Financial Engineering & Risk Management

Unit 1

An Overview of Risk Management

What is risk?

Risk is virtually anything that threatens or limits the ability of a community or

nonprofit organization to achieve its mission.

It can be unexpected and unpredictable events such as destruction of a building, the

wiping of all your computer files, loss of funds through theft or an injury to a member

or visitor who trips on a slippery floor and decides to sue. Any of these or a million

other things can happen, and if they do they have the potential to damage your

organisation, cost you money, or in a worst case scenario, cause your organisation to

close.

What is risk management?

Risk management is a process of thinking systematically about all possible risks,

problems or disasters before they happen and setting up procedures that will avoid the

risk, or minimise its impact, or cope with its impact. It is basically setting up a process

where you can identify the risk and set up a strategy to control or deal with it.

It is also about making a realistic evaluation of the true level of risk. The chance of a

tidal wave taking out your annual beach picnic is fairly slim. The chance of your

group's bus being involved in a road accident is a bit more pressing.

Risk management begins with three basic questions:

Apex Institute of Management and Research, Indore Page 2

1. What can go wrong?

2. What will we do to prevent it?

3. What will we do if it happens?

Why should we bother with risk management?

There are a number of reasons why a community or non-profit group should put some

time into considering risk management and it does go beyond the recent issue of

rising insurance premiums.

• For your own safety You want an atmosphere where everyone in your group

feels safe and secure and knows their safety and security is one of the

paramount considerations in every activity your group undertakes. A group that

does this is normally a group that boasts a happy, loyal and effective

membership or volunteer force.

• For the safety of the people you are trying to help The mission of most

community groups is to help people, not harm them. If you are providing

services for outside clients/groups the aim is to enhance their lives not do

something that causes them pain, either physical or mental.

• The threat of possible litigation In the current circumstances this is a very real

threat. Litigation is increasing according to the Insurance Council of Australia as

are the size of the payouts for people who successfully sue. Not every group has

faced legal action and not everyone who gets hurt then sues over it but by

setting up a risk management strategy you can reduce the chance of people

taking costly legal action against that will financially hurt your organisation.

Apex Institute of Management and Research, Indore Page 3

 RISK MANAGEMENT PROCESS

The risk management process include:

1. Establishing goals and context (i.e. the risk environment),

2. Identifying risks,

3. Analysing the identified risks,

4. Assessing or evaluating the risks,

5. Treating or managing the risks,

6. Monitoring and reviewing the risks and the risk environment regularly, and

7. Continuously communicating, consulting with stakeholders and reporting.

1.Establish goals and context

The purpose of this stage of planning enables to understand the environment in which

the respective organization operates, that means to thoroughly understand the

external environment and the internal culture of the organization. The analysis is

undertaken through:

− establishing the strategic, organizational and risk management context of the

organization, and

− identifying the constraints and opportunities of the operating environment.

Apex Institute of Management and Research, Indore Page 4

The establishment of the context and culture is undertaken through a number of

environmental analyses that include, e.g., a review of the regulatory requirements,

codes and standards, industry guidelines as well as the relevant corporate documents

and the previous year’s risk management and business plans.

Part of this step is also to develop risk criteria. The criteria should reflect the context

defined, often depending on an internal policies, goals and objectives of the

organization and the interests of stakeholders. Criteria may be affected by the

perceptions of stakeholders and by legal or regulatory requirements. It is important

that appropriate criteria be determined at the outset. Although the broad criteria for

making decisions are initially developed as part of establishing the risk management

context, they may be further developed and refined subsequently as particular risks

are identified and risk analysis techniques are chosen. The risk criteria must

Apex Institute of Management and Research, Indore Page 5

correspond to the type of risks and the way in which risk levels are expressed.

Methods to assess the environmental analysis are SWOT (Strength, Weaknesses,

Opportunities and Threats) and PEST (Political, Economic, Societal and Technological)

frameworks, typically shown as tables.

