Categorising risk

Business Risk

A type of non-financial risk that relates to the positive and negative outcomes that are inherent in an organisation's operating environment, such as the specific actions of its competitors and changes in economic or political conditions

Business risk is willingly assumed by organisations in order to gain a competitive advantage

Changes in consumer demand or supply chains (such as selling products and services online) fall under business risk, as do changes in government or regulatory policy, as they can have an effect on consumer demand or the cost of running a business

Examples include an increase in a minimum wage rate or a reduction of the maximum leverage the UK spread betting industry can extend to retail clients, limiting the extent of their activities and corresponding fee income

Business risks can be grouped as external or internal; for example, a mining company may identify a natural disaster as one (external) risk, and a premature or complete failure of its key production equipment due to inadequate maintenance as another (internal) risk

Business risks are generally intangible risks, which are quite hard to quantify. Organisations manage these risks by conducting an assessment to identify key business risks. Each risk is then assessed in terms of severity and the likelihood of occurrence

Organisations will then usually try to reduce high impact, high probability business risks to an acceptable level by means of changes within the business itself, by purchasing a relevant insurance policy, or by a combination of both - in some cases there may be a legal requirement to take out insurance

Credit risk

Credit risk is the risk that a borrower or counterparty will suffer a real or perceived deterioration in its credit rating, or an outright default that will make that borrower or counterparty unable to meet its outstanding obligations

Credit risk is a financial risk

Credit risk is relevant to many types of financial instruments, including loans, securities, derivatives and financial guarantees

A borrower or counterparty's cash generation capacity, its level of indebtedness and the availability of easy to sell assets are all significant factors in estimating credit risk exposure

In credit risk, exposure is measured as the amount of loss that would be realised if a borrower or counterparty actually defaults.

The terms credit risk and default risk are used interchangeably. Typically, credit risk terms are used in relation to lending activities, which take the form of either a direct loan (a bank extends a cash loan to a corporation) or an indirect loan through debt securities purchases (a bank holds debt securities issued by a corporation).

Concentration risk is the risk of any single exposure, or a group of possibly connected single exposures, that has the potential to result in losses that can threaten the ability of an organisation to maintain its core business activities.

Credit risk that is specifically attributable to trading activities is called counterparty credit risk (CCR) and is concerned with default on trading obligations such as derivative contracts

Settlement risk is concerned with the risk of a trading transaction not settling as per pre-agreed terms and conditions in the first place, such as when a counterparty fails to deliver securities against the payment

Depending on the type of exposure, credit risk is managed through a combination of:

Statistical models

Stress testing and scenario analysis

Risk appetite and limits

Credit underwriting and diversification standards

Qualitative assessments

Market Risk

Market risk measures the extent of change in the value of an investment due to changes in factors that affect the overall performance of the financial markets

Market risk is often referred to as systematic risk - that is, the risk inherent to the entire market or market segment, not just a particular investment

Market risk is another example of financial risk

In its simplest form, market risk is taken by individuals or organisations looking to make a return from an investment.

There are four major categories of market risk

Equity risk

Interest rate risk

Foreign exchange risk

Commodity price risk

Market risk can be relevant to both trading and non trading exposures - trading market risk is the risk of loss from a trading position

Non trading market risk usually arises from off balance sheet exposures such as equity compensation and pension scheme risk as well as structural interest rate or FX risk

Volatility (implied volatility) is the key driver of market risk. It represents the degree of dispersion of returns for a given investment: the higher the volatility, the higher the potential for an extreme loss or a gain. In statistical terms, volatility is estimated using standard deviation

Examples of market risk exposures that an organisation may face include

Financial institutions may have to manage market risk arising from a particular service sold to a client

Large charities and organisations with large investment portfolios may be exposed to market risk through their holdings

Organisations that produce commodities such as oil and electricity may be exposed to a degree of market risk when they sell some of their products in advance

Airlines and shipping companies may have exposure to market risk by trying to actively manage the cost of fuel through derivative contracts

Depending on the type of exposure, market risk is managed through a combination of

Statistical models

Stress testing and scenario analysis

Risk appetite and limits

Diversification and hedging strategies

Qualitative assessments

Liquidity risk

Another example of financial risk

Asset liquidity risk

An asset's degree of illiquidity

Funding liquidity risk

The risk that an organisation is unable to fulfil its payment obligations in a timely manner in normal or stressed market conditions

Depending on the type of exposure, liquidity risk is managed through a combination of a comprehensive assets and liabilities management framework, statistical models, stress testing and scenario analysis, risk appetite and limits, funding diversification and qualitative assessments, all of which form a part of the overall risk monitoring and reporting framework within an organisation

Operational Risk

The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events

Operational risks are generally pure risks that can only result in losses; these risks arise within business as usual operations and are closely linked to factors such as organisational culture, the internal controls environment, contingency planning and crisis management

An organisation's day to day operations can encompass a wide array of risks

Fraud by staff members, customers or third parties

Loss due to inadequate performance of a risk model

Damage to physical assets, such as due to fire or flood

Business disruption events including power cuts, system failures and employees going on strike

Health and safety incidents

Customer service problems

Security breaches such as cyber attacks that compromise the integrity of organisational data and result in a prolonged operational disruption

Operational risk typically includes legal, regulatory compliance and data quality risks. Legal risk is the risk that an organisation will be unable to meet its obligations as required by law; examples of legal risk are regulatory fines or losses due to a legal action taken by private parties

