In a previous article, we introduced the CFA Institute Investment Foundations Program. It is a free program designed for anyone who wants to enter or advance within the investment management industry, including IT, operations, accounting, administration, and marketing. Candidates who successfully pass the online exam earn the CFA Institute Investment Foundations Certificate.
There are a total of 20 chapters in 7 modules, covering all the essential topics in finance, economics, ethics and regulations. This series of articles will highlight the core knowledge of each chapter.
Chapter 18 provides an overview of risk management. The learning outcomes of Chapter 18 are as follows:
· Define risk and identify types of risk;
· Define risk management;
· Describe a risk management process;
· Describe risk management functions;
· Describe benefits and costs of risk management;
· Define operational risk and explain how it is managed;
· Define compliance risk and explain how it is managed;
· Define investment risk and explain how it is managed;
· Define value at risk and describe its advantages and weaknesses.
It is important to recognise that all companies must take risks in the course of their business activities to be able to create value. The restriction of activities to those that have no risk would not generate sufficient returns for shareholders or investors, who would thus be less willing to provide capital to companies or to invest their savings in the range of investments available.
Therefore, each company must determine the risks that should be exploited, which are often risks the company has expertise in dealing with and can benefit from. Companies must also determine the risks that should be mitigated or eliminated, which are often risks it has little or no expertise in dealing with. A risk management process that enables managers to distinguish between the risks that are most likely to provide opportunities and the risks that are most likely to be harmful helps companies generate superior returns. Risk response strategies can be classified into four “T” categories:
Tolerate. This strategy involves accepting the risk and its effect. In some cases, the risk is well understood and taking it provides opportunities to create value. In other cases, the risk must be taken because other risk response strategies are unavailable or too costly.
Treat. This strategy involves taking action to reduce the risk and its effect.
Transfer. This strategy involves moving the risk and its effect to a third party.
Terminate. This strategy involves avoiding the risk and its effect by ceasing an activity.
Risk management functions vary by company, but it is typical for companies in the investment industry to have a stand-alone risk management function with a senior head, often called the chief risk officer, who is capable of independent judgment and action. The chief risk officer often reports directly to the board of directors. The purpose of establishing a strong independent risk management function is to build checks and balances to ensure that risks are seriously considered and balanced against other objectives, such as profitability.
Despite the existence of specialist risk managers, risk management remains everyone’s responsibility. Risk managers assess, monitor, and report on risks, and in some cases, they may have an approval function or veto authority. But it is the members of the business functions, such as portfolio managers or traders, who “own” the risk of their deals. These employees have the most intimate knowledge of what they trade, and they must monitor their deals on a regular basis. The risk manager must ensure that all relevant risks are identified, but the final judgment on the business decision lies with the decision makers. Therefore, it is important for risk management to be part of the company’s corporate culture and to be fully integrated with core business activities.
Companies will often use a three-lines-of-defence risk management model, as illustrated below.
Front-line employees and managers, through their daily responsibilities, form the first line of defence. The risk management and compliance groups operate as a second line of defence, assisting and advising employees and managers while maintaining a certain level of independence. An internal audit function then forms the third line of defence. Internal audit is an independent function. Internal auditors follow risk-based internal audit programmes, delving into the details of business processes and ensuring that information technology and accounting systems accurately reflect transactions. Proactive auditors may also advise managers on how to improve risk management, controls, and efficiency. Best practice suggests that internal auditors should report directly to the audit committee of the board of directors to ensure their independence. Thus, risk and audit committees of the board will often hear presentations from the heads of risk management, compliance, and internal audit.
Risk management provides a wide range of benefits to a company. It can help by
· supporting strategic and business planning;
· incorporating risk considerations in all business decisions to ensure that the company’s risk profile is aligned with its risk tolerance;
· limiting the amount of risk a company takes, preventing excessive risk taking and potential related losses, and lowering the likelihood of bankruptcy;
· bringing greater discipline to the company’s operations, which leads to more effective business processes, better controls, and a more efficient allocation of capital;
· recognising responsibility and accountability;
· improving performance assessment and making sure that the compensation system is consistent with the company’s risk tolerance;
· enhancing the flow of information within the company, which results in better communication, increased transparency, and improved awareness and understanding of risk; and
· assisting with the early detection of unlawful and fraudulent activities, thus complementing compliance procedures and audit testing.