2. Identify the risks

Using the information gained from the context, particularly as categorised by the SWOT

and PEST frameworks, the next step is to identify the risks that are likely to affect the

achievement of the goals of the organization, activity or initiative. It should be

underlined that a risk can be an opportunity or strength that has not been realised.

Key questions that may assist your identification of risks include:

− For us to achieve our goals, when, where, why, and how are risks likely to occur?

− What are the risks associated with achieving each of our priorities?

− What are the risks of not achieving these priorities?

− Who might be involved (for example, suppliers, contractors, stakeholders)?

The appropriate risk identification method will depend on the application area (i.e.

nature of activities and the hazard groups), the nature of the project, the project

phase, resources available, regulatory requirements and client requirements as to

objectives, desired outcome and the required level of detail.

The use of the following tools and techniques may further assist the identification of

risks:

− Examples of possible risk sources,

Apex Institute of Management and Research, Indore Page 6

− Checklist of possible business risks and fraud risks,

− Typical risks in stages of the procurement process,

− Scenario planning as a risk assessment tool ,

− Process mapping, and

− Documentation, relevant audit reports, program evaluations and / or research

reports.

Specific lists, e.g. from standards, and organizational experience support the

identification of internal risks. To collect experience available in the organization

regarding internal risks, people with appropriate knowledge from the different parts of

the organization should be involved in identifying risks. Creativity tools support this

group process.

The identification of the sources of the risk is the most critical stage in the risk

assessment process. The sources are needed to be managed for pro-active risk

management. The better the understanding of the sources, the better the outcomes of

the risk assessment process and the more meaningful and effective will be the

management of risks.

Key questions to ask at this stage of the risk assessment process to identify the impact

of the risk are:

− Why is this event a risk?

− What happens if the risk eventuates?

− How can it impact on achieving the objectives/outcomes?

Apex Institute of Management and Research, Indore Page 7

Risk identification of a particular system, facility or activity may yield a very large

number of potential accidental events and it may not always be feasible to subject each

one to detailed quantitative analysis. In practice, risk identification is a screening

process where events with low or trivial risk are dropped from further consideration.

However, the justification for the events not studied in detail should be given.

Quantification is then concentrated on the events which will give rise to higher levels of

risk. Fundamental methods such as Hazard and Operability (HAZOP) studies, fault

trees, event tree logic diagrams and Failure Mode and Effect Analysis (FMEA) are tools

which can be used to identify the risks and assess the criticality of possible outcomes.

3. Analyse the risk

Risk analysis involves the consideration of the source of risk, the consequence and

likelihood to estimate the inherent or unprotected risk without controls in place. It also

involves identification of the controls, an estimation of their effectiveness and the

resultant level of risk with controls in place (the protected, residual or controlled risk).

Qualitative, semi-quantitative and quantitative techniques are all acceptable analysis

techniques depending on the risk, the purpose of the analysis and the information and

data available.

Often qualitative or semi-quantitative techniques can be used for screening risks

whereas higher risks are being subjected to more expensive quantitative techniques as

required. Risks can be estimated qualitatively and semi-quantitatively using tools such

as hazard matrices, risk graphs, risk matrices or monographs but noting that the risk

matrix is the most common.

Apex Institute of Management and Research, Indore Page 8

Applying the risk matrix, it is required to define for each risk its profile using

likelihood and consequences criteria. Typical definitions of the likelihood and

consequence are contained in the risk matrix.

Using the consequence criteria provided in the risk matrix, one has to determine the

consequences of the event occurring (with current controls in place). To determine the

likelihood of the risk occurring, one can apply the likelihood criteria (again contained

in the risk matrix). As before, the assessment is undertaken with reference to the

effectiveness of the current control activities.

