Overview of Risk Management
Risk management is a dynamic and well-established discipline practiced by many companies around the world. Traditional forms of risk management – loss control, loss financing and risk reduction, arranged through mechanisms such as insurance and derivatives – have been actively used by companies for many decades, and are an essential element of most corporate strategies.
But newer forms of risk protection – including those from the alternative risk transfer (ART) market, the combined risk management marketplace for innovative insurance and capital market solutions – often surface as viable, flexible and cost-efficient options.
In fact, some firms already use ART mechanisms to supplement their traditional risk management strategies; many others, however, have yet to take advantage of the benefits offered by the marketplace. Regardless of a firm’s specific approach to risk management, it should always consider ART-related solutions so that it has complete knowledge of all available options and can make the best, most informed, decisions possible.
Our discussion in this book is on the ART market, its function, participants and products, its advantages and disadvantages, and its future prospects. Before considering the specifics of the marketplace, however, we review some of the essential concepts of risk and risk management; this helps to provide a proper framework for the material that follows. In the remainder of this chapter we explore issues related to risk and return, general risk management processes and techniques, and fundamental risk concepts and measures.
1.1 RISK AND RETURN
Risk is a broad, complex and vitally important topic that touches on virtually all aspects of modern corporate operation. Although we shall consider matters in greater detail as we progress through the text, we begin by defining risk, in its most general form, as uncertainty associated with a future outcome or event.
To apply this more specifically to corporate activities, we can say that risk is the expected variance in profits, losses, or cash flows arising from an uncertain event. Other terms commonly associated with risk – such as peril and hazard – are often encountered in the risk management industry (indeed, we shall also use them throughout the text); they are, however, distinct.
A peril, for instance, is a cause of loss, while a hazard is an event that creates, or increases, peril. While both have a bearing on risk, risk itself is a broader concept. Companies are exposed to a wide range of risks that might, at any time, include such things as business interruption, catastrophic and non-catastrophic property damage, product recall/liability, directors and officers liability, credit default/loss, workers compensation, environmental liability, and so on.
These risks must be managed if the market value of the company is to be increased – or, at a minimum, if the probability of financial distress is to be lowered. Some of the risks can be retained as part of core business operations, while others are best transferred elsewhere – but only when it is cost-effective to do so.
We shall consider risks in more detail later, but we begin by classifying them broadly as operating risks and financial risks:
- Operating risk: The risk of loss arising from the daily physical (non-financial) operating activities of a firm.
- Financial risk: The risk of loss arising from the financial activities of a firm.
Operating and financial risks can be decomposed further. For example, within the general category of operating risks we can consider subclasses such as personal liability and commercial property/casualty liability.
Within commercial property/casualty (P&C) liability we might differentiate between losses related to commercial property (direct/indirect), machinery, transportation (inland/marine), crime, commercial liability, commercial auto, workers compensation, and employers’ liability.
Similar decomposition is possible within the category of financial risks, where we might first divide exposures into credit risk, market risk, liquidity risk, and model risk. A category such as market risk might then be segregated into directional risk, volatility risk, time decay risk, curve risk, basis risk, spread risk, correlation risk, and so on.
We can also categorize financial and operating risks as being pure or speculative.
- Pure risk: A risk that only has the prospect of downside, i.e., loss.
- Speculative risk: A risk that has the possibility of upside or downside, i.e., gain or
Regardless of the taxonomy, the central point is that risk comes in many forms, a factor that becomes apparent and important in the risk management process.
A company creates goods and services that it sells to clients in order to generate returns. These returns are used to expand business (e.g., internal funding via retained earnings) and compensate equity investors who have supplied the equity risk capital needed to fund productive assets (e.g., factories, machinery, intellectual property). Investors must be compensated for supplying risk capital.
Generally speaking, they require returns related to the inherent riskiness of the company: the riskier the company, the greater the return (or risk premium) the investors demand. Whether a company is risky or not, however, investors will always seek the maximum possible return.
This means a key corporate goal is the maximization of enterprise value (EV), which we define as the sum of a firm’s expected future net cash flows (NCFs), discounted back to the present at an appropriate discount rate (e.g., risk-free rate plus relevant risk premium). We summarize this as:
where NCF(t) is the expected net cash flow at time t, and r is the discount rate, comprising a risk-free rate r(f) and a risk premium r(p).
We shall explore this in more detail in Chapter 2, but note for the moment that expected NCFs can be impacted by the expected size, timing, and variability of cash flows. Risk can also change all three dimensions, meaning that it can alter the value of the firm.
