Risk Management Responsibilities

Board of directors

The board of directors is ultimately responsible for the risk management process. The board needs to understand important risks faced by the enterprise and needs to provide guidelines on the enterprise’s risk appetite and risk management process. The board is responsible to continuously ensure that adequate risk management processes are in place. However, the actual risk management activities must be delegated to the risk management function.

Risk management environment

The risk management environment involves matters associated with people such as culture, philosophy, how people are trained and developed, how appropriate behaviour of employees is incentivized, reinforced and compensated.

Culture is an important part of the risk management environment. Endorsement of the appropriate risk management culture by all levels of management within the organization is vital for successful risk management processes. Such endorsement should be evident from management’s attitude as well as from resource allocation. The values of an organization need to reflect that risk management is important. Buy-in (acceptance) from all employees with regards to the importance of risk management is necessary. Accountability should be assigned to business units, divisions and employees for their required input into the risk management process.

Performance of employees should be aligned with risk management objectives. Only in this way will employees be enticed to bring their utmost effort to executing their contribution to appropriate risk management. Adequate performance with regard to risk management objectives should contribute to rewards for the employee.


Enterprise Risk Management Process and Infrastructure

Enterprise risk management involves a process consisting of establishing the following:

  1. strategy
  2. appropriate infrastructure
    1. different kinds of structure established within an enterprise such as organizational structure, different kinds of systems such as information system which refer to how information is collected, used and shared, determination of accountability, responsibility, methodologies to be used, control procedures
  3. environment
    1. involves matters associated with people such as culture
  4. operating philosophy
    1. refers to command and control or empowering (centralized or decentralised), how people are trained and developed, how appropriate behaviour of employees is incentivized, reinforced and compensated

Enterprise risk management provides organizations with knowledge which allows them to systematically manage risks in an enhanced manner.

Enterprise risk management infrastructure

ERM infrastructure refers to a type of structure within an organization which is required for a successful risk management process. It refers to the different tools that the risk management process can use to ensure its success and includes the following:

  1. An organizational structure
  2. Risk management systems
    1. An example of a risk management system is the information system which meets informational risk management needs throughout the enterprise. Information systems should be designed and managed in a way which ensures that the system is flexible, meaning that the way in which information is presented will allow various users within the enterprise to use it for their specific informational needs. The information system must also be user friendly. This will ensure that employees within the enterprise can obtain the maximum value from the system. Information systems should allow for fast recording, evaluation, summary, consolidation and sharing of information. The information system should also be efficient. This refers to the necessity for the system to be designed in an efficient way to ensure that no tasks are unnecessarily duplicated throughout the enterprise as well as to make sure that no unnecessary activities are performed.
  3. Determination of accountability and responsibility
  4. Methodologies and techniques to be used in risk management:
    1. Established control procedures
    2. Risk management unit which is at the center of risk management within the organization
    3. Risk management policies and procedures – refers to the set of rules of how risk management is undertaken within the enterprise. A top-down approach should be used to develop risk management policies and procedures. A top-down approach will ensure consistency and alignment with the risk appetite (how much risk the company wants to accept) and business strategy. Risk management policies and procedures must be developed with input from all levels of management from all areas of the business to ensure their alignment as well as to incorporate their knowledge about specific risks faced by their areas. Risk management policies and procedures should also be understood by all employees.
    4. Reporting on the risk management process – the addressee of the reports on risk management process performance should be in close proximity to the risks to be able to take timely action.



Risk-adjusted return on capital (RAROC)

Risk-adjusted performance measures make it possible to measure the risks and returns of investments so that investments can be ranked systematically.

Risk-adjusted return on capital (RAROC) is an example of a risk-adjusted performance measure. RAROC was introduced and popularized by Bankers Trust in the late 1970s and 1980s as an enhancement of return on capital (ROC).

RAROC is often measured as a ratio. To find risk-adjusted return on capital (RAROC) we need to take expected revenue less expected expenses less expected losses (losses expected over the measurement period) and risk-free rate of return divided by capital to be invested.

RAROC discounts riskier cash flows against less risky cash flows.

When risk is quantified with the use of approaches such as Value at Risk (VaR), one of the ways to use quantified risk information is to evaluate the value of business activities versus their risk profiles. Two businesses with the same income but different risk levels have different value.

RAROC evaluates the risk of a business activity and the associated expected return from that activity. RAROC makes it possible to evaluate how much more expected return is required for each degree of risk and whether there are enough funds available to cover potential risks.

