Risk Management Process: Identification, Quantification, Management & Reporting

The standard risk management process can be seen as a four-stage process centered on identification, quantification, management, and reporting. Each element is a vital link in the chain and must be implemented correctly in order to be effective.
1. Risk Identification
The identification process centers on defining and identifying all of the firm’s actual, perceived, or anticipated risks. In a large firm, this might encompass dozens of financial and operating risk drivers, implying a significant degree of complexity. In some cases risks are readily identifiable; at other times they are more difficult to discern. For instance, a firm that produces goods in the US for dollars and sells them in Japan for yen is exposed to changes in the $/¥ foreign exchange rate, and identifying this risk is relatively simple.
Likewise, a company that has a factory located in the path of hurricanes can easily identify potential exposure to catastrophic damage. Alternatively, a firm that has to purchase power in the spot electricity market when temperatures rise above 95°F is actually exposed to the absolute level of, and correlation between, electricity prices and temperature; in this case the different dimensions of exposure are somewhat more difficult to identify. This stage of the process is vital, of course, as failure to properly identify all financial or operating risks impacting the firm may lead to surprise losses (e.g., those coming from an ‘unknown’ source).
2. Risk Quantification
The quantification process determines the financial impact that risks can have on corporate operations. This is typically done through various quantitative tools. Returning to the $/¥ example, a company with a foreign exchange exposure will be interested in knowing, as precisely as possible, the impact of the risk on its profit and loss (P&L) account (e.g., a 5% decline in the value of the yen might produce a $5m loss). The company with a factory in the hurricane path may need to quantify a number of different types of scenarios, ranging from smaller losses from temporary business interruption (e.g., if a hurricane causes damage that forces it to suspend operations for 2 months) to larger losses from total destruction (e.g., the hurricane destroys the facility beyond repair). Specific techniques for measuring the financial impact of risks vary widely, and depend largely on the nature of the underlying exposures. Some, such as credit and market risks, can be measured through financial mathematics based on analytic computation, closed-form pricing models, and simulation methods. Others, such as high-frequency insurance-related risks, can often be estimated by using actuarial techniques; certain low-frequency insurance exposures, such as catastrophic risks, may be modeled through simulation.
3. Risk Management
After risks have been identified and quantified, they must be managed. Through the core process of active decision-making, a firm must decide whether it will control, retain, eliminate or expand its exposures. For instance, a firm may decide that it is comfortable retaining a potential loss (or gain) of $10m on its $/¥ foreign exchange exposure and will constrain it at that level; alternatively, if it wants to face zero chance of loss, it might eliminate the risk entirely (for a price). Similarly, the potential cost of sustaining partial or complete destruction as a result of a powerful hurricane may be too great for the firm, so it might decide to transfer the exposure entirely. Risk management in business decisions ultimately depends on several variables, including the financial resources of the firm, the operating philosophy of management, the expectations of shareholders, and the costs and benefits of various risk strategies. We consider these points in the section below.
4. Risk Monitoring
Once the firm has decided how it wants to manage its risk profile, it must actively monitor its exposures. This means regularly tracking and reporting both risks and risk decision experience, and communicating information internally and externally so that interested parties (e.g., executive management, board directors, regulators, creditors and investors) are aware of any possible upside or downside. Good monitoring is especially important for internal decision-makers, who require feedback in order to assess, and even adjust, their decisions. Thus, the $/¥ exposure that the firm has chosen to retain must be measured and reported regularly (e.g., daily, weekly) so that managers are aware of its size and potential impact as the market moves and the risk position changes. The catastrophic hurricane exposure, which is unlikely to change very often (unless the firm expands or contracts the size of its factories), must still be monitored and reported, but less frequently. An important by-product of the risk-monitoring process is the ability to change how risks are managed; without such visibility, a firm’s risk strategies remain static. Monitoring thus feeds back into management.
We shall revisit aspects of this generic risk process at greater length in the next few chapters, but for the moment let us expand on the third stage of the process below by considering specific management alternatives available to a company with financial risk management or operating risks.



