LECTURE NOTES ON RISK MANAGEMENT
BY
DR PARVEEN NGUM N
CHAPTER ONE
GENERAL CONCEPTS
1.1 Introduction
Organizations of all kinds face challenging natural, political, socio-economic and
cultural influences that make their operating environment uncertain. These
influences may impact on the extent to which objectives can be met. The effect this
uncertainty has on the organization’s objectives is known as “RISK”.
1.2 DEFINITIONS
Risk management refers to the coordinated activities that an organization
takes to direct and control risk.
According to the international risk management standard, the success of risk
management will depend on the effectiveness of the management framework
providing the foundations and arrangements that will embed it throughout the
organization at all levels.
Within the standard the expressions “risk management” and “managing risk” are
both used. In general terms:
Risk management refers collectively to the principles, framework
and process for managing risk effectively, while
Managing risk refers to the application of these principles, framework
and process to particular risks.
Risk management can be value enhancing or value protecting or
both.
The actions, processes and controls put into place to manage risks that
affect the achievement of an organization’s strategy are value enhancing; that is,
they increase the potential for achieving strategic outcomes that add value to
the organization.
The actions, processes and controls put into place to manage risks that
have negative consequences are value protecting; that is, they protect the value
of the organization by protecting against or minimizing the impact of negative events.
All business organizations are committed to effective and efficient
planning, thinking and decision making. Management helps organizations
become more efficient and effective by improving forward planning and critical
thinking and enabling better informed decision making.
When the management of risk is effective, it generally goes
unnoticed. Conversely, when it is absent or fails, the impact is often highly
visible and felt across the entire organization.
1.3 Why should organizations adopt good risk management?
Adopting good risk management ensures that an organization can
undertake activities in the knowledge that:
a) Appropriate and adequate measures are in place to maximize the
benefits, and
b) Appropriate and adequate measures are in place to minimize the
negative or unanticipated effects of any of the risks or opportunities that are
presented in the course of achieving organizational objectives.
Before we proceed, a deep understanding of what risk is all about is
necessary in order to better understand how to manage it.
1.4 The concept of risk
What is risk?
Risk is a condition in which there exists a quantifiable dispersion in the possible
outcomes from any activity. It can be classified in a number of ways (CIMA
2005).
Risk has also been defined as “uncertain future events which could influence
the achievement of the organization’s strategic, operational and financial
objectives” (International Federation of Accountants, 1999).
In simple terms, a risk is a potential future harm that may arise from some
present action.
Risk in itself is not bad; risk is essential to progress and failure is often a
key part of learning, but we must learn to balance the possible negative
consequences of risk against the potential benefits of its associated opportunity
(Van Scoy 1992).
CHAPTER TWO
TYPES OF RISK
There are many types of risk that banks face. We will look at eight of the most important risks,
which are credit risk, market risk, operational risk, liquidity risk, business risk, reputational risk,
systemic risk and moral hazard.
Out of these eight risks, the first 3 are the 3 major risks. The 4th, 5th, and 6th are other
important risks, while systemic risk and moral hazard are unrelated to routine banking operations
but they do have a big bearing on a bank’s profitability and solvency.
All banks or organizations set up dedicated risk management departments to monitor,
manage and measure these risks. The risk management department helps the bank management
by continuously measuring the risk of its current portfolio of assets or loans, liabilities or
deposits, and other exposures. The department also communicates the bank’s risk profile to
other bank functions and takes steps, either directly or in collaboration with other bank functions,
to reduce the possibility of loss or to mitigate the size of the potential loss.
Let’s discuss these risks in detail:
1. CREDIT RISK / DEFAULT RISK
The Basel Committee on Banking Supervision (BCBS) defines credit risk as the potential
that a bank borrower will fail to meet its payment obligations regarding the terms agreed with
the bank. It includes both the uncertainty involved in repayment of the bank’s dues and repayment
of the dues on time. All banks face this type of risk.
Dimensions of credit risk
The default usually occurs because of inadequate income or business failure. But often it
may be willful because the borrower is unwilling to meet its obligations despite having
adequate income.
Credit risk signifies a decline in the credit asset value before default that arises
from the deterioration in a portfolio’s or an individual’s credit quality. Credit risk also
denotes the loss in the current and future earnings from the credit.
Banks create provisions at the time of disbursing a loan. Net charge-off is the
difference between the amount of loans gone bad and any recovery on the loans. An
unpaid loan is a risk of doing the business. The bank should position itself to
accommodate the expected outcomes within profits and provisions, leaving equity capital
as the final cushion for the unforeseen catastrophe.
2. Market risk
BCBS defines market risk as the risk of losses in on- or off-balance-sheet positions that
arise from movements in market prices. Market risk is most prominent for banks
present in investment banking.
Major components of market risks
The major components of market risks include:
Interest rate risk. It is the potential loss due to movements in interest rates. This
risk arises because a bank’s assets usually have a significantly longer maturity than
its liabilities. In banking language, management of interest rate risk is also called
asset-liability management.
Equity risk. It is the potential loss due to an adverse change in the stock price.
Banks can accept equity as collateral for loans and purchase ownership stakes in
other companies as investments from their free or investible cash. Any negative
change in stock price leads either to a loss or to a diminution in the investment’s value.
Commodity risk. It is the potential loss due to an adverse change in commodity
prices. These commodities include agricultural commodities, industrial commodities
(iron, copper and zinc) and energy commodities. Commodity values fluctuate a great deal due to
changes in demand and supply. Any bank holding them as part of an investment is
exposed to commodity risk.
Foreign exchange risk. It is the potential loss due to a change in the value of the bank’s
assets or liabilities resulting from exchange rate fluctuations. Banks transact in
foreign exchange for their customers or for the bank’s own accounts. Any adverse
movement can diminish the value of the foreign currency and cause a loss to the
bank.
3. Operational risk
BCBS defines operational risk as “the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events”. Operational risk occurs
in all day-to-day bank activities. Operational risk examples include a check incorrectly
cleared or a wrong order punched into a trading terminal.
Causes of operational risk
There are many causes of operational risk, which may arise from unknown and unexpected
sources. Most operational risks arise from one of three sources:
a) People risk: incompetency or wrong posting of personnel and misuse of powers.
b) Information technology risk: the failure of the information technology system,
the hacking of the computer network by outsiders and the programming errors
that can take place at any time and can cause loss to the bank.
c) Process-related risk: possibilities of errors in information processing, data
transmission and data retrieval, and inaccuracy of results or output.
Operational risk can lead to a bank’s collapse. The fall of one of Britain’s oldest banks,
Barings, in 1995 is an example of operational risk leading to a bank’s collapse.
4. Liquidity risk
Liquidity by definition means a bank has the ability to meet payment obligations,
primarily from its depositors, and has enough money to give loans. So liquidity risk is the
risk of the bank not having enough cash to carry out its day-to-day
operations.
Provision for adequate liquidity in a bank is crucial because a liquidity shortfall in
meeting commitments to other banks and financial institutions can have serious
repercussions on the bank’s reputation and the bank’s bond prices in the money market.
Liquidity risk can sometimes lead to a bank run, where depositors rush to
pull out their money from a bank, which further aggravates the situation. Banks therefore have to
proactively manage their liquidity risk to stay healthy.
5. Reputational risk
Reputational risk is the risk of damage to a bank’s image and public standing
that occurs due to some dubious actions taken by the bank. Sometimes reputational risk
can be due to perception or negative publicity against the bank, without any solid
evidence of wrongdoing. Reputational risk leads to the public’s loss of confidence in a
bank.
A bank’s failure to honor commitments to the government, regulators and the public at
large lowers its reputation.
Reputational risk can also arise from any type of situation relating to mismanagement of
the bank’s affairs or non-observance of the code of conduct under corporate governance.
Risks emerging from suppression of facts and manipulation of records and
accounts are also instances of reputational risk. Bad customer service, inappropriate staff
behavior and delay in decisions create a bad bank image among the public and hamper
business development.
6. Business risk
Business risk is a risk arising from a bank’s long-term business strategy. It deals with
a bank not being able to keep up with changing competition dynamics and consequently
losing market share over time and being closed or acquired. Business risk can also arise
from a bank choosing the wrong strategy, which might lead to its failure.
The banks that have a sound strategy come out of trouble stronger. Banks that want
to grow too fast and too soon beyond their means grow at a rapid pace for some time but
meet their doom sooner rather than later.
7. Systemic risk
Systemic risk refers to the risk that the entire financial system might come to a
standstill. It can also be stated as the possibility that default or failure by one financial
institution can cause domino effects among its counterparties and others, threatening the
stability of the financial system as a whole.
8. Moral hazard
You must have read or heard the phrase “too big to fail” in the media. Too big to
fail is nothing but moral hazard in a sense.
Moral hazard refers to a situation where a person, a group or an organization is
likely to have a tendency or a willingness to take a high-level risk even if it’s
economically unsound. The reasoning is that the person, group or organization knows that
the costs of such risk-taking, if it materializes, won’t be borne by the person, group or
organization taking the risk.
Economists describe moral hazard as any situation in which one person makes the
decision about how much risk to take, while someone else bears the costs if things go
badly.
Ways to control Moral Hazard
Moral hazard can be controlled through a good organizational culture, giving credence to
high ethical standards. A bank must also have a strong board of directors to oversee
management and to take remedial measures when needed. A well-crafted compensation
policy to avoid reckless risk taking would also help reduce this. Finally, strong regulations
would also help control moral hazard.
9. OTHER RISKS
LEGAL RISK
A bank can be exposed to legal risk. Legal risk can be in the form of financial loss arising
from legal suits filed against the bank or by a bank for applying a law wrongly.
COUNTRY RISK
A bank that operates in many countries also faces country risk when there is a localized
economic problem in a certain country. In such a scenario the bank’s holding company
may need to bear losses in case they exceed the capital of the subsidiary in another
country. The holding company in certain cases may also need to provide capital. All large
banks that operate in many countries bear country risk.
CHAPTER THREE
PRINCIPLES OF RISK MANAGEMENT
For any organization to manage its risks effectively, it should endeavor to implement
or follow the 11 principles of risk management. These principles are as follows:
1. CREATES AND PROTECTS VALUE
Good risk management contributes to the achievement of an organization’s objectives
through the continuous review of its processes and systems. So a good risk manager
must manage risk effectively, in such a way that it either creates value or protects
value.
2. BE AN INTEGRAL PART OF ORGANIZATIONAL PROCESSES
Risk management needs to be integrated with an organization’s governance framework
and become a part of its planning processes at both operational and strategic level.
3. BE PART OF DECISION MAKING
The process of risk management assists decision makers to make informed choices,
identify priorities and select the most appropriate actions. Therefore it is always important
to include the decision makers in the risk management process so that they can make
their own contributions regarding the areas of the decision that the risk can greatly affect.
4. Explicitly address uncertainty
By identifying potential risks, organizations can implement controls and treatments to
maximize the chance of gain while minimizing the chance of loss.
5. Be systematic, structured and timely
The process of risk management should be consistent across the organization to ensure
efficiency, consistency and the reliability of results.
6. Be based on the best available information
To effectively manage risk, it is important to understand and consider all available
information relevant to an activity and to be aware that there may be limitations on that
information. It is then important to understand how all this information informs the risk
management process.
7. Be tailored
An organization’s risk management work needs to include its risk profile as well as take
into consideration its internal and external operating environment.
8. Take into account human and cultural factors
Risk management needs to recognize the contribution that people and culture make to
achieving the organization’s objectives.
9. Be transparent and inclusive
Engaging stakeholders, both internal and external, throughout the risk management process
recognizes that communication and consultation are key to identifying, analyzing and
monitoring risk.
10. Be dynamic and responsive to change
The process of managing risk needs to be flexible. The challenging environment we
operate in requires that the organization should consider the context for managing risk as
well as continuing to identify new risks that emerge and make allowances for those risks
that no longer exist.
11. Facilitate the continual improvement of the organization
Organizations with a mature risk management culture are those that have invested
resources over time and are able to demonstrate the continual achievement of their
objectives.
CHAPTER FOUR
Attributes to enhance risk management and the risk management processes
4.1 Attributes to enhance risk management
There are 5 essential attributes to enhance risk management.
1. Accountability
An organization should fully accept accountability for its risks and develop
comprehensive control and treatment strategies.
2. Set performance goals and review them on a continuous basis
There is now an increased emphasis on continuous improvement in risk
management. An organization should set its performance goals and measures, and then
review and modify processes as required. An organization should also review and
modify its systems, resources and capability/skills to ensure continuous
improvement.
3. Put in place skilled personnel in charge of the risk management process
Individuals with accountability for risk management are identified. These
individuals should be appropriately skilled, have adequate resources to check and
improve controls and monitor risk, and should have the ability to communicate
effectively with all stakeholders.
4. Appropriate decision making
Decision making in an organization is very important and, as such, whatever its
level of importance and significance, it should include consideration of risk and the
application of the risk management process as appropriate.
5. Report performance frequently
Frequent reporting to all stakeholders of the organization’s risk management
performance should be included in the organization’s governance processes. This
reporting would be ongoing and highly visible.
4.2 Risk management processes
Risk management is no longer special or optional: it is a necessary
consideration each time we make a decision, whether to develop a relationship, start
a project or hold an event. It is required for good quality outcomes. We must
constructively align our activities and decision making with objectives and
outcomes that help us reach our strategic goals or successfully execute our
operational plans. This is risk management. To manage risk we apply the standard in
the way we are going to describe here. The risk management process or steps
include: establish the context, identify the risk, analyze the risk, evaluate the risk and treat
the risk.
STEP ONE: Establish the context
Establish the context by identifying the objectives of the project, event or
relationship and then consider the internal and external parameters within which
the risk must be managed.
Any proposed partnership, project or initiative should actively consider risk
and document the assessment formally. The risk manager must always identify the
purpose and objectives right at the beginning; focus on this at the outset of the risk
assessment to avoid being overwhelmed by details and data.
The processes here include:
1. Set the scope for the risk assessment by identifying what you are assessing. Is it
a new partnership, program, project or perhaps an event?
2. Define the broad objective. Here identify the reason for the risk assessment
perhaps a change in law, a request for an external auditor operational change or
view issues associated with not
3. Identify the relevant stakeholders. Here you should aim for an appropriately
inclusive process from the outset. Be sure to identify the areas that are, or might
be, impacted and seek their input. Make sure that appropriate delegations are
being exercised even at this early stage.
4. Gather background information: having proper information is very
important. Ask the right people and identify the information that is available.
Sometimes it is useful to identify the information that is available immediately
but might be necessary.
5. Establishing the context sets the framework within which the risk assessment
should be undertaken, ensures the reasons for carrying out the risk assessment are
clearly known, and provides the backdrop of circumstances against which risks
can be identified and assessed.
STEP TWO: Identify the risk
Identify the types of risk that might have an impact on achieving the objectives of the
company.
In this phase, identify the sources of the risk, areas of impact, events and their
causes and potential consequences. Describe those factors that might create,
enhance, prevent, degrade, accelerate or delay the achievement of your
objectives. Aim also to identify the issues associated with not pursuing an
opportunity, that is, the risk of doing nothing and missing an opportunity. In
identifying the risk, consider these kinds of questions:
What could happen: what might go wrong or what might prevent the
achievement of the relevant goals? What events or occurrences could
threaten the intended outcomes?
How could it happen: is the risk likely to occur at all or happen again? If
so, what could cause the risk event to recur or contribute to it happening
again?
Where could it happen: is the risk likely to occur anywhere or in any
environment/place? Or is it a risk that is dependent on the location, physical
area or activity?
Why might it happen: what factors would need to be present for the risk to
happen or occur again? Understanding why a risk might occur or be repeated
is important if the risk is to be managed.
What might be the impact: if the risk were to occur, what impact or
consequences would or might this have? Will the impact be felt
departmentally or will it impact on the whole organization?
Who does or can influence this partnership, program, project or event?
How much is within the organization’s control or influence?
Make sure that those with delegation, control, resources and budget are at
least informed, if not actively involved. This becomes more important when
considering the treatment for the risk. Wherever possible, provide
quantitative and/or qualitative data to assist in describing the risk or to
support the risk rating. Sources of information may include past records,
staff expertise, etc.
Step 3: analyze the risk
In this phase, it is required to develop a detailed understanding of the risk. Once
the risk has been identified and the context, causes, contributing factors and
consequences have been described, look at the strengths and weaknesses of existing
systems and processes designed to help control the risk. Knowing what controls are
already in place, and whether they are effective, helps to identify what, if any, further
action is needed.
The processes here include:
1. Identify the existing controls: here determine what controls are already in
place to mitigate the impact of the risk. Controls may include legislation,
policies or procedures, staff training, etc.
2. Once the controls have been identified, and their effectiveness analyzed, an
assessment is made of the likelihood of the risk occurring and the
consequence if the risk were to occur. This produces an accurate assessment
of the level of risk and it also helps to determine whether risks are acceptable
or need further treatment.
3. Assess the likelihood: the likelihood of the risk occurring is described as
rare, unlikely, possible, likely or almost certain to occur.
4. Assess the consequence: the consequences or potential impact if the risk event
occurred are described as insignificant, minor, moderate, major or extreme.
5. The assessment of likelihood and consequence is mostly subjective but can
be informed by data or information collected from audits, inspections, personal
experience, and a range of other available internal and external information.
6. Rate the level of risk. It is very important to rate the level of risk to see if the
risk is low, medium, high or extreme.
Step 4: evaluate the risk
Decide whether the risk is acceptable or unacceptable. Use your understanding of
the risk to make decisions about future actions.
Whether a risk is acceptable or unacceptable relates to a willingness to
tolerate the risk, i.e. the willingness to bear the risk after it is treated in order to
achieve the desired objectives. The attitude, appetite and tolerance for risk are likely
to vary over time across the organization as a whole.
Risk Attitude: it is an organization’s approach to assess and eventually
pursue, retain or turn away from risk.
Risk Appetite: it is the amount and type of risk that an organization is
willing to pursue or retain.
Risk Tolerance: it is an organization’s readiness to bear the risk after risk
treatment in order to achieve its objectives.
A risk may be acceptable or tolerable in the following circumstances:
No treatment is available
Treatment costs are prohibitive
The level of risk is low and does not warrant using resources to treat it
The opportunities involved significantly outweigh the threats.
It is important to remember that regarding a risk as acceptable or tolerable does not
imply that the risk is insignificant. Risks that are considered acceptable or tolerable
may still need to be monitored.
Step five: treat the risk
Risk treatment is simply the process taken to modify the risk. The organization
needs to ensure that effective strategies are put in place to minimize the frequency
and severity of the identified risk. Develop actions and implement treatments that
aim to control the risk.
Once the risk assessment phase is complete, identify the options for
treatment if there are any; otherwise tolerate the risk. Where options for treatment
are available and appropriate, record these treatment options as part of the risk
treatment plan.
Treatment options not applied to the source or root cause of a risk are likely
to be ineffective and can promote a false belief within the organization that the risk
is controlled.
The process here involves:
a) Decide if specific treatment is necessary or whether the risk can be adequately
treated in the course of standard management procedures and activities, i.e. embed
the treatment into day-to-day practices or processes.
b) Work out what kind of treatment is desirable for this risk. Here determine
what the goal is in treating this particular risk, i.e. is it to avoid it completely, or
reduce the likelihood or consequence, or transfer the risk to someone else such as
the insurer or contractor, or accept the level of risk based on existing information?
The type of risk treatment chosen will often depend on the nature of that risk.
c) Identify and design a preferred treatment option once the goal of treatment is
known. The various treatment options include:
Avoid the risk by not starting or continuing an activity
Take or increase risk in order to pursue an opportunity
Remove the risk source
Change the consequence
Share the risk, e.g. through insurance
Retain the risk by informed decisions
d) Evaluate treatment options and assess their feasibility relative to the tolerance
for risk.
e) Document the risk plan; once the treatment options have been identified, a risk
treatment plan should be prepared.
f) Implement agreed treatment; once any options requiring approval for
resourcing, funding or other actions have been approved, treatments should be
implemented by those identified as having the responsibility to do so.
h) Once the risk has been treated, assess the level of residual risk. Even when a
risk has been treated and the controls are in place, the risk may not be completely
eliminated. The level of residual risk refers to the likelihood and consequence of
the risk occurring after the risk has been treated. Once implemented, the treatments
provide or modify the controls. The residual risk rating is generally lower than the
original risk. It should be documented, monitored and reviewed; where appropriate,
further treatment might be prudent. Having a good awareness of residual risk is
important in monitoring and reviewing risk on an ongoing basis.
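The rating from Step 3, the tolerance decision from Step 4 and the residual-risk check from Step five can be kept together in a small risk register. The following is an added example, not part of the original notes; the notes do not say how likelihood and consequence combine, so the multiplication and its bands, the `tolerance` parameter and the sample register are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Scales exactly as named in Step 3 (items 3, 4 and 6) of the notes.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "extreme"]
LEVELS = ["low", "medium", "high", "extreme"]

# ASSUMPTION: each scale is scored 1-5, the two scores are multiplied and
# the product is banded. The notes do not define this mapping.
BANDS = [(4, "low"), (9, "medium"), (16, "high"), (25, "extreme")]


def rate(likelihood: str, consequence: str) -> str:
    """Step 3: rate the level of risk for one likelihood/consequence pair."""
    try:
        score = (LIKELIHOOD.index(likelihood) + 1) * (CONSEQUENCE.index(consequence) + 1)
    except ValueError:
        raise ValueError(f"unknown scale value: {likelihood!r} / {consequence!r}") from None
    return next(level for ceiling, level in BANDS if score <= ceiling)


@dataclass
class Risk:
    name: str
    original: Tuple[str, str]                   # (likelihood, consequence) with existing controls
    residual: Optional[Tuple[str, str]] = None  # same pair after treatment, if treated


def evaluate(risk: Risk, tolerance: str = "medium") -> dict:
    """Steps 4 and 5: compare the current rating with the tolerance.

    `tolerance` is the highest level the organization will bear (assumed parameter).
    """
    original = rate(*risk.original)
    residual = rate(*risk.residual) if risk.residual else None
    current = residual or original
    if residual and LEVELS.index(residual) > LEVELS.index(original):
        decision = "review treatment"       # treatment did not lower the rating
    elif LEVELS.index(current) <= LEVELS.index(tolerance):
        decision = "tolerate and monitor"   # acceptable risks are still monitored
    else:
        decision = "treat further"
    return {"risk": risk.name, "original": original,
            "residual": residual, "decision": decision}


# Constructed sample register, using the operational-risk examples from Chapter Two.
REGISTER = [
    Risk("Wrong order punched into trading terminal",
         ("likely", "moderate"), ("unlikely", "moderate")),
    Risk("Hacking of the computer network by outsiders",
         ("possible", "extreme"), ("unlikely", "extreme")),
    Risk("Check incorrectly cleared", ("unlikely", "minor")),
]


def assess_register(register=REGISTER, tolerance: str = "medium") -> list:
    """Evaluate every entry in the register against one tolerance level."""
    return [evaluate(r, tolerance) for r in register]


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```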
Once these 5 steps have been implemented, it is very important thereafter to
monitor or review the risk and then communicate and consult as discussed below:
Monitor and review
Monitor changes to the source and context of risk, the tolerance for certain risks
and the adequacy of controls. Ensure processes are put in place to review and
report on risk regularly.
To ensure structured reviews and regular reporting occur, each department in an
organization is encouraged to identify a process that allows key risks within its
areas to be monitored.
Given the diverse and dynamic nature of a business organization’s environment, it is
important to be alert to emerging risks as well as monitoring known risks.
The process here is as follows:
Continuous monitoring: once risks have been identified, recorded and analyzed, and
the agreed treatments have been implemented, an appropriate monitoring and
reporting regime needs to be established to provide assurance that the treatment
has been effective and now helps to control the risk.
Departmental management review: managers need to ensure there is a process
of reviewing the risk profile and activities in their areas of responsibility.
Internal Audit: the organization’s internal audit program provides for a review of
systems, policies and process assurance and compliance.
External Audit: the external auditing should not just cover areas of finance,
governance and contracting but should also cover all the areas of risk as well.
Communicate and consult
Effective communication and consultation is essential to ensure that those
responsible for implementing risk management understand the basis on
which decisions are made and the reasons why particular treatment options are
selected.
Communicate and consult with internal and external stakeholders during any and
all stages of the risk management process, particularly when plans are first being
considered and when significant decisions need to be made.
Risk management is enhanced through effective communication and consultation
when all parties understand each other’s perspectives and, where appropriate, are
actively involved in decision making.
Methods of communication and consultation may include meetings, distribution of
minutes, reports, newsletters, flow charts, education sessions/staff training, etc.