To quantify risk we use probability distributions of return obtained from historical records. This should be consistent with Value at Risk (VaR) and other statistical models. The goal is to consolidate risk, price risk and allocate capital based on expected returns.

RAROC makes it possible to evaluate risk and return and to compare the performance of the enterprise’s various units and activities, each of which will have a different risk portfolio. This allows benchmarks to be created. RAROC determines limits on different business activities such as trading or investing by adjusting return on an investment to account for capital at risk. RAROC allows returns on a variety of projects with diverse levels of risk to be compared.

RAROC is a way to measure profitability in light of the degree of risk of the business activity.


Aggregation of Risk Measures

Consolidated risk management, which is also called enterprise-wide risk management, refers to synchronized management of the total pool of risk in the enterprise. Consolidation of risks became possible due to advances in financial engineering and information technology.

Consolidation of risks is important for 5 main reasons:

  1. Consolidation of risks allows management to see the big picture of risk. Management is able to see what is happening to the total pool of risk in the enterprise. Management can analyze if risks are increasing or decreasing and why such changes occur. Moreover, management is able to compare how such changes relate to the risk tolerance level of the enterprise.
  2. Since management is able to see the big picture, it is in a better position to make decisions on risk management which lead to improved performance of the enterprise risk management process.
  3. Improved performance of the enterprise risk management process leads to improved performance of the enterprise and enhanced owner’s wealth maximization, which is the ultimate objective of the enterprise.
  4. Consolidation of risks involves letting go of some particulars and allows risks to be presented in a straightforward and uncomplicated manner, which facilitates effective management throughout the enterprise.
  5. Consolidation of risks involves analysis of the relationships between different risks. Thereafter, risks are categorized. This enhances quality of risk reporting, which in turn improves decisions associated with allocation of capital.

Approaches to consolidation of risks

Risks should be categorized into appropriate categories. If risks have the same drivers, then the risks are positively or negatively correlated. If risks do not have the same drivers, then such risks are uncorrelated.

When risks are categorized, appropriate methods should be chosen to manage each category. Methods for managing categories of consolidated risks include:

  1. Managing the category as a portfolio of risks
  2. Obtaining insurance for the entire category or for each individual risk within the category, whichever is less costly. Transfer costs for the entire category will be more cost effective in cases when risks have low or negative correlation and high when risks have positive correlation.
  3. Hedging
  4. Using “natural hedges”. As an example, in 1984 the German airline Lufthansa signed a contract with the American company Boeing committing the company to buy aircraft for $3 billion. The organization took a forward contract for half of the amount (1.5 billion) to hedge itself against possible currency fluctuations. However, what was not taken into account is that Lufthansa’s cash flow was also essentially dollar-denominated. Therefore, Lufthansa had a “natural hedge” in this situation. Incidentally, the dollar depreciated by 30 percent in 1985 and Lufthansa incurred a sizable foreign-exchange loss due to the forward contract, which was unnecessary due to the “natural hedge” that the company had and which was overlooked.

Enterprise Risk Management Function

Enterprise risk management refers to the new strategic process of structured identification and evaluation of all the risks and opportunities of the enterprise, determination of appropriate ways of managing and controlling such risks, and monitoring of this risk management process.

History of risk management

The origin of risk management as a role within a company is attributed to Fayol, who is regarded as a father of management. In his 1916 article he proposed 6 functions of management which included a security function. The security function was associated with protection of people and property. The current risk management function is much more comprehensive, but Fayol’s security function was a first glimpse of the current risk management function. The importance of a proper risk management function was acknowledged in the 1960s in the USA and thereafter spread around the world.

The term “risk management” was formally used only from the 1950s. Initially, the risk management function was closely associated with insurance. This slowed down the development of the function. The first book on risk management, entitled “Risk management in the business enterprise”, was written by Robert I Mehr.

Enterprise Risk Management and Culture

Enterprise risk management incorporates risk awareness into the culture of the organization. The risk culture of the organization significantly contributes to the success of the enterprise risk management. Employees need to see risk as an integral variable which needs to be managed, controlled and monitored. Each employee needs to understand their role in the risk management of the enterprise. Leadership support of the importance of risk management significantly contributes to adequate risk management culture.

Enterprise risk management uses advances in technology for management of risk.

“Enterprise-wide” in enterprise-wide risk management refers to the elimination of barriers between functions, departments and other groupings within the organization.

