Categorising risk
Business Risk
A type of non-financial risk that relates to the positive and negative outcomes inherent in an organisation's operating environment, such as the specific actions of its competitors and changes in economic or political conditions
Business risk is willingly assumed by organisations in order to gain a competitive advantage
Changes in consumer demand or supply chains (such as the shift to selling products and services online) fall under business risk, as do changes in government or regulatory policy, because they can affect consumer demand or the cost of running a business
Examples include an increase in the minimum wage rate, or a reduction in the maximum leverage the UK spread betting industry can extend to retail clients, limiting the extent of their activities and the corresponding fee income
Can be grouped as external or internal, for example a mining company may identify a natural disaster as one (external) risk, and a premature or a complete failure of its key production equipment due to inadequate maintenance as another (internal) risk
Business risks are generally intangible risks, which are hard to quantify. Organisations manage these risks by conducting an assessment to identify key business risks. Each risk is then assessed in terms of severity and likelihood of occurrence
Organisations will then usually try to reduce high impact, high probability business risks to an acceptable level by means of changes within the business itself, by purchasing a relevant insurance policy, or by a combination of both. In some cases there is a legal requirement to take out insurance
Credit risk
Credit risk is the risk that a borrower or counterparty will suffer a real or perceived deterioration in its credit rating, or an outright default that will make that borrower or counterparty unable to meet its outstanding obligations
Credit risk is a financial risk
Credit risk is relevant to many types of financial instruments, including loans, securities, derivatives and financial guarantees
A borrower or counterparty's cash generation capacity, its level of indebtedness and the availability of easy to sell assets are all significant factors in estimating credit risk exposure
In credit risk, exposure is measured as the amount of loss that would be realised if a borrower or counterparty actually defaults.
The terms credit risk and default risk are used interchangeably. Typically credit risk is discussed in relation to lending activities, which take either the form of a direct loan (a bank extends a cash loan to a corporation) or an indirect loan through the purchase of debt securities (a bank holds debt securities issued by a corporation).
Concentration risk is the risk that any single exposure, or a group of possibly connected single exposures, has the potential to result in losses that threaten the ability of an organisation to maintain its core business activities.
Credit risk that is specifically attributable to trading activities is called counterparty credit risk (CCR) and is concerned with default on trading obligations such as derivative contracts
Settlement risk is the risk of a trading transaction not settling according to the pre-agreed terms and conditions in the first place, such as when a counterparty fails to deliver securities against payment
Depending on the type of exposure, credit risk is managed through a combination of:
Statistical models
Stress testing and scenario analysis
Risk appetite and limits
Credit underwriting and diversification standards
Qualitative assessments
Market Risk
Market risk measures the extent of change in the value of an investment due to changes in factors that affect the overall performance of the financial markets
Market risk is often referred to as systematic risk - that is, the risk inherent to the entire market or market segment, not just a particular investment
Market risk is another example of financial risk
In its simplest form, market risk is taken by individuals or organisations looking to make a return from an investment.
There are four major categories of market risk
Equity risk
Interest rate risk
Foreign exchange risk
Commodity price risk
Market risk can be relevant to both trading and non trading exposures - trading market risk is the risk of loss from a trading position
Non trading market risk usually arises from off balance sheet exposures such as equity compensation and pension scheme risk as well as structural interest rate or FX risk
Volatility (implied volatility) is the key driver of market risk. It represents the degree of dispersion of returns for a given investment: the higher the volatility, the higher the potential for an extreme loss or a gain. In statistical terms, volatility is estimated using standard deviation
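The following is an added example, not part of the original notes, showing how realised volatility is estimated as the standard deviation of returns. It uses log returns, the sample standard deviation, and annualises by the square root of 252 trading days; the 252-day convention and the two price series are constructed assumptions for illustration only.

```python
import math
import statistics
from typing import Sequence

# Assumption: equity-market convention of 252 trading days per year.
TRADING_DAYS_PER_YEAR = 252


def log_returns(prices: Sequence[float]) -> list[float]:
    """Continuously compounded period returns r_t = ln(P_t / P_{t-1})."""
    if len(prices) < 2:
        raise ValueError("need at least two prices to form a return")
    if any(p <= 0 for p in prices):
        raise ValueError("prices must be strictly positive")
    return [math.log(later / earlier) for earlier, later in zip(prices, prices[1:])]


def realised_volatility(returns: Sequence[float],
                        periods_per_year: int = TRADING_DAYS_PER_YEAR) -> float:
    """Sample standard deviation of returns, scaled to an annual figure.

    Scaling by sqrt(periods_per_year) assumes returns are independent
    across periods, which is the usual simplifying assumption.
    """
    if len(returns) < 2:
        raise ValueError("need at least two returns for a sample standard deviation")
    return statistics.stdev(returns) * math.sqrt(periods_per_year)


def worst_period_return(returns: Sequence[float]) -> float:
    """Largest single-period loss in the sample (most negative return)."""
    return min(returns)


# Constructed sample prices for two hypothetical instruments over eight days.
CALM_PRICES = [100.0, 100.5, 100.2, 100.8, 100.6, 101.0, 100.7, 101.2]
CHOPPY_PRICES = [100.0, 104.0, 98.0, 103.0, 96.0, 102.0, 95.0, 101.0]


def compare_instruments() -> dict[str, dict[str, float]]:
    """Annualised volatility and worst daily loss for each constructed series."""
    result = {}
    for name, prices in (("calm", CALM_PRICES), ("choppy", CHOPPY_PRICES)):
        rets = log_returns(prices)
        result[name] = {
            "annualised_volatility": realised_volatility(rets),
            "worst_daily_return": worst_period_return(rets),
        }
    return result


if __name__ == "__main__":
    for name, stats in compare_instruments().items():
        print(f"{name:7s} vol={stats['annualised_volatility']:.1%} "
              f"worst day={stats['worst_daily_return']:.2%}")
```

The higher-volatility series also carries the larger single-day loss, which is the point the paragraph makes: dispersion of returns is what drives the size of the potential extreme outcome.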
Examples of market risk exposures that an organisation may face include
Financial institutions may have to manage market risk arising from a particular service sold to a client
Large charities and organisations with large investment portfolios may be exposed to market risk through their holdings
Organisations that produce commodities such as oil and electricity may be exposed to a degree of market risk when they sell some of their products in advance
Airlines and shipping companies may have exposure to market risk by trying to actively manage the cost of fuel through derivative contracts
Depending on the type of exposure, market risk is managed through a combination of
Statistical models
Stress testing and scenario analysis
Risk appetite and limits
Diversification and hedging strategies
Qualitative assessments
Liquidity risk
Another example of financial risk
Asset liquidity risk
The risk that an asset cannot be sold quickly enough, or without a significant price concession, because of its degree of illiquidity
Funding liquidity risk
The risk that an organisation is unable to fulfil its payment obligations in a timely manner in normal or stressed market conditions
Depending on the type of exposure, liquidity risk is managed through a combination of a comprehensive assets and liabilities management framework, statistical models, stress testing and scenario analysis, risk appetite and limits, funding diversification and qualitative assessments, all of which form a part of the overall risk monitoring and reporting framework within an organisation
Operational Risk
The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events
Operational risks are generally pure risks that can only result in losses. These risks arise within business as usual operations and are closely linked to factors such as organisational culture, the internal controls environment, contingency planning and crisis management
An organisation's day to day operations can encompass a wide array of risks
Fraud by staff members, customers or third parties
Loss due to inadequate performance of a risk model
Damage to physical assets such as due to fire or flood
Business disruption events including power cuts, system failures and employees going on strike
Health and safety incidents
Customer service problems
Security breaches such as cyber attacks that compromise the integrity or availability of organisational data and systems and result in prolonged operational disruption
Operational risk typically includes legal, regulatory compliance and data quality risks. Legal risk is the risk that an organisation will be unable to meet its obligations as required by law; examples of legal risk are regulatory fines or losses due to legal action taken by private parties
Regulatory compliance risk arises when an organisation may be in violation of applicable laws and regulations. As a result, it may face severe consequences and penalties such as fines, higher capital requirements or negative media publicity
Data quality risk is the risk that data used to calculate internal or regulatory risk exposures is incomplete or incorrect. For example, the consequences for banks regularly submitting wrong regulatory risk exposures can be higher capital and liquidity requirements and increased regulatory scrutiny
Reputation risk
An example of strategic risk
Refers to a risk of loss resulting from damages to the reputation of an organisation, the value of its brand and perceived goodwill
Reputation: the level of trust, admiration, good feeling, and overall esteem a stakeholder has for that organisation
Reputation risk can be defined as an event that will negatively affect the relationship between an organisation and its stakeholders
Although reputation is an intangible asset, it can be very valuable. A good reputation gives an organisation a competitive advantage. It helps to attract more customers and high quality employees
Damage to reputation often corresponds with negative publicity, increased regulatory scrutiny, litigation costs and loss of customers and key employees
Organisations manage reputation risk by examining their strategies, principal and emerging risks and other vulnerabilities to identify the key drivers of reputation risk. A designated risk management framework can then be created to flag reputation threats
A range of contingency and crisis planning, training and testing activities needs to happen in the background. This is to ensure that contingency and crisis management teams are ready to respond to any reputation threat at any time
Preparation and response activities should be carried out by designated individuals who have the knowledge, skills, authority, agility and courage to rapidly respond to the unexpected.
Alternative approaches to risk categorisation
Three-category risk framework
Kaplan and Mikes developed an alternative risk categorisation framework that segregates all organisation risk into three categories
Preventable risks
Internal risks faced by organisations that are controllable
Ideally, organisations should look to entirely eliminate or avoid such risks
An organisation may choose to set tolerance levels for risks that cannot be eliminated completely, as the cost of doing so might outweigh the incremental benefit
Best managed through active prevention: monitoring risk activities and guiding human behaviour within an organisation
Strategy risk
Assumed by organisations willingly in order to gain a competitive advantage and to achieve their objectives
Eg
Credit risk
R&D risk
Risks associated with merging two organisations
Undertaking a major change project
Not explicitly undesirable and cannot be managed via a rules-based control model
Best managed through a framework designed to minimise the actual materialisation of risks and to enhance the overall organisational ability to contain and respond to such risks should they occur
External risks
Risks external to an organisation and beyond its influence or control
Best managed through identification and mitigation actions. An organisation may manage the impact of external risk events through effective business continuity and contingency planning programmes.
UK Treasury Orange Book Classification
Business
Commercial
Risks arising from weaknesses in the management of commercial partnerships, supply chains and contract requirements resulting in poor performance, inefficiency, poor value for money, fraud and/or failure to meet business requirements/objectives
Strategy
Risks arising from identifying and pursuing a strategy that is poorly defined, is based on flawed or inaccurate data or fails to support the delivery of commitments, plans or objectives due to a changing macro environment
Financial
Financial
Risks arising from not managing finances in accordance with requirements and financial constraints, resulting in poor returns from investments, failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting
Operational
Governance
Risks arising from unclear plans, priorities, authorities and accountabilities, and/or ineffective or disproportionate oversight of decision making and/or performance
Information
Risks arising from a failure to produce robust, suitable and appropriate data/information and to exploit data/information to its full potential
Legal
Risks arising from a defective transaction, a claim being made or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets
Operations
Risks arising from inadequate, poorly designed or ineffective/inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money
People
Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies, resulting in a negative impact on performance
Property
Risks arising from property deficiencies or poorly designed or ineffective/inefficient safety management resulting in non-compliance and/or harm and suffering to employees, contractors, service users or the public
Security
Risks arising from a failure to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security failures and non-compliance with GDPR
Project
Project
Risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality
Reputation
Risks arising from adverse events, including ethical violations, a lack of sustainability, systemic or repeated failures, poor quality or a lack of innovation, leading to damage to reputation and the destruction of trust and relationships
Risk of internal control failure
Internal control risks are related to governance and internal control activities
Any organisation with employees and managers may find that they do not always act in the best interests of the organisation and its stakeholders
Internal control risks may arise from the processes, systems and controls that an organisation has in place to manage its employees and managers
Poorly designed processes, systems and controls may increase the potential for innocent mistakes and can facilitate less innocent activities
Weaknesses in policies, procedures and staff training can increase the risk of internal control failures where employees and managers are unclear about their roles and responsibilities
The role of the board
The board is ultimately responsible for overseeing the effectiveness of risk management practices within an organisation as well as compliance with all relevant regulations
The board is encouraged to exercise this oversight by defining the process for ongoing monitoring and review of risks, including the scope and frequency of reporting and assurance
Typically key risks are regularly communicated to the board through a dedicated risk dashboard