine that the company has an account similar to a bank account that they are either filling up or depleting. Every time the company does something good, its reputational capital account goes up; every time the company does something bad, or is accused of doing something bad, the account goes down.

The commercial bank examination manual, which is a supervisory manual published by the Federal Reserve Board in the US to provide guidance in bank inspections, defines reputational risk as the potential loss in reputational capital based on either real or perceived losses in reputational capital. In fact, the manual states very clearly that a company can lose its reputation whether allegations are true or not.

Some corporations try to understand what the potential risks are to the company's reputation and either prepare crisis management responses or solutions.

Many of the leading experts in the field of communication and strategy believe that being able to assess and manage a company's reputational risk is one way to attain a competitive edge, especially in an increasingly negative global business environment as shown in polls describing people's feelings toward business, such as the Edelman Trust Barometer.

Example

The pharmaceutical company Merck knew that side effects from the drug Vioxx could lead to heart problems in some patients. In fact, after the company faced lawsuits related to the complications from taking this drug, a memo was discovered showing that executives within the company knew about the side effects and had warned senior managers about the dangers associated with taking Vioxx in some patients. These warnings were ignored. If the company had understood the risk to its reputation, it would have understood that in the long term, the money it was making selling the drug was not worth the potential loss in reputational capital to the organization as a whole.


Project risk

A project risk is an uncertain event that, if it occurs, has a positive or negative effect on the prospects of achieving project objectives.

Three aspects of the definition are especially important:

- Uncertain event: something may or may not happen, e.g. somebody becomes ill or the temperature drops below a certain point, making a chemical process impossible.
- Positive or negative effect: project risk is not necessarily negative (increased costs, decreased quality etc.); it can also be positive (new valuable product features due to the use of new technology, or opening up a new market segment due to some project adjustments).
- Project objectives: the project goals are at stake if a risk occurs. Severe negative risks can lead to the cancellation of a project, whereas minor risks may slightly increase the completion time of a project.

Strategy risk

Exposure to loss resulting from a strategy that turns out to be defective or inappropriate.

Strategic risk is the risk of losses to the credit organization as a result of mistakes made (imperfections) in taking decisions that define the strategy of the Bank's activity and development (strategic management). Such mistakes include failing to consider, or insufficiently considering, possible threats to the Bank's activity; an inadequate or insufficiently substantiated definition of the prospective business lines where the Bank could gain an advantage over its competitors; and the absence or incomplete provision of the necessary resources (financial, material and technical, human) and organizational measures (managerial decisions) that must ensure the achievement of the strategic objectives of the credit organization.

The major goal of strategic risk management is to maintain the risks taken by the Bank at levels determined in accordance with its strategic tasks and to ensure the safety of assets and capital by minimizing possible losses.

The Bank uses the following methods of strategic risk management:

- business planning;
- financial planning;
- monitoring of the implementation of approved plans;
- market analysis;
- readjustment of plans.

Demographic factors 


Socioeconomic characteristics of a population expressed statistically, such as age, sex, education level, income level, marital status, occupation, religion, birth rate, death rate, average size of a family, and average age at marriage. A census is a collection of the demographic factors associated with every member of a population.

Unit 6:

Risk assessment

Risk assessment is the determination of the quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called a hazard). Quantitative risk assessment requires calculations of two components of risk (R): the magnitude of the potential loss (L), and the probability (p) that the loss will occur. In all types of engineering of complex systems, sophisticated risk assessments are often made within safety engineering and reliability engineering when it concerns threats to life, the environment or machine functioning. The nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. Also, the medical, hospital, and food industries control risks and perform risk assessments on a continual basis. Methods for the assessment of risk may differ between industries and according to whether it pertains to general financial decisions or to environmental, ecological, or public health risk assessment.

Value at risk:

In financial mathematics and financial risk management, Value at Risk (VaR) is a widely used measure of the risk of loss on a specific portfolio of financial assets. For a given portfolio, probability and time horizon, VaR is defined as a threshold value such that the probability that the mark-to-market loss on the portfolio over the given time horizon exceeds this value (assuming normal markets and no trading in the portfolio) is the given probability level.

For example, if a portfolio of stocks has a one-day 5% VaR of $1 million, there is a 0.05 probability that the portfolio will fall in value by more than $1 million over a one-day period if there is no trading. Informally, a loss of $1 million or more on this portfolio is expected on 1 day out of 20 days (because of the 5% probability). A loss which exceeds the VaR threshold is termed a "VaR break". Thus, VaR is a piece of jargon favored in the financial world for a percentile of the predictive probability distribution for the size of a future financial loss. In other words, if you have a record of portfolio value over time then the VaR is simply the negative quantile function of those values.
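The "negative quantile" definition above can be carried out directly on a history of daily profit and loss. The following is an added worked example, not code from these notes: it computes a one-day historical-simulation VaR as the negative of the (1 - confidence) quantile of a constructed 20-day P&L series (USD millions, negative values are losses), lists the days that count as VaR breaks, and compares the observed number of breaks with the number the confidence level predicts (1 day in 20 at 95%). The P&L figures and the function names are assumptions made for the illustration.

```python
"""Historical-simulation Value at Risk (VaR) with a simple VaR-break back-test.

Added worked example; it is not code from these notes. The daily P&L history
below is constructed for illustration (USD millions, negative = loss).
"""
from __future__ import annotations

import math
from typing import Sequence

# Constructed 20-day profit-and-loss history for a hypothetical portfolio.
DAILY_PNL = [
    0.30, -0.45, 0.10, -1.00, 0.55, 0.05, -0.20, 0.80, -0.35, 0.15,
    -1.20, 0.40, -0.10, 0.25, -0.60, 0.70, -0.05, 0.20, -0.30, 0.50,
]


def quantile(values: Sequence[float], q: float) -> float:
    """Empirical q-quantile with linear interpolation between order statistics
    (the same convention NumPy uses by default)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must lie in [0, 1]")
    xs = sorted(values)
    if not xs:
        raise ValueError("need at least one observation")
    pos = q * (len(xs) - 1)          # fractional rank within the sorted sample
    lo, hi = math.floor(pos), math.ceil(pos)
    return xs[lo] + (xs[hi] - xs[lo]) * (pos - lo)


def historical_var(pnl: Sequence[float], confidence: float) -> float:
    """One-period VaR at the given confidence (0.95 gives the "5% VaR").

    VaR is the negative of the (1 - confidence) quantile of the P&L history:
    the loss that is exceeded with probability (1 - confidence), assuming the
    past distribution is representative and there is no trading over the horizon.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return -quantile(pnl, 1.0 - confidence)


def var_breaks(pnl: Sequence[float], var: float) -> list[int]:
    """Indices of days whose loss exceeded the VaR threshold (VaR breaks)."""
    return [i for i, x in enumerate(pnl) if -x > var]


def backtest(pnl: Sequence[float], confidence: float) -> dict[str, float | int]:
    """Compare observed VaR breaks with the count the confidence level predicts.

    At 95% confidence roughly 1 day in 20 should break; many more than that
    suggests the VaR figure (or the history it is computed from) understates risk.
    """
    var = historical_var(pnl, confidence)
    breaks = var_breaks(pnl, var)
    return {
        "var": var,
        "observed_breaks": len(breaks),
        "expected_breaks": (1.0 - confidence) * len(pnl),
    }


if __name__ == "__main__":
    for conf in (0.95, 0.99):
        result = backtest(DAILY_PNL, conf)
        print(f"{conf:.0%} one-day VaR = {result['var']:.3f}M, "
              f"breaks observed={result['observed_breaks']} "
              f"expected={result['expected_breaks']:.2f}")
```

On the constructed series the 95% one-day VaR comes out at 1.01 (million) and exactly one day, the -1.20 loss, is a VaR break, matching the "1 day in 20" reading of a 5% VaR. Note that this example computes the threshold and counts breaks on the same window, which is only a consistency check; a real back-test estimates VaR from a trailing window and counts breaks on the days that follow it, so that the test is out of sample.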

VaR has four main uses in finance:

- risk management,
- financial control,
- financial reporting and
- computing regulatory capital.

VaR is sometimes used in non-financial applications as well.

Operational risk management:

The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk. ORM is the oversight of operational risk, including the risk of loss resulting from inadequate or failed internal processes and systems; human factors; or external events.

Four Principles of ORM

The U.S. Department of Defense summarizes the principles of ORM as follows:

- Accept risk when benefits outweigh the cost.
- Accept no unnecessary risk.
- Anticipate and manage risk by planning.
- Make risk decisions at the right level.

Three Levels of ORM

In Depth

In-depth risk management is used before a project is implemented, when there is plenty of time to plan and prepare. Examples of in-depth methods include training, drafting instructions and requirements, and acquiring personal protective equipment.

Deliberate

Deliberate risk management is used at routine periods through the implementation of a project or process. Examples include quality assurance, on-the-job training, safety briefs, performance reviews, and safety checks.

Time Critical

Time-critical risk management is used during operational exercises or execution of tasks. It is defined as the effective use of all available resources by individuals, crews, and teams to safely and effectively accomplish the mission or task using risk management concepts when time and resources are limited. Examples of tools used include execution checklists and change management. This requires a high degree of situational awareness.