Risk management infrastructure & risk management capabilities – To ensure effective enterprise risk management processes, organizations need to establish an adequate set of risk management capabilities. Risk management capabilities refer to the abilities of an organization that allow it to undertake effective risk management processes. It includes abilities which allow for identification, measurement, management and monitoring of risks.

An appropriate set of risk management capabilities allows the organization to have a clear understanding of how their risk management decisions affect the bottom line and long term wealth maximization of the shareholders, which is the ultimate objective of the enterprise.

If an evaluation established that additional risk management capabilities are required, it is important to undertake cost-benefit analyses to ensure that the cost of additional risk management capabilities will be more than offset by the benefits that it will bring.

Certain risk capabilities which are adequate in one company to manage specific risk may be inadequate for another company which attempts to manage the same risk. Each organization must select risk management capabilities suitable to its particular individual needs, based on the particular risk exposure.

Risk management process monitoring and adjustment

The existing business environment is very turbulent. Risk exposures and factors affecting risks may alter all the time. Therefore, ongoing risk monitoring and adjustment of risk management strategies become an increasingly important step in the enterprise risk management process.

An organization needs to gain a good understanding of the risk management process. The main goal of the risk management monitoring process is to assess how effective the risk management process is.

Why is risk management monitoring important?

The main goal of risk management monitoring is to determine effectiveness of the enterprise risk management process. If the risk management process is not adequately monitored, shortcomings of the process may negatively affect achievement of the strategic objectives of the enterprise.

Ongoing monitoring of the performance of the risk management process and risk management environment leads to continuous improvement of the entire enterprise risk management process.

To monitor risk management performance, risk management performance standards should be established against which performance can be measured. Such standards may include areas such as timetables within which certain goals should be achieved, budgets and specific areas of the enterprise’s performance which are vital for organizational success. After performance standards are established, they must be monitored on an ongoing basis.

Risk Categories

There are two main risk categories: speculative risk and event risk.

The ultimate goal of the firm is to maximize shareholder’s wealth. The environment is changing rapidly and any change may result in additional risks and losses. Therefore, effective enterprise risk management is essential to ensure achievement of the main objective of the enterprise, which is maximizing wealth of the shareholders. Both risk categories should be diligently managed.

Speculative risks can result in a gain or loss, such as fluctuating interest rates. An enterprise may protect itself from adverse effects of speculative risks by various techniques such as hedging. Speculative risks are further subdivided into core business risks and incidental risks.

Core business risks are part of the main business of the enterprise and are reflected in the mission statement. Core business risks may negatively impact the operating profit of the enterprise. Core business risks can be specific (unsystematic) and market (systemic). Specific risks include risks which impact only the enterprise and do not impact the economy as a whole. Specific risks include those associated with sales variability, operating leverage, resource risk, profit margin and turnover. Specific risks are also called diversifiable risk. Systemic risks are risks which impact the economy and the enterprise. Systemic risks entail occurrence of a negative market-wide event such as the risk of collapse of an entire market. Systemic risk is also called un-diversifiable risk. Investors require higher returns for increases in systemic risk.

Incidental risks are risks that occur naturally in the business but are not part of the main business. However, control of such risks is vital to ensure survival of the enterprise.

Whether a risk is considered to be core or incidental sometimes depends on the activities of the enterprise. For example, interest rate risk will be a core business risk for a financial institution and an incidental business risk for a manufacturing enterprise.

Event risks can result in losses, such as fire, or can result in no loss but cannot result in any gain. A business may protect itself from adverse effects of event risks by various techniques such as insurance. Event risks can be fundamental or particular.

Fundamental event risks refer to impersonal losses on the macro level.

Particular event risks refer to personal losses on the micro level such as a car accident.

Event risks are subdivided into operational and external downside risks:

Operational risks are further subdivided into people, processes and systems risks. They are risks which occur due to failures during execution of operations.

External downside risks are risks that cannot be directly controlled by an enterprise and which can occur due to external factors. External downside risks are all risks that occur due to external factors that may have no effect or an adverse effect on the enterprise. External downside risks are very difficult to manage. Examples of external downside risks include natural disasters, terrorist attacks, criminal threats and litigation.

What is Risk?

So what is risk? Risk is the possibility that actual results will differ from desired or expected results. It implies the presence of uncertainty (uncertainty about the occurrence of an event and uncertainty that it will display a particular outcome).

The degree of risk is determined by 2 factors:

  1. How often an event will occur?
  2. What is the probability the particular outcome will occur?

In business, it is generally accepted that as the risk increases, the expected or required return should also increase. It is not good for businesses to eliminate all risk because with elimination of risk, profits will likely decrease.

