Every business faces risks that present threats to its success. In its broadest sense, the risk is the possible harm associated with a situation – the product of impact and probability.
Risk management is using processes, methods and tools for quantifying and managing these risks and uncertainties.An essential aspect of the financial services sector is managing financial risk on behalf of both customers and owners. To discuss the risks a financial services firm faces is, therefore, to address one of the core reasons for its existence. For risk management practitioners, that is what gives the disciplines within risk management their importance – and their intellectual appeal.
The basic concepts are not difficult to grasp, as will be seen as we progress through this workbook, but understanding their interrelationship is sometimes less straightforward.
The diagram below shows a financial services firm – for example, an asset manager, broker or bank – in the context of the risk environment within which it operates. Detailed definitions will be provided as we meet each element in its relevant chapter, but an initial overview will help set the scene.
- Credit, market and liquidity risks are at the centre of the diagram because the management of these risks lies at the heart of the complex financial transactions performed by the industry. These transactions include: increasing the long-term wealth of investors and entrepreneurs by making investors’ assets available to those in the global economy who can put them to the best, most productive use enabling long-term mortgages and corporate or sovereign financing using short-term sources of funding, such as retail deposits providing the payment and safe-keeping mechanisms that underpin a modern wealth-creating economy.
- Investment risk – the credit, market and liquidity risks referred to above are managed for the firm’s benefit – its owners and clients. Many of these clients are investors whose funds are governed by the firm. We refer to the combination of risks involved in providing the ‘right’ level of return to these investors as ‘investment risk’.
- Operational risk – the act of managing credit, market, liquidity and investment risk are itself subject to a different set of risks. These emerge from the people, processes, systems and external events that the firm needs to manage in running its business. These are four key factors that are collectively referred to as operational risk.
- Enterprise risk – understanding the different risks to which a financial services firm is subject is key to its success. Therefore, risk information is regularly reported up the chain of command. Separate reporting mechanisms have traditionally been used for the separate risk types, but, increasingly, firms find it helpful to group the risk types and report on them collectively. This provides the ‘risk equivalent’ of the firm’s accounting tools, where the balance sheet, profit and loss account, and cash flow statement enable a focused view of the firm’s finances. Enterprise risk management provides the firm with a succinct view of all its vital risk information, thus allowing the senior team to make balanced, firm-wide risk decisions.
- Strategic risk (internal) – the firm does not exist in isolation and interacts with global financial markets and the ‘real’ economy. These interactions with the real economy give rise to the sorts of strategic risks that every firm faces, regardless of its industry. Some of the more critical internal drivers of strategic risk stem from a firm’s chosen strategy translation and execution of its strategy into its business (or operational) model, its financial management and its internal compliance with externally imposed regulations and laws.
- Strategic risk (external) – arises from unforeseen changes in the global economy, the political arena, the competitive environment, social and market forces, and technological innovation.
- Corporate governance and risk oversight – there are both tactical and strategic risk-takers within the organisation. The strategic risk-takers – chief executive officer (CEO), directors and senior managers – formulate a strategy for the firm that requires certain risks to be taken and others expressly to be avoided. They communicate the strategy to the traders, asset managers and research analysts, whose job is to manage the tactical risks involved in implementing it. For this communication process to function correctly and to enable the strategic risk-takers to monitor the subsequent progress in the strategy’s implementation, there needs to be a set of robust methods for ensuring that the firm is appropriately governed to formulate and implement the strategy implementing a coherent firm-wide risk framework to enable oversight of the strategic and tactical risks that will allow the anticipated returns to be generated and unnecessary losses or impairment of the company’s value to be minimised.
Having gained an understanding of the broad spectrum of risks to which financial services firms are potentially exposed and the underlying drivers of each type, a firm needs to address the various ways in which its actual risks can be managed. A ‘risk register’ of risk types (eg, operational) and specific risks (eg, failure of the customer relationship management system) is compiled and used by firms so that the risks and the associated mitigating actions and controls can be understood and owned and monitored.
The firm then needs to decide how much risk it is willing to take, a concept known as risk appetite, and make sure that this appetite is not exceeded through formal controls and high-quality risk reporting. In addition to controls and risk reporting, the so-called risk culture of the firm also plays a crucial role in enabling the risk appetite set by the board to be understood and adhered to at all levels of the organisation.