Regulatory compliance risk arises when an organisation may be in violation of applicable laws and regulations. As a result, it may face severe consequences and penalties such as fines, higher capital requirements or negative media publicity

Data quality risk is the risk that data used to calculate internal or regulatory risk exposures is incomplete or incorrect. For example, the consequences for banks regularly submitting wrong regulatory risk exposures can be higher capital and liquidity requirements and increased regulatory scrutiny

Reputation risk

An example of strategic risk

Refers to a risk of loss resulting from damage to the reputation of an organisation, the value of its brand and perceived goodwill

Reputation: the level of trust, admiration, good feeling, and overall esteem a stakeholder has for that organisation

Reputation risk can be defined as an event that will negatively affect the relationship between an organisation and its stakeholders

Although reputation is an intangible asset, it can be very valuable. A good reputation gives an organisation a competitive advantage. It helps to attract more customers and high quality employees

Damage to reputation often corresponds with negative publicity, increased regulatory scrutiny, litigation costs and loss of customers and key employees

Organisations manage reputation risk by examining their strategies, principal and emerging risks and other vulnerabilities to identify key drivers of reputation risk. A designated risk management framework can then be created to flag reputation threats

A range of contingency and crisis planning, training and testing activities needs to happen in the background. This is to ensure that contingency and crisis management teams are ready to respond to any reputation threat at any time

Preparation and response activities should be carried out by designated individuals who have the knowledge, skills, authority, agility and courage to rapidly respond to the unexpected.

Alternative approaches to risk categorisation

Three risk categories

Kaplan and Mikes developed an alternative risk categorisation framework that segregates all organisational risk into three categories: preventable risks, strategy risks and external risks

Preventable risks

Internal risks faced by organisations that are controllable

Ideally, organisations should look to entirely eliminate or avoid such risks

An organisation may choose to have tolerance levels for risks that cannot be managed at a 100% elimination rate, as the high cost might outweigh the incremental benefit

Best managed through active prevention: monitoring risk activities and guiding human behaviour within an organisation

Strategy risks

Assumed by organisations willingly in order to gain a competitive advantage and to achieve their objectives

Eg

Credit risk

R&D risk

Risks associated with merging two organisations

Undertaking a major change project

Not explicitly undesirable and cannot be managed via a rules-based control model

Best managed through a framework designed to minimise the actual materialisation of risks and to enhance the overall organisational ability to contain and respond to such risks should they occur

External risks

Risks external to an organisation and beyond its influence or control

Best managed through identification and mitigation actions. An organisation may manage the impact of external risk events through effective business continuity and contingency planning programmes.

UK Treasury Orange Book Classification

Business

Commercial

Risks arising from weaknesses in the management of commercial partnerships, supply chains and contract requirements resulting in poor performance, inefficiency, poor value for money, fraud and/or failure to meet business requirements/objectives

Strategy

Risks arising from identifying and pursuing a strategy that is poorly defined, is based on flawed or inaccurate data or fails to support the delivery of commitments, plans or objectives due to a changing macro environment

Financial

Financial

Risks arising from not managing finances in accordance with requirements and financial constraints, resulting in poor returns from investments, failure to manage assets/liabilities or to obtain value for money from the resources deployed and/or non compliant financial reporting

Operational

Governance

Risks arising from unclear plans, priorities, authorities and accountabilities, and/or ineffective or disproportionate oversight of decision making and/or performance

Information

Risks arising from a failure to produce robust, suitable and appropriate data/information and to exploit data/information to its full potential

Legal

Risks arising from a defective transaction, a claim being made or some other legal event occurring that results in a liability or other loss, or a failure to take appropriate measures to meet legal or regulatory requirements or to protect assets

Operations

Risks arising from inadequate, poorly designed or ineffective/inefficient internal processes, resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money

People

Risks arising from ineffective leadership and engagement, suboptimal culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non compliance with relevant employment legislation/HR policies, resulting in a negative impact on performance

Property

Risks arising from property deficiencies or poorly designed or ineffective/inefficient safety management resulting in non-compliance and/or harm and suffering to employees, contractors, service users or the public

Security

Risks arising from a failure to prevent unauthorised and/or inappropriate access to the estate and information, including cyber security and non compliance with GDPR

Project

Project

Risks that change programmes and projects are not aligned with strategic priorities and do not successfully and safely deliver requirements and intended benefits to time, cost and quality

Reputation

Risks arising from adverse events, including ethical violations, a lack of sustainability, systemic or repeated failures, poor quality or a lack of innovation, leading to damage to reputation and destruction of trust and relations

Risk of internal control failure

Internal control risks are related to governance and internal control activities

Any organisation with employees and managers may find that they do not always act in the best interests of the organisation and its stakeholders

Internal control risks may arise from the processes, systems and controls that an organisation has in place to manage its employees and managers

Poorly designed processes, systems and controls may increase the potential for innocent mistakes and can facilitate less innocent activities

Weaknesses in policies, procedures and staff training can increase the risk of internal control failures where employees and managers are unclear about their roles and responsibilities

The role of the board

The board is ultimately responsible for overseeing the effectiveness of risk management practices within an organisation as well as compliance with all relevant regulations

The board is encouraged to exercise this oversight by defining the process for ongoing monitoring and review of risks, including the scope and frequency of reporting and assurance

Typically, key risks are regularly communicated to the board through a dedicated risk dashboard