When thinking about risk and uncertainty the following description may help. Risk is binary. There is either risk or there is no risk. It’s either a yes or no. The degree of risk is the uncertainty. So we can say that yes, there is a risk it will rain in Paris today. We think there is high certainty it will happen. We are 80% confident it will happen. So there is either a risk (1) or no risk (0). The degree of risk (uncertainty) can be any number from 0 to 1. Risk is a possibility while uncertainty is a probability.

What is needed for an effective risk management process?

Risk management processes refer to the procedures that consist of systematic control activities and monitoring of risk management performance to ensure that risks in the organization are adequately managed.

According to Lore and Borodobsky, risk management has 3 dimensions:

  1. Upside management – taking advantage of opportunities where the business has very good chances to achieve success.
  2. Downside management – controls must be implemented to prevent or decrease losses due to the operating environment.
  3. Uncertainty management – using techniques and methods to decrease deviations from expected results.

For effective risk management, organizations must deploy consistent risk measures, identify and manage all important risks, undertake proper management controls and support management of risks through performance evaluation on the business unit and organizational level.

Certainty and uncertainty

Certainty occurs when the outcome is 100% going to happen as expected. For example, the sun will rise tomorrow.

Uncertainty occurs when one does not have knowledge about future outcomes. Uncertainty is not the same as risk. There are different degrees of uncertainty, from almost certain to completely uncertain. Uncertainty increases the further into the future we attempt to plan. One’s access to information and ability to use available information in the decision making process determine the perceived degree of uncertainty.


Risk Adjusted Discount Rate: Dealing with Risk in Capital Budgeting

Breakeven cash inflow analyses, risk adjusted discount rate (RADR) and scenario analyses are tools that facilitate better insight into managing risk in capital budgeting.

Risk in capital budgeting refers especially to variability of the returns (variability of cash inflows), because the initial investment is more or less known with some level of confidence. Therefore, we need to ensure that the present value (PV) of cash inflows will be large enough for the project to be acceptable.

To adjust the present value of future cash inflows for the risk embodied in a particular project, we can either adjust the cash inflows directly or adjust the discount rate. Because adjusting cash inflows is highly subjective, we will rather adjust the discount rate. This is where the risk adjusted discount rate technique comes into play.

RADR is a discount rate that must be earned to compensate an investor for the risk undertaken. Under RADR the value of the firm must be at least maintained or must increase. Risk adjusted discount rate is the most popular risk adjustment technique that utilizes NPV.

The higher the risk of a specific project, the higher the RADR will be.

The deployment of RADR is best illustrated by the use of an example:


Amanda can invest in two shares, A and B. Both shares presently cost $50 and Amanda wants to hold the shares for 4 years. Annual dividends from share A are expected to be $7. Annual dividends from share B are expected to be $12. However, shares B are more risky. In 4 years’ time Amanda expects to be able to sell shares A for $55 each and shares B for $70 each. Amanda’s required return is 8%. However, for shares B she adjusts her return so that her risk adjusted discount rate becomes 12%. Calculate the risk adjusted net present values (NPVs) of shares A and B and recommend which shares Amanda should purchase.


We will use a financial calculator to find the risk adjusted net present values (NPVs) of shares A and B.

Risk adjusted NPV of shares A:

Clear calculator: second function, C ALL

CFo: -50

CF1: 7

CF2: 7

CF3: 7

CF4: 62 (7+55)

I: 8

Second function, NPV: $15.38

Risk adjusted NPV of shares B:

Clear calculator: second function, C ALL

CFo: -50

CF1: 12

CF2: 12

CF3: 12

CF4: 82 (12+70)

I: 12

Second function, NPV: $30.94

Since investment in shares B offers a higher risk adjusted NPV, Amanda should choose to invest in shares B.

The main difficulty in using the risk adjusted discount rate (RADR) technique is in determining the level of risk and approximating an appropriate risk adjusted discount rate (RADR). There is currently no systematic way to adjust required return to risk adjusted discount rate (RADR). Management usually determines risk adjusted discount rate (RADR) subjectively.

Sometimes a risk index is determined which reflects the risk adjusted discount rate (RADR) for every subsequent level of risk. For example, risk can be categorized into below average, average, above average and very high. Past experience and CAPM can be used to subjectively determine the risk adjusted discount rate (RADR) appropriate for each subsequent level (category) of risk.