Business, Legal & Accounting Glossary
Risk management, as it is understood today, largely emerged during the early 1990s, but the term “risk management” was used long before this. Since the 1960s, it has been – and frequently still is – used to describe techniques for addressing insurable risks.
This form of “risk management” encompasses:
More recently, derivative dealers have promoted “risk management” as the use of derivatives to hedge or customize market-risk exposures. For this reason, derivative instruments are sometimes called “risk management products.”
The new “risk management” that evolved during the 1990s is different from either of the earlier forms. Often called “financial risk management,” it treats derivatives as a problem as much as a solution. It focuses on reporting, oversight and segregation of duties within organizations.
Gerald Corrigan (1992), then President of the New York Federal Reserve, set a tone for the new financial risk management in an addressed the New York Bankers Association:
… the interest rate swap market now totals several trillion dollars. Given the sheer size of the market, I have to ask myself how it is possible that so many holders of fixed or variable rate obligations want to shift those obligations from one form to the other. Since I have a great deal of difficulty in answering that question, I then have to ask myself whether some of the specific purposes for which swaps are now being used may be quite at odds with an appropriately conservative view of the purpose of a swap, thereby introducing new elements of risk or distortion into the marketplace – including possible distortions to the balance sheets and income statements of financial and nonfinancial institutions alike.
I hope this sounds like a warning because it is. Off-balance sheet activities have a role, but they must be managed and controlled carefully, and they must be understood by top management as well as by traders and rocket scientists.
Responding to spreading concerns about OTC derivatives, in July 1993, the Group of 30 published a 68-page report entitled Derivatives: Practices and Principles. It has come to be known as the G-30 Report. It describes then-current derivatives use by dealers and end-users. The heart of the study is 20 recommendations to help dealers and end-users manage their derivatives activities.
Topics addressed include:
With regard to the market risk faced by derivatives dealers, the report recommends that portfolios be marked-to-market daily, and that market risk be assessed with both value-at-risk and stress testing. It recommends that end-users of derivatives adopt similar practices as appropriate for their own needs.
Although the G-30 Report focuses on derivatives, most of its recommendations are applicable to the risks associated with other traded instruments. For this reason, the report largely came to define the new financial risk management of the 1990s.
In October 1994, following closely on the heels of the G-30 Report, JP Morgan launched its free RiskMetrics service. A public relations firm placed ads and articles in the financial press. Representatives of JP Morgan went on a multi-city tour to promote the service. Software vendors, who had received advance notice, started promoting compatible software. RiskMetrics got treasury professionals at non-financial firms talking about value-at-risk specifically and the new financial risk management generally.
RiskMetrics was released during a period of publicized financial losses, including:
By the mid-1990s, regulatory initiatives, concerns about OTC derivatives, the release or RiskMetrics, and publicized losses had created a flurry of interest in the new financial risk management and related techniques.
So what is this risk management? Risk management – or financial risk management, should we want to distinguish it from other uses of the word – can be defined as:
Practices by which a firm optimizes the manner in which it takes financial risk.
It includes monitoring of risk-taking activities, upholding relevant policies and procedures, and distributing risk-related reports.
Note that financial risk management is not about optimizing risk in some sense. That is the province of the board of directors and senior management, perhaps working with more tactical risk-takers such as traders or portfolio managers. No, financial risk management is about optimizing the manner in which risk is taken. Accordingly, financial risk management isn’t about managing anything. It is really about facilitating.
A related concept is enterprise risk management, which is the extension of financial risk management, in some sense, to non-financial contingencies. It is a somewhat elusive concept that means different things to different people. Firms have experimented with the concept, combining financial risk management, insurance purchasing, and contingency planning into a single business unit. A challenge has been the culture clash between the worlds of finance and insurance. Few professionals are expert in both.
Organizationally, financial risk management is implemented in different ways. There may be, within the board of directors, a risk committee. Usually, there is some sort of risk oversight committee, comprising senior managers. In practice, various names are given to these two committees. A senior manager, called the head of risk management or chief risk officer (CRO), reports to the risk oversight committee. This head of risk management may oversee a single department called the risk management department. Professionals working within that department, called risk managers, are responsible for facilitating the taking of applicable financial risks – market risks, credit risks and operational risks – by other departments within the firm. In larger organizations, there may be more specialization.
