
Risk Management
(c) PROVENTUS.COMsulting
Risk management (cf. Froot et al., 1993) covers the assessment, the mitigation, and the monitoring of risks, based on a risk strategy. Optimally, it should cover all risks an organization is exposed to, such as:
Financial Risk;
Credit Risk;
Operational Risk;
Organizational Risk.
This list could be extended almost infinitely (insurance risk, etc.), or shortened to just Financial and Operational Risk, as it appears to us that the former includes Credit Risk and the latter incorporates Organizational Risk. Some risks, such as reputational risk, may even transcend the most general categorization: reputational risk, for instance, may result from both internal errors (e.g. hiring of a convicted fraudster) and external factors attributable to market disruptions.
More important than these categorizations, however, appears to be the need for inclusion of each and every risk which might affect the organization, including risks as diverse as internal and external fraud, re-financing risks, natural hazards, and changes in (tax) legislation to name just a few.
Even more important is the pro-active management of those risks, rather than a reactive management (“fire-fighting”) of risks which have already materialized. In truth, the latter should not even be considered “risk management” but rather called “workout”, given that risk, as seen above, implies the possibility of an event, not the dealing with an event which has already materialized. Although this is all quite obvious and self-explanatory – as it is clear that a fire department’s main task should be to avoid fires rather than to actually fight them –, reality shows that many organizations either have no structured risk management in place at all, or regard it as an obligation or “nice-to-have” option which above all is seen as a cost factor.
So, in order to achieve this organization-wide, pro-active management, a number of steps, which shall be presented in the following section, need to be taken – and regularly reviewed – to ensure that the likelihood of the risks' occurrence is limited and that, in case of a hazardous event, the relevant policies are in place and ready to be executed. The latter includes the proper distribution of those policies and training on them.
Risk Assessment
As a first step in the risk management process, all relevant risks have to be identified, which might actually be the hardest part, as some risks may yet have to materialize for the first time, so that a mere dependence on past experience may be insufficient. Secondly, a clear measurement (assessment in the stricter sense) of the risks identified needs to take place, in order to be able to, thirdly, classify those risks into “Risk Classes”.
Risk Identification
In order to identify (almost) all risks which may potentially affect an organization during the course of its existence, all areas of activity need to be identified. This must not be limited to the core and non-core activities of the entity, but must also extend to all internal and external activities, for example those related to human resources management as an internal activity, or the external relationship with public entities etc.
Once these areas of activity have been defined, all inherent risks need to be identified. This may well lead to the finding that some risks are cross-sectional, i.e. appear in various divisions, or that risks in one section may mitigate or increase the risk in others – which leads us to the next section on the measurement of risk.
Risk Measurement
Risk measurement (cf. Altmann et al., 1998) is probably the most complex and difficult of the tasks covered in this part of the paper, given that it relates directly to the quantification of risk which has been discussed above and cannot be realistically separated from its qualification.
As such, serious, realistically applicable risk measurement will hardly ever be the result of an exact mathematical process, but will rather involve the combination of various means, such as mathematical models (Monte Carlo simulations etc.), personal experience and sector-specific knowledge.
To illustrate the measurement of risk a relatively simple, yet very important area of risk management shall be chosen: credit risk management. This excludes a priori many of the factors which make other areas, such as operational risk management, particularly complex as they may have multiple and/or cross-sectorial effects, which may increase or decrease each other. Also, by having a very measurable basis, namely credit as expressed in currency amounts (money), it has per se a more “measurable nature”.
At the same time, it is not limited to banks, as sometimes assumed, but actually applies to almost all organizations and even private persons: By granting payment terms or delivering goods or services without immediate payment, firms contract a credit risk. The same is true for private individuals who for instance make purchases for others, trusting that they will be reimbursed for the purchase price etc.
Neither is credit risk management incomparable to other areas of risk management. Actually, risk management is in essence quite comparable across the board, and findings from one area are easily applicable to another.
Having said this, the very basics of credit risk management can be summarized as follows.
Default
The main (again, not the only) risk with regards to credits is that the terms of the same will not be complied with, be it in terms of repayment of the loan amount, payment of interest, compliance with (re-)payment dates, etc. Cumulatively, these “breaches of contract” are known as “default”.
Loss
While in operating a production plant, for example, one of the risks involved is the loss of property or the loss of lives, in credit operations the main risk is in fact the loss of money. This may be because the loan amount is not (fully) repaid or because it is repaid late, thus precluding other opportunities of earning money during that time.
Probability of Default (PD)
Probability of Default, or Default Probability, is consequently understood as the degree of likelihood that the borrower of a loan or debt will not be able to make the necessary scheduled repayments. Should the borrower be unable to pay, they are then said to be in default of the debt, at which point the lenders of the debt have legal avenues to attempt obtaining at least partial repayment. “Generally speaking, the higher the default probability a lender estimates a borrower to have, the higher the interest rate the lender will charge the borrower (as compensation for bearing higher default risk).” (www.investopedia.com)
When, for example, a home buyer obtains a mortgage loan on a piece of real estate, the lending bank makes an assessment of the buyer's default risk and estimates their default probability. Depending on the outcome, the loan application will either be rejected or accepted. Within the acceptance, the default probability may lead to the adaptation of the pricing to increase the return for the given risk, i.e. the higher this probability of default, the greater the interest rate applied to the loan.
