What is Risk Management?
Risk Management can be found in many forms. This was emphasized to me while I was Googling “risk management in financial firms.” What I found were hits covering risk management across a wide spectrum of activities, from risk assessment for projects large and small to mathematical modeling to understanding the creditworthiness of individuals and corporations. So, what is risk management?
Although not necessarily an original thought, an important point to highlight is that everyone in a firm, whether executive or staff member, needs to be aware of the practices and principles of effective risk management. Increasingly, financial firms will express their plans in terms of a risk appetite, which connects their business strategy to their operational activities, such as a trading room buying and selling a variety of financial instruments and creating exposures in the trading book (the banking book covers the retail exposures) that need to be managed.
Understanding how to identify and treat risks in an organization can protect against future difficulties and prepare managers and staff for unavoidable incidents. Preventing a problem from happening or reducing its impact is called mitigating the risk. In financial firms these risks are typically credit, market and operational risks and are seen as part of an enterprise risk management strategy. It is also important to be aware that most of these risks have a reward side. For example, when a firm uses risk analysis to manage its credit risk, it can avoid customers who may default on credit payments and drive its resources to more profitable segments.
In today's global economy, it is critical to see risk as an integral part of the business ecosystem. In this new ecosystem, we are seeing the emergence of a new discipline referred to as governance, risk and compliance (GRC). GRC is about taking the big picture view. Through the Open Compliance & Ethics Group (OCEG) Leadership Council, firms and technology vendors are coming together to agree upon guidelines to gauge the performance of corporate GRC programs. A failure in risk assessment, compliance and monitoring can result in major losses that hit both reputation and shareholder value, potentially resulting in a firm going out of business.
Risk Management Analytics
In the financial world, regulation has formalized many of the risks that firms should measure and report on. The Basel II regulatory guidelines, for example, provide definitions for credit, market and operational risks, outline calculations covering regulatory risk measurement and reporting, and describe a comprehensive measure and minimum standard for capital adequacy.
Firms will also generate risk measurements as part of their economic activities with models supporting credit assessment, credit portfolio management, market risk and firmwide risk (aggregating the various risk measures into a holistic view of risks), effectively pricing risk to make critical decisions more transparent.
Many of the tools used to generate the regulatory values are also used to generate economic measures. Values such as probability of default (PD) and loss given default (LGD) that are generated from credit scoring processes will feed downstream systems that utilize these values in their assessment of risk within the firm.
In recent years, advancements in regulatory and economic models have created the need to gather more and more data from across the enterprise. This data gathering exercise has placed pressure on many firms’ infrastructure to support evolving risk analytics, which, as they develop, demand increasingly timely, accurate and voluminous information.
Paradoxically, one of the largest risks an organization faces is model risk. Model risk can be caused by either implementing a model incorrectly or using the right model but analyzing bad data. Either way, the firm is at risk of the model not performing correctly and therefore exposing the organization to risk.
Top 3 recommendations to deploy enterprise risk management
1. Make risk management part of your organization’s culture
Firms must not only attain regulatory compliance, but embed risk management as part of their organizational culture.
2. Risk management should not be an island
Integrating GRC will bring benefits across all companies. Here risk analytics is seen as part of a wider ecosystem that impacts not only a firm’s risk management processes but also links it to compliance programs and a governance infrastructure.
3. Education - Immerse yourself in the evolving world of risk
There are countless books, journal articles and other published works that describe various ways an organization can calculate and manage risk. Additionally, take advantage of advancements through education, whether through academic financial engineering courses, industry-led courses such as the SAS Business Knowledge Series or professional organizations such as RMA, PRMIA or GARP.
Parting thoughts: Benefits of Risk Management
The concept of risk management seems simple; perhaps that is why it is often taken for granted. But the impact of poor risk management can be seen in serious financial losses, where valuable management time is taken in firefighting and trying to avoid damage to a firm’s reputation.
So it is important that all firms look carefully at how they identify, measure and manage risk as part of an ongoing program, in all market conditions, not just when we are going through a volatile phase as in the last two years.