The head of risk management might oversee three professionals:
Each would oversee a respective department. Other arrangements are also possible.
Functionally, there are four aspects of financial risk management.
Success depends upon:
It is a fact that an organization will only manage risk if its members want to manage risk. Regulators struggle with this every day. They can force a bank to implement a multi-million dollar value-at-risk system. They can require an insurance company to implement hundreds of pages of procedures. But they cannot force an institution to effectively manage risk.
It is individuals who decide whether or not they are going to manage organizational risk. Unfortunately, there is a big incentive for them to choose not to. The very sorts of behaviour which reduce organizational risk entail significant personal risk.
Risk management is about rocking the boat, asking questions and challenging the establishment. No one can manage risk if they are not prepared to take risk.
While individual initiative is critical, it is corporate culture which facilitates the process. Corporate culture defines what behaviour the members of an organization will condone – and what behaviour they will shun. Corporate culture plays a critical role in financial risk management because it defines the risks which an individual must personally take if they are going to help to manage organizational risks.
A positive risk culture is one which promotes individual responsibility and is supportive of risk-taking.
No risk culture is perfect. Fortunately, few are beyond repair. The challenge of financial risk management is to honestly assess an organization’s culture, and then work to improve it.
When you mention policies and procedures, people are likely to roll their eyes, as thoughts of red tape and bureaucracy flood their thoughts. This is unfortunate. Used correctly, procedures are a powerful tool of financial risk management.
The purpose of policies and procedures is to empower people. They specify how people can accomplish what needs to be done. It is only when policies and procedures are neglected or abused that they become an impediment.
The success of policies and procedures depends critically upon a positive risk culture. Hundreds of pages of procedures, neatly printed and sitting on a shelf, are useless if no one uses them. However, even a simple set of procedures can make an enormous difference for an organization if people believe in them and take personal responsibility for upholding them.
Procedures systematize the process of financial risk management. Consider market risk limits. These are a form of procedure which systematize oversight of market risk. They make explicit how much risk is too much risk for any given segment of a portfolio.
Without risk limits, someone would have to track the risks being taken by individual traders and apply their own subjective judgment as to how much is too much. Should they decide to act on their subjective judgment that a trader is taking too much risk, the affected trader may reasonably feel that the decision is arbitrary or unfair – she might ask: “what about the market opportunity I was pursuing or the client whose needs I was trying to meet?”
Whenever procedures do not exist, there is increased potential for disagreement, misunderstanding and conflict. A lack of procedures increases the personal risk that individuals must take if they are going to manage organizational risk. Accordingly, a lack of procedures tends to promote inaction.
Effective procedures, on the other hand, empower people. They layout specifically what people should do – and what they should not do – in a given situation. By reducing uncertainty – individual risk—they promote action.
Examples of procedures include:
An organization should have formal procedures for changing policies or procedures. Experienced risk managers know that proposals for an informal or hasty change to procedures sometimes indicate an effort to cover up something that existing procedures would otherwise highlight. Also, because procedures become outdated over time, it is easy for organizations to change how they operate without formally recognizing that the change is taking place. Informal practices evolve out of habit, instead of by a deliberate process. Because they may be adopted out of necessity or convenience – without considering how they impact organizational risk – they, too, are a source of risk.
Often, periods of change are a time of increased risk for an organization. Procedures for changing policies or procedures are an excellent mechanism that encourages people to recognize changes as they are taking place and formally address the risks that they pose.
The primary role technology plays in financial risk management is risk assessment and communication. Technology is employed to quantify or otherwise summarize risks as they are being taken. It then communicates this information to decision-makers, as appropriate. Technology might include a VaR system or portfolio credit risk system. It can include financial engineering technology for independently marking to market positions. It may include an interactive risk report that is electronically circulated to managers every day.
For many institutions, such as banks or securities firms, technology is a critical component of financial risk management. For other organizations, including some non-financial corporations or pension plans, technology plays a lesser role.
For institutions which rely heavily on technology, there is always a risk of the cart being placed before the horse, with technology becoming the focus of financial risk management. If an organization launches a risk management initiatives by first allocating money to the project and then issuing a request for proposal, that can be a warning sign.
A more staged approach starts off by recognizing that financial risk management is primarily about people – how they think and how they interact with one another. Technology is just a tool. In the wrong hands, it is worse than useless, but applied appropriately, it can transform an organization.
