Uploaded by Harshvardhan

Fundamentals of Risk Management Notes

Chapter 1: Types of Risk
Pure Risk:
• Pure risk is a category of risk that cannot be controlled and has two outcomes: complete loss or no loss at all. There are no opportunities for gain or profit when pure risk is involved.
• Pure risk is generally prevalent in situations such as natural disasters, fires, or death. These situations cannot be predicted and are beyond anyone's control. Pure risk is also referred to as absolute risk.
Speculative Risk:
• Speculative risk is a category of risk that results in an uncertain degree of gain or loss.
• Speculative risks are taken as conscious choices and are not just a result of uncontrollable circumstances.
• Since there is the chance of a large gain despite the high level of risk, speculative risk is not a pure risk, which entails the possibility of only a loss and no potential for gain.
• Almost all investment activities involve some degree of speculative risk, as an investor has no idea whether an investment will be a blazing success or an utter failure. Some assets—such as an options contract—carry a combination of risks, including speculative risk, that can be hedged or limited.
Systematic Risk:
• Systematic risk does not have a specific definition but is an inherent risk existing in the stock market.
• These risks are applicable to all sectors but can be controlled.
• If there is an announcement or event which impacts the entire stock market, a consistent reaction will follow; this is a systematic risk.
• E.g., if government bonds are offering a yield of 5% in comparison to the stock market, which offers a minimum return of 10%.
Unsystematic Risk:
• Unsystematic risk is an industry- or firm-specific threat in each kind of investment.
• It is also known as “Specific Risk,” “Diversifiable Risk,” or “Residual Risk.”
• These are risks which exist but are unplanned and can occur at any point, causing widespread disruption.
• E.g., if the staff of the airline industry go on an indefinite strike, this will pose a risk to the shares of the airline industry and cause a fall in the prices of the stocks in this industry.
(a) Business Risk:
• These are the risks that the bank willingly assumes to create a competitive advantage and add value for shareholders. Business or operating risk pertains to the product market in which the bank operates, and includes technological innovations, marketing and product design. Products designed by the bank may be made superfluous by technological advancement.
• An example would be door-to-door deposit marketing, which could prove very costly in comparison with internet-driven banking. A bank with a pulse on the market and driven by technology as well as a high degree of customer focus could be relatively protected against this risk.
(b) Strategic Risk:
• This results from a fundamental shift in the economy or political environment. An example of this would be the nationalization of Indian banks.
Types of Financial Risk:
• Credit risk
• Market risk - Liquidity risk, Interest rate risk, Foreign exchange risk, Price risk, Settlement risk
• Operational risk
• Credit risk vs. Market risk vs. Operational risk
• Inter-relationship of risks
Types of Non-financial Risk:
• Business risk
• Strategic risk
Other types of risk:
• Compliance risk
• Fraud risk
• Interconnection risk
• Reputation risk
• Transaction risk
Chapter 2: The Purpose and Process of Risk Management
Benefits of Risk Management
• It's easier to spot projects in trouble.
• There are fewer surprises.
• Better quality data for decision making.
• Communication among stakeholders is elevated.
• Budgets rely less on guesswork.
• The expectation of success is set.
• The team remains focused.
How does risk management help reach organizational objectives?
• Ensure the management of risk is consistent with and supports the achievement of the strategic and corporate objectives.
• Provide a high-quality service to customers.
• Initiate action to prevent or reduce the adverse effects of risk.
Risk Management Process:
Objectives of Risk Management:
• Ensure the management of risk is consistent with and supports the achievement of the strategic and corporate objectives.
• Provide a high-quality service to customers.
• Initiate action to prevent or reduce the adverse effects of risk.
• Minimize the human costs of risks, where reasonably practicable.
• Meet statutory and legal obligations.
• Minimize the financial and other negative consequences of losses and claims.
• Minimize the risks associated with new developments and activities.
• Be able to inform decisions and make choices on possible outcomes.
The 5-Step Risk Management Process
1. Identify potential risks.
2. Measure frequency and severity.
3. Examine alternative solutions.
4. Decide which solution to use and implement it.
5. Monitor results.
Chapter 3: Governance, Risk and Compliance
Corporate Governance:
Corporate governance is the system of rules, practices and processes by which a firm is directed and
controlled.
A company's board of directors is the primary force influencing corporate governance.
It essentially involves balancing the interests of a company's stakeholders, such as shareholders,
senior management executives, customers, suppliers, financiers, the government, and the
community. It provides the framework for attaining a company's objectives; it encompasses
practically every sphere of management, from action plans and internal controls to performance
measurement and corporate disclosure, culture, and value systems.
Key Stakeholders:
• Shareholders: who provide capital.
• Employees: who work for the company.
• Customers: who buy products.
• Regulators/Government: who oversee the functions of the company.
• Suppliers/Vendors: who are the support teams.
• Society at large: who allow business to happen.
Governance, Risk and Compliance (GRC):
• GRC refers to a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. It is a structured approach to aligning it with business objectives, while effectively managing risk and meeting compliance requirements.
• GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.
• The acronym GRC was invented by the OCEG (originally called the "Open Compliance and Ethics Group") membership as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.
Structure of GRC
• Board of Directors – led by the Chairman, who can be a whole-time/non-executive member of the board.
• Board of Directors – whole-time directors, part of top management.
• Board of Directors – Independent Directors (IDs) as defined under the Companies Act 2013.
• Board of Directors – Nominee Directors – from the Government or regulators, shareholder representatives.
Sub-committees of the Board
• Audit Committee
• Risk Management
• Customer Service
• Technology Management
• Human Resources Management
• Nomination Committee
• Remuneration Committee
Internal Control Framework by COSO:
• The Committee of Sponsoring Organizations (COSO) has developed an internal control framework to help businesses establish, assess and enhance their internal control.
• The importance of internal control in the operations and financial reporting of an entity cannot be over-emphasized, as the existence or absence of the process determines the quality of the output produced in the financial statements.
• The statements are then accurate and can be relied upon for informed decision making.
SOX Act 2002
• The Sarbanes-Oxley (SOX) Act of 2002 is a law the U.S. Congress passed on July 30 of that year to help protect investors from fraudulent financial reporting by corporations.
• Also known as the SOX Act of 2002 and the Corporate Responsibility Act of 2002, it mandated strict reforms to existing securities regulations and imposed tough new penalties on lawbreakers.
• The Sarbanes-Oxley Act of 2002 came in response to financial scandals in the early 2000s involving publicly traded companies such as Enron Corporation, Tyco International plc, and WorldCom.
• The high-profile frauds shook investor confidence in the trustworthiness of corporate financial statements and led many to demand an overhaul of decades-old regulatory standards.
Clause 49 of the Listing Agreement
• In April 2008, the Securities and Exchange Board of India (SEBI) amended Clause 49 of the Listing Agreement to extend the 50% independent directors rule to all Boards of Directors where the Non-Executive Chairman is a promoter of the company or related to the promoters of the company.
Companies Act 2013 – laid more emphasis:
• The Companies Act, 2013 (“Act”) took a major step in raising the bar on corporate governance in India with the introduction of Internal Financial Controls (“IFC”).
• The Act has imposed specific responsibilities on the Board, Audit Committee, Management as well as Auditors.
• It requires the Board to state that they have laid down internal financial controls to be followed by the company and that such controls are adequate and were operating effectively.
Internal controls
Under the Management Audit and System Inspection (MA & SI), the inspection teams
examine, evaluate and report on the adequacy and reliability of the existing systems and
follow-up to ensure that laws, regulations, internal policies and procedures are meticulously
followed and the work is carried out as per defined
Role of Chief Risk Officer
• A CRO leads efforts to reduce business risks that can put an organization's profitability and productivity at risk.
• The CRO spearheads efforts related to enterprise risk management.
• A Chief Risk Officer is responsible for implementing policies and procedures to minimize or manage operational risks.
• A chief risk officer (CRO) is an executive in charge of managing risks to the company.
• It is a senior position that requires years of experience in accounting, economics, legal, or actuarial backgrounds.
• The role of the chief risk officer is constantly evolving, as technologies and business practices change.
Role of Risk Manager
• Risk management is a comprehensive, multi-task function.
• Risk managers possessing technical competence should be capable of analyzing the implications of developments in the macro and business environment.
• The number of risk managers will depend upon the size of the organization.
• Risk managers hold a senior role and should be in the line of succession planning to eventually assume the role of CRO.
Role of Risk Officer
• Risk officers form the cadre at the bottom of the pyramid in the organizational set-up of risk management of an entity.
• They should be well equipped to collect operational data – keeping track of what is envisaged and how the results are ticking.
• They should be able to analyze data and dissect information flowing from operations.
• The team of risk officers should be able to assist the CRO in fulfilling his regulatory responsibilities.
Risk Management Committee of the Board
• It is mandatory for a board to form a Risk Management Committee of the board.
• Members are drawn from the Independent Directors depending upon their area of expertise, to guide the entity in managing organizational risks.
• The CRO and top management should assist the committee with the right operational information so that it is possible for the committee to keep track of risks.
• It is the apex policy-making body; it maintains the relationship with the regulators and keeps the board informed about impending risks and how they are managed.
Relationship between Audit and Risk Management
• Both internal and external audits are systemic controls in the organization that work as the eyes and ears of the risk management department and the CRO.
• There is a fiduciary and umbilical connection between the two.
• One depends on the other in the fulfillment of integrity and accuracy in projecting the right balance sheet to the stakeholders.
Setting Standards of Risk Appetite and Risk Tolerance Levels
• Every organization has limitations to growth.
• It has a capacity that can be assessed in terms of a SWOT analysis.
• Too much growth ambition could be self-defeating.
• The risk management committee of the board sets the tone and tenor of risk appetite.
• But business cannot be done strictly on the dotted line. Hence, many times, they need to deviate from the risk appetite.
• Hence tolerance levels are also set to facilitate risk taking.
Chapter 4: Tools and Techniques of RM
What sort of information is needed - Internal information
Internal Data
• Business disruptions
• Disruptions and supply chain failures
• Third party liabilities – contracts/receivables
• Staff competencies – flight of talent
• Physical damage to the assets
• Volume of business inflows – deviations – reasons
• Inventory holdings – excess of just-in-time data
• Shop floor time management
Sources of internal information
• Operational data as business keeps happening – databases
• Technology alignment to capture data
• Documents aligned to collect data – audit reports
• People
• Meetings/discussions/informal/grapevine
• Committees
• Employees
• Observations
Classification of data – external
• Macroeconomic and business environment trends relevant to the entity.
• Regulatory and legislative changes – amendments, interpretation.
• Damage to reputation (if any), brand value and goodwill change.
• Changes in market environment.
• Identification of peer market players.
• Market share – entry of new players – competitive products.
• Mergers and acquisitions in the industry.
• Disaster recovery plan.
Sources of external information
• Mass media – print/electronic – the organization has to be sensitive.
• Peer entities – press communiqués, performance data
• Conferences/seminars/workshops
• Stakeholder feedback – government, regulators
• Company reports – peer organizations
• Business and professional institutes
• Insurers and their feedback
• Consultant reports
• Databases
• Economic market intelligence data
Methods of Risk Identification
• Organizational structure/organizational charts
• Flow charts/cash flow statements
• Checklists and questionnaires
• Physical inspection
• Brainstorming and workshops
• Studies and organizational research
• Through study of loss data
• Fault trees – they are similar to flow charts but are aimed at different objectives – capturing a chain of events.
• Hazards and operability studies
Chapter 5: Risk Models
What is the concept of a model?
• A model is a system, quantitative method, or approach that relies on assumptions and economic, statistical, mathematical, or financial theories and techniques. The model processes data inputs into a quantitative-estimate type of output.
• Organizations use financial models combined with business forecasts to test the viability of long-term plans.
What is a Stress Test?
• Stress tests explore the effect of variations in individual parameters, for example how much income can drop before profit is eroded or how much particular asset values can drop before solvency is threatened.
Use of Risk Models
• Some companies, such as banks, employ a model risk officer to establish a financial model risk management program aimed at reducing the likelihood of the bank suffering financial losses due to model risk issues.
• Components of the program include establishing model governance and policies.
• It also involves assigning roles and responsibilities to individuals who will develop, test, implement, and manage the financial models on an ongoing basis.
Monte Carlo Simulation Model
• Monte Carlo simulations are used to model the probability of different outcomes in a process that cannot easily be predicted due to the intervention of random variables.
• It is a technique used to understand the impact of risk and uncertainty in prediction and forecasting models.
• A Monte Carlo simulation can be used to tackle a range of problems in virtually every field such as finance, engineering, supply chain, and science. It is also referred to as a multiple probability simulation.
Altman's Z-Score Model
• The Altman Z-Score forecasts the probability of a company entering bankruptcy within a 12-month period.
• The model combines five financial ratios using reported accounting information and equity values to produce an objective measure of a borrower's financial health.
Value at Risk (VaR) Model
• The VaR method is employed to assess the potential loss that could crystallize on a trading position or portfolio due to variations in market interest rates and prices, using a given confidence level, usually 95% to 99%, within a defined period of time.
• The VaR method should incorporate the market factors to which the market value of the trading position is exposed.
• The top management should put in place bank-wide VaR exposure limits for the trading portfolio (including forex and gold positions, derivative products, etc.) which are then disaggregated across different desks and departments.
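Worked example for the Monte Carlo and VaR sections above. This is an added illustration, not code from these notes: it simulates one-day profit and loss for a constructed two-asset trading book (the positions, volatilities and correlation are assumed), reads off the 95% and 99% VaR from the simulated distribution, cross-checks the simulation against the closed-form variance-covariance VaR for the same normal model, and tests the result against a desk-level VaR limit of the kind the last bullet describes.

```python
"""Monte Carlo simulation of one-day trading-book P&L and Value at Risk (VaR).

Added illustration for the Monte Carlo and VaR sections of these notes; it is
not code from the notes. Assumptions (constructed for the example): a two-asset
trading book whose daily returns are jointly normal with the stated means,
volatilities and correlation. VaR is reported as a positive loss amount.
"""
import math
import random
from statistics import NormalDist
from typing import List, Sequence

# Constructed book: market value held in each asset (currency units).
POSITIONS = (1_000_000.0, 500_000.0)
MU = (0.0, 0.0)          # daily mean return per asset (assumed zero)
SIGMA = (0.01, 0.02)     # daily volatility per asset
RHO = 0.3                # correlation between the two assets' daily returns


def simulate_daily_pnl(positions, mu, sigma, rho, n_scenarios, seed=42):
    """Draw n_scenarios of one-day P&L for a two-position book.

    Correlated normal shocks are built from two independent standard normals
    with a 2x2 Cholesky factor: z2 = rho*z1 + sqrt(1 - rho^2)*e.
    A fixed seed makes the run reproducible, which matters for model validation.
    """
    rng = random.Random(seed)
    k = math.sqrt(1.0 - rho * rho)
    pnl: List[float] = []
    for _ in range(n_scenarios):
        z1 = rng.gauss(0.0, 1.0)
        z2 = rho * z1 + k * rng.gauss(0.0, 1.0)
        r1 = mu[0] + sigma[0] * z1
        r2 = mu[1] + sigma[1] * z2
        pnl.append(positions[0] * r1 + positions[1] * r2)
    return pnl


def value_at_risk(pnl: Sequence[float], confidence: float) -> float:
    """Empirical VaR: the loss exceeded in only (1 - confidence) of the scenarios."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    losses = sorted(-p for p in pnl)                # losses as positive numbers, ascending
    idx = math.ceil(confidence * len(losses)) - 1   # index of the confidence quantile
    return float(max(losses[idx], 0.0))


def expected_shortfall(pnl: Sequence[float], confidence: float) -> float:
    """Average loss in the tail at or beyond VaR; VaR alone says nothing about tail severity."""
    var = value_at_risk(pnl, confidence)
    tail = [-p for p in pnl if -p >= var]
    return sum(tail) / len(tail)


def parametric_var(positions, mu, sigma, rho, confidence) -> float:
    """Closed-form (variance-covariance) VaR for the same normal model.

    Used here as a cross-check on the simulation: the two estimates should agree
    within sampling error, one of the validation checks a model risk officer
    would expect to see before a model goes into use.
    """
    p1, p2 = positions
    mean = p1 * mu[0] + p2 * mu[1]
    var_p = (p1 * sigma[0]) ** 2 + (p2 * sigma[1]) ** 2 \
        + 2 * rho * p1 * sigma[0] * p2 * sigma[1]
    z = NormalDist().inv_cdf(confidence)
    return z * math.sqrt(var_p) - mean


def exposure_within_limit(pnl: Sequence[float], confidence: float, limit: float) -> bool:
    """Check a desk's simulated VaR against the VaR limit allocated to it."""
    return value_at_risk(pnl, confidence) <= limit


if __name__ == "__main__":
    scenarios = simulate_daily_pnl(POSITIONS, MU, SIGMA, RHO, n_scenarios=20_000)
    for c in (0.95, 0.99):
        print(f"{int(c * 100)}% VaR: simulated {value_at_risk(scenarios, c):,.0f}  "
              f"parametric {parametric_var(POSITIONS, MU, SIGMA, RHO, c):,.0f}  "
              f"expected shortfall {expected_shortfall(scenarios, c):,.0f}")
    print("within 45,000 limit at 99%:", exposure_within_limit(scenarios, 0.99, 45_000))
```

Two design points worth noting: the seed is fixed so that a second run reproduces the same VaR figures (a model whose output cannot be reproduced cannot be validated or audited), and the parametric figure is kept beside the simulated one so that a drift between the two flags either a sampling problem or a change in the book that the simple normal model no longer captures.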
Chapter 6: Risk financing, retention and transfer
Risk incidents
• Risk is the likelihood that an incident could cause damage or loss multiplied by the size of that potential damage or loss.
• An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions.
• Incident management (ICM) is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.
• Risk management, then, is the process of determining what level of risk is acceptable, and what actions should be taken to mitigate the risks that the organization considers unacceptable.
Cost of risk incidents
• Monetary – loss in terms of money – say cost overruns – cash outgoings – compensating for cash outflows could be risky.
• Time schedule – delay – time overruns, penalties and regulatory adversities.
• Administrative – lack of control on infrastructure and organizational resources, or slackness in the administration, can cost the organization dearly.
• Opportunity – loss events may detract from an organization's ability to achieve its business and financial plans.
Risk Control Strategy: The 4 T's Process
Risk control is the process by which an organization reduces the likelihood of a risk event occurring or mitigates the effects of that risk should it occur. Our preferred way to determine your risk control strategy is to use the four T's process:
1. Transferring risk can be achieved through the use of various forms of insurance, or by payment to third parties who are prepared to take the risk on behalf of the organization.
2. Tolerating risk is where no action is taken to mitigate or reduce a risk. This may be because the cost of instituting risk reduction or mitigation activity is not cost-effective, or because the risks of impact are so low that they are deemed acceptable to the business. Even when these risks are tolerated they should be monitored, because future changes may make them no longer tolerable.
3. Treating risk is a method of controlling risk through actions that reduce the likelihood of the risk occurring or minimize its impact prior to its occurrence. Also, there are contingent measures that can be developed to reduce the impact of an event once it has occurred.
4. Terminating risk is the simplest and most often ignored method of dealing with risk. It is the approach that should be most favored where possible and simply involves risk elimination. This can be done by altering an inherently risky process or practice to remove the risk. The same can be used when reviewing practices and processes in all areas of the business.
Four Risk Mitigation Strategies
• If an item presents a risk and can be changed or removed without materially affecting the business, then removing the risk should be the first option considered, rather than attempting to treat, tolerate or transfer it.
• After years of professional risk control planning, we've come across it all and have still maintained these tried-and-true risk mitigation strategies. Once you've reviewed each control option for each risk, you should have a complete risk mitigation strategy.
Insurance as a measure of risk control
• Insurance is frequently referred to as a risk transfer mechanism.
• However, in the light of the evidence that insurance covers only a fraction of the total cost of risk, it is clear that business organizations cannot "contract out" of the impact of risk by the purchase of insurance, and the "risk transfer" label that is often attached to insurance therefore seems misleading.
• Even though it provides only partial indemnification, insurance is seen by virtually every business organization to be a sensible - indeed an essential - purchase.
• If, therefore, businesses see the sense in covering some of the total cost of their risks, does it not make sense for them to likewise endeavour to control the other (usually the greater) element - i.e., the uninsured costs?
Business Continuity Management (BCM)
• Organizations have to recognize that some events cannot be either totally avoided or insured, so they need to plan what they are going to do if a major incident occurs.
• That preparedness is Business Continuity Management (BCM).
• The objective is to keep a system operational despite losses occurring and to restore it as quickly as possible to its original state.
• Plans and procedures are put in place to limit the extent of damage a significant event may cause.
• Each major incident has unique circumstances that determine its eventual outcome.
Business Continuity Management is a 6-step process
1. Setting up a BCM management structure
2. Analyzing the organization's survival priorities
3. Determining continuity strategies
4. Developing an emergency response system within the organization
5. Exercising, reviewing and maintaining plans
6. Embedding BCM in the organization's culture of management
Risk financing options – I
• It is important that an organization recognizes all sources of indirect costs and understands clearly the full extent of losses that may be faced during operations.
• With this understanding, the organization can begin to make realistic decisions about:
1. Whether to retain a risk internally.
2. Whether to establish funding for risk incidents, and the size of such a fund as a contingency fund.
3. Insurance and the limits of indemnity to be negotiated within insurance contracts.
4. The best combination of financing arrangements.
Risk Financing Options – II
• Risk financing is the determination of how an organization will pay for loss events in the most effective and least costly way possible.
• Risk financing involves the identification of risks, determining how to finance the risk, and monitoring the effectiveness of the financing technique that is chosen.
• Risk financing is designed to help a business align its desire to take on new risks to grow with its ability to pay for those risks. Businesses must weigh the potential costs of their actions and whether the action will help the business reach its objectives.
• The business will examine its priorities to determine whether it is taking on the appropriate amount of risk to achieve its objectives.
• It will also examine whether it is taking the right types of risks and whether the costs of these risks are being accounted for financially.
Risk Impact Limits - Discounted Cash Flow Approach
• In order to decide how important individual losses are, we need to know how much loss an organization can afford to absorb without significant impact on its own operations.
• It will need a risk impact assessment that measures retained losses and covered losses.
• Often the dilemma is resolved by evaluating alternative proposals to see which promises the best monetary return on investment.
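Worked example of the discounted cash flow comparison just described, added here and not taken from these notes. It prices three constructed risk financing proposals (full insurance, self-insurance above a deductible, and full retention through a risk fund) by the present value of their expected yearly outflows, but first drops any proposal whose worst-case retained loss exceeds the amount the organization can absorb without significant impact. The option names, cash flows, discount rate and retention limit are all assumptions made for the example.

```python
"""Discounted cash flow comparison of risk financing options.

Added illustration for the 'Risk impact limits - discounted cash flow approach'
section; not code from the notes. All option names, cash flows, the discount
rate and the retention limit are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class FinancingOption:
    name: str
    annual_costs: Sequence[float]   # expected yearly outflow: premium + expected retained loss + admin
    worst_case_retained: float      # largest single-year loss the organization would bear itself


def present_value(cash_flows: Sequence[float], rate: float) -> float:
    """PV of year-end cash flows discounted at `rate` (year 1 is discounted once)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


def rank_options(options, rate, retention_limit) -> List[FinancingOption]:
    """Cheapest-first ranking, considering only options the organization can afford.

    An option whose worst-case retained loss exceeds `retention_limit` (the loss the
    organization can absorb without significant impact on its operations) is dropped
    before the cost comparison: a low expected cost is no help if one bad year could
    threaten the balance sheet.
    """
    affordable = [o for o in options if o.worst_case_retained <= retention_limit]
    return sorted(affordable, key=lambda o: present_value(o.annual_costs, rate))


# Constructed five-year comparison (currency units per year).
HORIZON = 5
OPTIONS = (
    # Full insurance with a 50,000 deductible: premium 110,000 + expected deductible losses 20,000
    FinancingOption("Insure", [130_000.0] * HORIZON, worst_case_retained=50_000.0),
    # Self-insurance up to 200,000: premium 60,000 + expected retained losses 60,000
    FinancingOption("Self-insure", [120_000.0] * HORIZON, worst_case_retained=200_000.0),
    # Retain everything in a risk fund: expected losses 100,000 + fund administration 5,000
    FinancingOption("Retain", [105_000.0] * HORIZON, worst_case_retained=600_000.0),
)
DISCOUNT_RATE = 0.08


def best_option(retention_limit: float, rate: float = DISCOUNT_RATE) -> str:
    """Name of the cheapest affordable option at the given retention limit."""
    ranked = rank_options(OPTIONS, rate, retention_limit)
    if not ranked:
        raise ValueError("no financing option is affordable at this retention limit")
    return ranked[0].name


if __name__ == "__main__":
    for limit in (100_000.0, 250_000.0, 1_000_000.0):
        print(f"retention limit {limit:>12,.0f}:", end=" ")
        for o in rank_options(OPTIONS, DISCOUNT_RATE, limit):
            print(f"{o.name}={present_value(o.annual_costs, DISCOUNT_RATE):,.0f}", end="  ")
        print()
```

Running it shows the point the section makes: full retention has the lowest present value of cost, yet it is only the right answer once the organization can absorb a 600,000 loss in a single year; at a lower retention limit the ranking moves to self-insurance and then to full insurance.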
Insurance as a risk transfer mechanism
• Risk transfer refers to a risk management technique in which risk is transferred to a third party.
• In other words, risk transfer involves one party assuming the liabilities of another party.
• Purchasing insurance is a common example of transferring risk from an individual or entity to an insurance company.
• But the evaluation of the trade-off between risks and costs in insuring has to be taken into consideration.
Risk Transfer – How it works
• Risk transfer is a common risk management technique where the potential loss from an adverse outcome faced by an individual or entity is shifted to a third party.
• To compensate the third party for bearing the risk, the individual or entity will generally provide the third party with periodic payments.
• The most common example of risk transfer is insurance. When an individual or entity purchases insurance, they are insuring against financial risks.
• For example, an individual who purchases car insurance is acquiring financial protection against physical damage or bodily harm that can result from traffic incidents.
Challenges in transferring risk - Costs of insurance vs. risk dynamics
• Some insurers specialize in providing one or two types of insurance while others may cover a wider market.
• Cost-effective insurance is not always readily obtainable and there could be a lot of fine print/conditions incidental to the contract.
• Insurers are becoming progressively more global, thus enabling them to better meet clients' needs.
• The challenge is to keep the premiums within the pre-arranged costs while the risks are dynamic in the work environment.
Privity of disclosures between Insured and Insurer
• The disclosures must be made in a manner that would be reasonably clear and accessible to an insurer.
• Duty to disclose the riskiness of activities.
• Transparency and fair sharing of information.
• Honesty in protecting the insurer.
• Development of mutual trust and confidence.
Other risk financing options – Risk retention
• In large organizations losses could be absorbed at group level or alternatively by individual subsidiaries.
• Self-funding and risk retention can also be planned if the company has clarity on:
  • Identifiability of potential risks
  • Is the business a familiar activity?
  • Is it hazardous?
  • Will it hit hard enough to erode the net worth?
Merits of Risk Retention – Propagates a culture of risk management
• Risk fund – the corpus is retained within the organization for use until needed.
• Reduces administrative costs of managing insurance outsourcing and its related paperwork.
• Line managers are encouraged to own and manage risks efficiently and will be more conscious about managing them.
Self-Insurance Programs - A Risk Retention Strategy
• Insurance arrangements that cover only part of a risk are known as self-insurance and are structured to balance the risks and costs as a retention strategy.
• It may benefit an organization to arrange a funding mechanism in-house by setting up a risk fund.
• This will sensitize the management to be well balanced in measuring and managing risks on a day-to-day basis.
• It can partly provide relief to organizations.
Alternative Risk Transfer – I
• It is adopting a non-traditional risk transfer other than by way of an insurance contract.
• It is a form of transferring risks to professional risk carriers that is more flexible and cost-effective than insurance.
• Financial risk transfer is about spreading financial risk across a large number of entities with multiple options instead of just buying an insurance product.
Alternative Risk Transfer – II
• Insurance derivatives are a development replacing fixed insurance contracts. They are a contract to pay an amount of money once a certain level of loss incident is reached. Often that level of loss is not one just within the organization but a level dictated by an external agency.
• For example, an earthquake in excess of, say, 7.1 on the Richter scale occurring within predefined latitude and longitude and within a defined period might trigger a payment on this type of contract.
Alternative Risk Transfer – III
• Catastrophe (CAT) bonds – they are investment bonds that provide a return based on insurance-type events rather than financial market developments.
• A trigger mechanism will be determined for the CAT bond. Larger CAT bond losses are rarely indemnity-based because of the complexity in settling claims.
Unit 7: Grading of Risks
Heat maps to measure the risks – a powerful visualization tool
• A risk heat map is a tool used to present the results of a risk assessment process visually and in a meaningful and concise way.
• Whether conducted as part of a broad-based enterprise risk management process or a more narrowly focused internal control process, risk assessment is a critical step in risk management.
Grading of risk
• Negligible – can be managed with regular risk management tools.
• Marginal – needs some attention from the line managers to manage it.
• Critical – requires the attention of the top management – Defense-3 level intervention to prevent the damage or manage it if it manifests.
• Catastrophic – the entire organization has to galvanize its forces, as in the ongoing pandemic. Even government and UN agencies may also plunge into action in managing it.
How measurement is done
• The number of such past risk events is mapped to visualize the probability of occurrence.
• Preparedness teams are formed to come into action if it manifests.
• Business continuity plans (BCPs) are drawn up to ensure smooth functioning of the unit despite the risks.
• Or plans are worked out to restore normalcy with minimum loss of time.
Risk events to be plotted:
Risk Ranking
• When risk information is to be discussed with or presented to top management, the grading of risks and its presentation becomes critical to ensure the proper level of intervention.
• A risk factor indicating the probability of its occurrence has to be ascertained.
• A risk factor is determined by multiplying probability by potential loss to find the quantified measure.
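Worked example tying together the heat map, the four grades and the risk ranking described in this unit. It is an added illustration, not code from these notes: the scoring rule (probability multiplied by potential loss) is the one the notes give; the register entries, the net worth used to scale impact, the 5x5 band cut-offs and the grade thresholds are constructed for the example.

```python
"""Risk register scoring, grading and heat map.

Added illustration for the heat map, grading and risk ranking sections; not
code from the notes. The register entries, the net worth used to scale impact,
the 5x5 band boundaries and the grade thresholds are constructed for the
example; the scoring rule itself (probability x potential loss) is the one the
notes give.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float     # probability of occurrence over the assessment period (0..1)
    potential_loss: float  # loss if the event occurs, in currency units


def risk_factor(risk: Risk) -> float:
    """Quantified measure from the notes: probability multiplied by potential loss."""
    return risk.probability * risk.potential_loss


# Constructed grade thresholds: expected loss as a fraction of net worth.
GRADE_THRESHOLDS = ((0.005, "Negligible"), (0.02, "Marginal"), (0.10, "Critical"))


def grade(risk: Risk, net_worth: float) -> str:
    """Negligible / Marginal / Critical / Catastrophic, as in the notes' grading."""
    ratio = risk_factor(risk) / net_worth
    for upper, label in GRADE_THRESHOLDS:
        if ratio < upper:
            return label
    return "Catastrophic"


def likelihood_band(p: float) -> int:
    """Map a probability onto the 1..5 likelihood axis of the heat map (constructed cut-offs)."""
    for band, upper in enumerate((0.05, 0.20, 0.50, 0.80), start=1):
        if p < upper:
            return band
    return 5


def impact_band(loss: float, net_worth: float) -> int:
    """Map a loss, relative to net worth, onto the 1..5 impact axis (constructed cut-offs)."""
    ratio = loss / net_worth
    for band, upper in enumerate((0.01, 0.05, 0.20, 0.50), start=1):
        if ratio < upper:
            return band
    return 5


def rank(risks: Sequence[Risk]) -> List[Risk]:
    """Highest risk factor first: the order in which top management should see them."""
    return sorted(risks, key=risk_factor, reverse=True)


def heat_map(risks: Sequence[Risk], net_worth: float) -> Dict[Tuple[int, int], List[str]]:
    """Place each risk in its (likelihood, impact) cell of the 5x5 map."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for r in risks:
        key = (likelihood_band(r.probability), impact_band(r.potential_loss, net_worth))
        cells.setdefault(key, []).append(r.name)
    return cells


def render_heat_map(cells: Dict[Tuple[int, int], List[str]]) -> str:
    """Text rendering: impact 5 (top) to 1 (bottom), likelihood 1 (left) to 5 (right)."""
    lines = []
    for impact in range(5, 0, -1):
        row = [f"{len(cells.get((lk, impact), [])):^3}" for lk in range(1, 6)]
        lines.append(f"impact {impact} |" + "|".join(row) + "|")
    lines.append("         likelihood 1 .. 5  (cell = number of risks)")
    return "\n".join(lines)


# Constructed register for an entity with a net worth of 10,000,000.
NET_WORTH = 10_000_000.0
REGISTER = (
    Risk("Data centre fire", 0.02, 5_000_000.0),
    Risk("Phishing leading to fraud", 0.60, 300_000.0),
    Risk("Key supplier failure", 0.30, 2_000_000.0),
    Risk("Minor equipment breakdown", 0.90, 20_000.0),
    Risk("Pandemic shutdown", 0.10, 15_000_000.0),
)

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{risk_factor(r):>12,.0f}  {grade(r, NET_WORTH):<12}  {r.name}")
    print(render_heat_map(heat_map(REGISTER, NET_WORTH)))
```

The ranking and the map answer different questions: the ranking orders risks by expected loss, which is what the notes' risk factor measures, while the map keeps likelihood and impact apart, so a rare but ruinous event (low likelihood, top impact row) stays visible even when its expected loss is modest.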
Risk Comparison
• A risk comparison helps in prioritizing risk management.
• Risks can be a combination of several risks to which the organization is exposed at any point of time.
• A comparative account of likely losses on account of each component of risk will enable segregation and action orientation, so that resources are allocated accordingly.
Fukushima disaster – I
• Risk comparison is essential for effective societal and individual decision-making.
• After the Fukushima disaster, studies compared radiation and other disaster-related risks to determine the effective prioritizing of measures for response.
• Evaluating the value of risk comparison information can enable effective risk communication.
• In this review, the value of risk comparison after the Fukushima disaster for societal and individual decision-making is discussed while clarifying the concept of radiation risk assessment at low doses.
Fukushima disaster – II
• The objectives of radiation risk assessment are explained within a regulatory science framework, including the historical adoption of the linear non-threshold theory.
• An example of risk comparison (i.e. radiation risk versus evacuation-related risk in nursing homes) is used to discuss the prioritization of pre-disaster measures.
• The effective communication of risk information by authorities is discussed with respect to group-based and face-to-face approaches.
• Furthermore, future perspectives regarding radiation risk comparisons are discussed.