In a previous article, we introduced the CFA Institute Investment Foundation
Program. It is a free program designed for anyone who wants to enter or advance
within the investment management industry, including IT, operations, accounting,
administration, and marketing. Candidates who successfully pass the online exam
earn the CFA Institute Investment Foundations Certificate. There are a total of
20 chapters in 7 modules, covering all the essential topics in finance,
economics, ethics and regulations. This series of articles will highlight the
core knowledge of each chapter.
Chapter 18 provides an overview of risk management. The learning outcomes of
Chapter 18 are as follows:
· Define risk and identify types of risk;
· Define risk management;
· Describe a risk management process;
· Describe risk management functions;
· Describe benefits and costs of risk management;
· Define operational risk and explain how it is managed;
· Define compliance risk and explain how it is managed;
· Define investment risk and explain how it is managed;
· Define value at risk and describe its advantages and weaknesses.
It is important to recognise that all
companies must take risks in the course of their business activities to be able
to create value. The restriction of activities to those that have no risk would
not generate sufficient returns for shareholders or investors, who would thus
be less willing to provide capital to companies or to invest their savings in
the range of investments available.
Therefore, each company must determine
the risks that should be exploited, which are often risks the company has
expertise in dealing with and can benefit from. Companies must also determine
the risks that should be mitigated or eliminated, which are often risks it has
little or no expertise in dealing with. A risk management process that enables
managers to distinguish between the risks that are most likely to provide
opportunities and the risks that are most likely to be harmful helps companies
generate superior returns. Risk response strategies can be classified into four
“T” categories:
Tolerate. This strategy involves accepting the
risk and its effect. In some cases, the risk is well understood and taking it
provides opportunities to create value. In other cases, the risk must be taken
because other risk response strategies are unavailable or too costly.
Treat. This strategy involves taking action to reduce the risk
and its effect.
Transfer. This strategy involves moving the risk
and its effect to a third party.
Terminate. This strategy involves avoiding the
risk and its effect by ceasing an activity.
Risk management functions vary by
company, but it is typical for companies in the investment industry to have a
stand-alone risk management function with a senior head, often called the chief
risk officer, who is capable of independent judgment and action. The chief risk
officer often reports directly to the board of directors. The purpose of establishing
a strong independent risk management function is to build checks and balances
to ensure that risks are seriously considered and balanced against other
objectives, such as profitability.
Despite the existence of specialist risk
managers, risk management remains everyone’s responsibility. Risk managers
assess, monitor, and report on risks, and in some cases, they may have an
approval function or veto authority. But it is the members of the business
functions, such as portfolio managers or traders, who “own” the risk of their
deals. These employees have the most intimate knowledge of what they trade, and
they must monitor their deals on a regular basis. The risk manager must ensure
that all relevant risks are identified, but the final judgment on the business
decision lies with the decision makers. Therefore, it is important for risk
management to be part of the company’s corporate culture and to be fully
integrated with core business activities.
Companies will often use a
three-lines-of-defence risk management model, as illustrated below.
Front-line employees and managers,
through their daily responsibilities, form the first line of defence. The risk
management and compliance groups operate as a second line of defence, assisting
and advising employees and managers while maintaining a certain level of
independence. An internal audit function then forms the third line of defence.
Internal audit is an independent function. Internal auditors follow risk-based
internal audit programmes, delving into the details of business processes and
ensuring that information technology and accounting systems accurately reflect
transactions. Proactive auditors may also advise managers on how to improve
risk management, controls, and efficiency. Best practice suggests that internal
auditors should report directly to the audit committee of the board of
directors to ensure their independence. Thus, risk and audit committees of the
board will often hear presentations from the heads of risk management,
compliance, and internal audit.
Risk management provides a wide range of
benefits to a company. It can help by
· supporting strategic and business planning;
· incorporating risk considerations in all business decisions to ensure that the
company’s risk profile is aligned with its risk tolerance;
· limiting the amount of risk a company takes, preventing excessive risk taking
and potential related losses, and lowering the likelihood of bankruptcy;
· bringing greater discipline to the company’s operations, which leads to more
effective business processes, better controls, and a more efficient allocation
of capital;
· recognising responsibility and accountability;
· improving performance assessment and making sure that the compensation system
is consistent with the company’s risk tolerance;
· enhancing the flow of information within the company, which results in better
communication, increased transparency, and improved awareness and understanding
of risk; and
· assisting with the early detection of unlawful and fraudulent activities, thus
complementing compliance procedures and audit testing.