4. Evaluate the risk

Once the risks have been analysed they can be compared against the previously

documented and approved tolerable risk criteria. When using risk matrices this

tolerable risk is generally documented with the risk matrix. Should the protected risk

be greater than the tolerable risk then the specific risk needs additional control

measures or improvements in the effectiveness of the existing controls.

The decision of whether a risk is acceptable or not acceptable is taken by the relevant

manager. A risk may be considered acceptable if for example:

− The risk is sufficiently low that treatment is not considered cost effective, or

− A treatment is not available, e.g. a project terminated by a change of government, or

− A sufficient opportunity exists that outweighs the perceived level of threat.

If the manager determines the level of risk to be acceptable, the risk may be accepted

with no further treatment beyond the current controls. Acceptable risks should be

Apex Institute of Management and Research, Indore Page 9

monitored and periodically reviewed to ensure they remain acceptable. The level of

acceptability can be organizational criteria or safety goals set by the authorities.

5. Treat the risk

An unacceptable risk requires treatment. The objective of this stage of the risk

assessment process is to develop cost effective options for treating the risks.

Treatment options which are not necessarily mutually exclusive or appropriate in all

circumstances, are driven by outcomes that include:

− Avoiding the risk,

− Reducing (mitigating) the risk,

− Transferring (sharing) the risk, and

− Retaining (accepting) the risk.

• Avoiding the risk - not undertaking the activity that is likely to trigger the risk.

• Reducing the risk - controlling the likelihood of the risk occurring, or

controlling the impact of the consequences if the risk occurs.

Factors to consider for this risk treatment strategy include:

− Can the likelihood of the risk occurring be reduced? (through preventative

maintenance, or quality assurance and management, change in business systems and

processes), or

− Can the consequences of the event be reduced? (through contingency planning,

minimizing exposure to sources of risk or separation/relocation of an activity and

resources).

Apex Institute of Management and Research, Indore Page 10

Examples for the mitigation activity effectiveness are described in (Wirthin 2006).

Transferring the risk totally or in part - This strategy may be achievable through

moving the responsibility to another party or sharing the risk through a contract,

insurance, or partnership/joint venture. However, one should be aware that a new risk

arises in that the party to whom the risk is transferred may not adequately manage the

risk!

Retaining the risk and managing it - Resource requirements feature heavily in this

strategy.

The next step is to determine the target level of risk resulting from the successful

implementation of the preferred treatments and current control activities.

The intention of a risk treatment is to reduce the expected level of an unacceptable

risk. Using the risk matrix one can determine the consequence and likelihood of the

risk and identify the expected target risk level.

6. Monitoring the risk

It is important to understand that the concept of risk is dynamic and needs periodic

and formal review.

The currency of identified risks needs to be regularly monitored. New risks and their

impact on the organization may to be taken into account.

This step requires the description of how the outcomes of the treatment will be

measured.

Milestones or benchmarks for success and warning signs for failure need to be

identified.

Apex Institute of Management and Research, Indore Page 11

The review period is determined by the operating environment (including legislation),

but as a general rule a comprehensive review every five years is an accepted industry

norm. This is on the basis that all plant changes are subject to an appropriate change

process including risk assessment.

The review needs to validate that the risk management process and the documentation

is still valid. The review also needs to consider the current regulatory environment and

industry practices which may have changed significantly in the intervening period.

The organisation, competencies and effectiveness of the safety management system

should also be covered. The plant management systems should have captured these

changes and the review should be seen as a ‘back stop’.

The assumptions made in the previous risk assessment (hazards, likelihood and

consequence), the effectiveness of controls and the associated management system as

well as people need to be monitored on an on-going basis to ensure risk are in fact

controlled to the underlying criteria. For an efficient risk control the analysis of risk

interactions is necessary.

7. Communication and reporting

Clear communication is essential for the risk management process, i.e. clear

communication of the objectives, the risk management process and its elements, as

well as the findings and required actions as a result of the output.