The same logic comes into play when investors buy and sell fixed-income securities (e.g. bonds) on the open market. Companies that are very liquid and have a low default probability will be able to issue debt at lower interest rates. Investors trading their bonds on the open market will price safer debt with a bit of a premium compared to riskier debt. If a company's financial health worsens over time, investors in the bond market will adjust to the increased risk and trade its bonds at lower prices. (investopedia.com)
Probability of Default is usually expressed in a percentage value, where:
PD=100% - certainty of default, i.e. borrower has defaulted on loan;
PD=0% - certainty of full compliance, i.e. borrower has already complied with all terms (i.e. fully repaid)
As an example, then, a PD of 10% implies that the specific borrower has a one in ten chance to default on his loan.
Loss Given Default (LGD)
Loss Given Default is the amount of funds that is lost – or rather estimated to be lost – by an entity when a borrower defaults on a loan. Here, too, the quantification, usually expressed as a percentage, is a difficult task, for it depends on the point in time at which the borrower may default under any given loan, as parts of the loan may have been repaid (or not yet drawn) by that time. It further depends on the quality and liquidity of granted collateral etc. (www.investopedia.com)
In brief, LGD may be summarized as follows:
LGD=100% - all of the original amount will be lost, i.e. the lender will not recover anything (highest risk of loss);
LGD=0% - all of the original amount will be recovered, i.e. the lender will not lose anything even in a default situation, normally due to very valuable and liquid collaterals (lowest risk of loss).
As an example, then, an LGD of 50% implies that under a specific loan, the default of a borrower would result in the loss of half of the original amount (for example, the execution of a mortgage takes time, costs money, and in a forced sale process only part of the original loan amount can be recovered).
Expected Loss (EL)
Finally, the Expected Loss simply reflects the result of multiplying the LGD with the PD in order to obtain a final risk measure for a loan:
EL = PD x LGD
To apply above example, and given a Probability of Default of 10% and a Loss Given Default value of 50%, Expected Loss would in this case amount to 5%:
EL = 10% x 50% = 5%
Therefore, had a EUR 1 million loan been given, the Expected Loss would amount to EUR 50,000.
EL Values for individual loans may vary sharply, and usually a more important figure taken into account is the EL value of a whole portfolio of loans. This is then compared to the internal rate of return (IRR) of the relevant loan or portfolio.
Historical data on past losses in comparable portfolios provides a basis for comparison, but does not necessarily serve to change that value, as (i) historical figures will usually have entered into the risk measurement process, thus leading to double-counting should they be taken into account again, and (ii) changing (economic) environments may disturb the comparability of historical EL figures even in very comparable portfolios.
Risk Classification
As a final step of the risk assessment process, risks may be classified in order to simplify the subsequent risk mitigation process (thus however to some extent jeopardizing it) or rather to give a high-level risk overview.
Risk classes may be different from entity to entity as they should reflect all the risk groups and only those groups of risk the specific entity faces (or, at least, has identified).
Coming back to our above example, one way of classifying credit risk would be to establish EL-classes, e.g.:
EL=0-0.5% - ELC 1;
EL=>0.5%-1.0% - ELC 2;
….
In practice, this may be used to create sub-portfolios to subject them to different “intensities” of risk management, i.e. loans in higher (riskier) EL classes will be reviewed more frequently, handled by more experienced staff, moved into special (sub-)entities or sold off to venture funds etc.
Risk Mitigation
The aim of risk mitigation is to minimize risk by taking measures intended to reduce the probability of occurrence of the risks assessed as per above.
Again, there are innumerable forms and means of risk management, including:
Hedging (interest rate, foreign exchange, etc.);
Insurance (either directly or by taking a pledge over the same);
Payment controls;
…
These measures will typically address both the probability of loss generation and the amount of the expected loss.
Risk Monitoring
In addition to the above, ongoing risk monitoring and re-assessment is essential in order to ensure the timely relevance of all measures within the risk management framework. This includes legal and tax reviews as well as regular review of (risk-prone) processes.
In the cases where the realization of one or several risks is imminent or already partly materialized, special treatment such as intensive care or separation (e.g. into off-balance vehicles) to avoid contamination may be applied (“Workout”).
Risk Strategy
Risk Strategies are important management tools as they define not only the risk management process but also the “risk appetite” of the relevant organization. They should also depend on factors such as shocks to investment and financing opportunities (Froot et al., 1993).
Conclusions
Finance theory has contributed a great deal to the advancement of risk management by developing ever more testable and practice-relevant theories and tools, including the above-discussed CAPM and APT, as well as portfolio theory in general. Particularly for hedging mechanisms and insurance applications, these are extremely helpful as they allow the quantification of a risk-return relationship, which is essential to deciding whether or not to enter a market or transaction as well as to adequately pricing the calculated risk. Nonetheless, a main element of risk assessment depends on the “correct” estimation of probabilities, which these tools can support, but they do not seem to be able to replace human experience and judgement (yet). PROVENTUS.COMsulting bridges the gap between technical applications and human input by an integrated risk assessment.
PROVENTUS.COMsulting
Corporate Services & Risk Management
References
Altmann, Credit risk measurement: Developments over the last 20 years, in: Journal of Banking & Finance, 21 (1998), p. 1721-1742.
Froot, Kenneth A., David S. Scharfstein & Jeremy C. Stein, Risk Management: Coordinating Corporate Investment and Financing Policies, in: The Journal of Finance, December 1993, p. 1629-1658.