Enterprise Risk Management (ERM) inevitably starts with the question, “What is Risk?” the answer to which is, “Risk is anything that keeps an organisation (or an individual, for that matter) from attaining its declared objective(s).” Most definitions of risk also state that it is the occurrence or non-occurrence of events that could precipitate adverse outcomes. ERM proponents declare that risk exists in almost every aspect of an organisation’s activities and can never be totally eliminated. But they also believe that not all risk is bad; it depends on the objectives of the organisation.
Risks need management systems
What then is Market Risk, Credit Risk and Operational Risk? Market or systemic risk is a risk that results from the behaviour of an entire market or asset class, and includes pricing and liquidity risks. Credit risk, on the other hand, is the risk of loss due to debtors’ non-payment of a loan or other line of credit. Operational risk, as defined by the Basel Committee, is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. All organisations will experience one or more – or all three – of these risks, at some point in their operations.
Just dealing with risk may be an all-consuming exercise for companies; the situation becomes more complex when the firm’s risks are further broken down into market, credit and operational risks. But ERM offers practical ways of dealing with them, starting with measurement – because what can be measured, can be managed. Management of market risk is tied to the company’s strategy and therefore takes into consideration its long-term goals such as expansion, investment maturity and cash flow.
Market risk should be constantly measured
An effective and efficient way of measuring market risk can start with the preparation of daily reports that focus on risk, supported by risk model estimates and periodical business risk reports, back-end stress-tested for validity. The firm’s management culture, expertise and abilities should also be factored in. It should be noted that risk is temporal, which means that the information obtained is relative to a specific point in time – which makes documentation even more important because the decision(s) taken at that point will be based on the best information then available.
It’s about the money
Credit risk is an altogether different matter as it concerns the risk that a counterparty to a financial transaction will fail to fulfil their obligation. An example of this is the possibility of loss because of a bank customer’s inability to pay credit card charges or make payments on a mortgage or loan. The bank may try to mitigate this risk by allocating a credit rating or score to the individual customer, or setting a credit limit based on income. Where businesses are concerned, however, there may be credit risk when there is no up-front cash payment requirement for goods or services. In cases like these, the risk may be mitigated by assessing the customer’s credit worthiness before extending the credit line.
A continuous process
Operational risk, the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, is a major risk faced by all organisations. Operational risk management (ORM), the oversight of operational risk, is defined as “a continual cyclical process which includes risk assessment, risk decision-making and implementation of risk controls, which results in acceptance, mitigation or avoidance of risk.” There are several approaches to ORM, depending on which environment a business is operating in but generally, ORM is applied because it has been found to reduce operational losses, lower compliance and auditing costs, improve and enhance production output, and reduce exposure to future risks.
These benefit the company, leading to improved reputation and increased stakeholder confidence. There are generally three steps to proper ORM which are:
- Efficient and effective maintenance of business infrastructure that includes information systems, security policy, internal controls and risk management;
- Effective internal audit function including assurance of the integrity of information systems, compliance, effective internal controls, assurance and effective internal audit;
- Pricing of ORM which includes measurement of losses, pricing of operational risks for each line of business and measuring capital allocation.
Why integrate market, credit and operational risks?
Integration is a practical move because there are many areas where overlap happens, such as the identification and measurement of risks for market risk and operational risk. The firm is essentially using the same resources to do it, so to undertake it separately for each of the risks may mean duplication of work and using more resources. Integration will also make it easier to align sometimes different approaches with the overall strategy of the firm. This will include evaluation and monitoring, which can be complex exercises, that can show causes and effects more explicitly when undertaken in an integrated manner.
Different firms may have their own reasons for integrating the three risks as well, which may be peculiar to the respective organisation, but integration also helps to pinpoint where sources of risk may meet – thus making them easier to mitigate.