Risk management is an integral element of organization´s management. However, for

its successful adoption it is important that in its initial stages, the reporting on risk

management is visible through the framework. The requirements on the reporting have

Apex Institute of Management and Research, Indore Page 12

to be fixed in a qualified and documented procedure, e. g., in a management

handbook.

Documentation is essential to demonstrate that the process has been systematic, the

methods and scope identified, the process conducted correctly and that it is fully

auditable. Documentation provides a rational basis for management consideration,

approval and implementation including an appropriate management system.

A documented output from the above sections (risk identification, analysis, evaluation

and controls) is a risk register for the site, plant, equipment or activity under

consideration. This document is essential for the on-going safe management of the

plant and as a basis for communication throughout the client organisation and for the

on-going monitor and review processes. It can also be used with other supporting

documents to demonstrate regulatory compliance.

Derivative

A derivative is a financial instrument which derives its value from the value of

underlying entities such as an asset, index, or interest rate—it has no intrinsic value in

itself. Derivative transactions include a variety of financial contracts,

including structured debt obligations and deposits, swaps, futures, options, caps,

floors, collars, forwards, and various combinations of these.

Example

The value of the derivative is set out in a derivative contract, which can either be

traded on an exchange, in what is called exchange-traded contracts, or traded off-

exchange, in the over-the-counter market.

Apex Institute of Management and Research, Indore Page 13

Those traded on exchanges, such as interest rate futures, allow traders to speculate on

the future direction of interest rates, and those privately negotiated between two

parties are known as over-the-counter (OTC) derivatives.

Forward Contract

In finance, a forward contract or simply a forward is a non-standardized contract

between two parties to buy or sell an asset at a specified future time at a price agreed

upon today. This is in contrast to a spot contract, which is an agreement to buy or sell

an asset today. The party agreeing to buy the underlying asset in the future assumes

a long position, and the party agreeing to sell the asset in the future assumes a short

position. The price agreed upon is called the delivery price, which is equal to the

forward price at the time the contract is entered into.

The price of the underlying instrument, in whatever form, is paid before control of the

instrument changes. This is one of the many forms of buy/sell orders where the time

and date of trade is not the same as the value date where the securities themselves are

exchanged.

The forward price of such a contract is commonly contrasted with the spot price, which

is the price at which the asset changes hands on the spot date. The difference between

the spot and the forward price is the forward premium or forward discount, generally

considered in the form of a profit, or loss, by the purchasing party.

Forwards, like other derivative securities, can be used to hedge risk (typically currency

or exchange rate risk), as a means of speculation, or to allow a party to take advantage

of a quality of the underlying instrument which is time-sensitive.

Apex Institute of Management and Research, Indore Page 14

A closely related contract is a futures contract; they differ in certain respects. Forward

contracts are very similar to futures contracts, except they are not exchange-traded, or

defined on standardized assets.Forwards also typically have no interim partial

settlements or "true-ups" in margin requirements like futures – such that the parties

do not exchange additional property securing the party at gain and the entire

unrealized gain or loss builds up while the contract is open. However, being

traded over the counter (OTC), forward contracts specification can be customized and

may include mark-to-market and daily margining. Hence, a forward contract

arrangement might call for the loss party to pledge collateral or additional collateral to

better secure the party at gain.

Hedging

A hedge is an investment position intended to offset potential losses/gains that may

be incurred by a companion investment. In simple language, a hedge is used to reduce

any substantial losses/gains suffered by an individual or an organization.

A hedge can be constructed from many types of financial instruments,

including stocks,exchange-traded funds, insurance, forward contracts, swaps, options,

many types of over-the-counter and derivative products, and futures contracts.

Public futures markets were established in the 19th century to allow transparent,

standardized, and efficient hedging of agricultural commodity prices; they have since

expanded to include futures contracts for hedging the values of energy, precious

metals, foreign currency, and interest rate fluctuations.

Apex Institute of Management and Research, Indore Page 15