A good approach to implementing an enterprise risk management initiative is:
For financial risk management to succeed, risk managers must be independent of risk-taking functions within the organization.
Holton (2004) defines independence as comprising the following four criteria:
The first three items are straightforward. The fourth is more subtle – or perhaps, controversial. It speaks to the very heart of what constitutes financial risk management. Let’s briefly address the first three items and then proceed to the question: what is the role of financial risk management, anyway?
Enron’s experience with financial risk management is instructive. The firm maintained a risk management function staffed with capable employees. Lines of reporting were reasonably independent in theory, but less so in practice. The group’s mark-to-market valuations were subject to adjustment by management. The group had few career risk managers. Enron maintained a fluid workforce. Employees were constantly on the lookout for their next internal transfer. Those who rotated through risk management were no different. A trader or structurer whose deal a risk manager scrutinized one day might be in a position to offer that risk manager a new position the next. Astute risk managers were careful to not burn bridges. Even worse, risk managers were subject to Enron’s “rank and yank” system of performance review. Under that system, anyone could contribute feedback on anyone, and the consequences of a bad review were draconian. Risk managers who blocked deals could expect to suffer in “rank and yank.”
Of the above four criteria for independence, Enron was weak on the first but utterly failed to satisfy the second two. Despite the sophistication of individual employees, financial risk management at Enron was hollow.
Proceeding now to the fourth criteria for independence, we want to distinguish between risk-taking and risk management. Within firms, there are strategic and tactical risk-takers. The CEO and other senior managers are strategic risk-takers. They formulate a strategy for the firm that entails taking certain risks. They communicate the strategy to tactical risk takers—including traders, structurers, and asset managers—whose job it is to implement that strategy. This is how businesses have operated for hundreds of years, so where do risk managers fit in? While not typically acknowledged, there are two competing models.
According to one model, strategic and tactical risk-takers need help taking a risk. Under this theory, super risk takers – risk managers – are required to intervene. They identify risks that should be avoided and, in doing so, risks that should be taken. In this manner, risk managers help the less qualified strategic and tactical risk-takers do their jobs.
There is much wrong with this model. First, it is redundant. If strategic or tactical risk-takers are not capable of doing their jobs, the answer is not to hire a super risk taker to do it for them. Rather, it is to replace them with strategic and tactical risk-takers who are up to the task. Second, it undermines accountability. If a trade turns sour, is the trader at fault, or is the risk manager who failed to block the deal? Third, it leads to conflict. While strategic risk-takers will never feel threatened that a super risk taker might usurp their prerogatives, tactical risk-takers often do. At some firms, the result has been a cold war between the front and middle offices. Finally, risk managers are positioned to be used as scapegoats. With corporate scandals fresh in memory, we can understand why some senior executives may be all too happy ascribing full responsibility for risk-taking to a chief risk officer. With this model, risk management can become a device for executives to manage career risk as opposed to a device for managing corporate risk.
The alternative model is that risk managers are facilitators. Strategic and tactical risk-takers are responsible for deciding what risks to take. Risk managers facilitate the process by ensuring effective communication between the two groups. They help strategic risk-takers communicate through policies, procedures and risk limits. They help tactical risk-takers communicate by preparing risk reports that describe the risks they are taking. To avoid the pitfalls of the risk-managers-as-super-risk-takers model, risk managers must have no authority to take risk on the firm’s behalf. They do not advise on risk-taking issues because, if their advice is routinely followed, they will become de facto risk-takers. To avoid the semblance of giving advice, they express no opinions about the desirability of taking any particular risks. It is one thing for a risk manager to measure risk. It is entirely another for the risk manager to express an opinion that the risk is too large or otherwise not worth taking. With risk managers not expressing opinions, tactical risk-takers don’t feel threatened … so there is no cold war. With risk managers not responsible for taking risks, there is little possibility of shifting blame to them when things go wrong.
In light of the merits of the risk-managers-as-facilitators model, the very term “risk manager” seems a misnomer. Perhaps it would be more appropriate to describe them as “risk facilitators.”
To help you cite our definitions in your bibliography, here is the proper citation layout for the three major formatting styles, with all of the relevant information filled in.
Definitions for Financial Risk Management are sourced/syndicated and enhanced from:
This glossary post was last updated: 17th April, 2020 | 3 Views.