In fact, unexpected changes in NCF can be quite damaging to enterprise value, and protecting against such changes surfaces as one of the primary motivations for active risk management.
1.2 ACTIVE RISK MANAGEMENT
Companies need to control their exposure to risk in the normal course of business. While speculative risks can bring gains or losses, pure risks generate only losses. In either case, failure to focus on the potential downside through active risk management means that firms face financial uncertainty – to the possible detriment of shareholders, creditors, and other stakeholders who might be economically impacted if a firm becomes insolvent.
Risk management is an important discipline because, unlike the world presented through pure corporate finance theory, shareholders cannot effectively manage a firm’s risks by themselves. Investors face information asymmetries, lack access to the same risk transfer mechanisms as a corporate entity (which faces lower friction costs), and cannot influence or control corporate investment policy. Accordingly, active risk management is not only desirable, but also necessary, if corporate value is to be maximized in practice.
There are, of course, many reasons why a company should actively, rather than passively, manage its risks. An active approach to risk management – centered on control, retention, transfer and/or hedging – can help to:
- provide funds when they are most needed, helping to ensure a liquid position and minimizing the possibility of financial distress – a state of financial weakness that might include a higher cost of capital, poorer supplier terms, lower liquidity, and departure of key personnel;
- lower cash flow volatility and minimize the disruption of investment plans;
- reduce the possibility of underinvestment, or the process of directing capital toward projects with lower returns and risks (to the benefit of creditors rather than equity investors);
- stabilize revenue streams and thus benefit from specific tax treatment (e.g., asymmetrical tax structures where firms with more volatile revenue and profit performance pay greater
- create more stable earnings, which often helps to generate higher stock price valuations.
It is increasingly common in the corporate world of the twenty-first century for companies to implement a risk management process to control risks. It is important to stress at the outset that the exercise relates to controlling risks, not eliminating them.
This is an important distinction because risk is not inherently bad, and is not a variable that must be removed from corporate operations at any cost. As we shall see in subsequent chapters, there are times when it makes sense for a company to retain, and even increase, its risk exposure, as this helps to increase the value of the firm to shareholders. Instead, the focus is on controlling – that is, understanding and closely managing – risk exposures, so that stakeholders are fully aware of how the firm might be impacted.
The essential element of controlling risks is ensuring that no surprises arise. Losses are acceptable if the possibility that they may occur is understood by stakeholders, and if the appropriate economic evaluation occurs. Indeed, risk is a game of chance: speculative risks will produce favorable outcomes and losses, pure risk events only losses.
The risk-taking firm must expect both, and if it is controlling its exposures properly it is helping to increase its value. Unexpected losses that occur when the company and its stakeholders have no idea that the firm is exposed to particular types, or amounts, of risk, must be regarded as unacceptable; this essentially means that risk is not being controlled.
The development and use of a formalized risk management process must therefore be a central part of overall corporate operations and governance.
1.2.1 Risk management processes
The standard risk management process can be seen as a four-stage process centered on identification, quantification, management, and reporting. Each element is a vital link in the chain and must be implemented correctly in order to be effective.
- Risk identification: The identification process centers on defining and identifying all of the firm’s actual, perceived, or anticipated risks. In a large firm, this might encompass dozens of financial and operating risk drivers, implying a significant degree of complexity. In some cases risks are readily identifiable, at other times they are more difficult to discern. For instance, a firm that produces goods in the US for dollars and sells them in Japan for yen is exposed to changes in the $/¥ foreign exchange rate, and identifying this risk is relatively simple. Likewise, a company that has a factory located in the path of hurricanes can easily identify potential exposure to catastrophic damage. Alternatively, a firm that has to purchase power in the spot electricity market when temperatures rise above 95 °F is actually exposed to the absolute level of, and correlation between, electricity prices and temperature; in this case the different dimensions of exposure are somewhat more difficult to identify. This stage of the process is vital, of course, as failure to properly identify all financial or operating risks impacting the firm may lead to surprise losses (e.g., those coming from an ‘unknown’ source).
- Risk quantification: The quantification process determines the financial impact that risks can have on corporate operations. This is typically done through various quantitative tools. Returning to the $/¥ example, a company with a foreign exchange exposure will be interested in knowing, as precisely as possible, the impact of the risk on its profit and loss (P&L) account (e.g., a 5% decline in the value of the yen might produce a $5m loss). The company with a factory in the hurricane path may need to quantify a number of different types of scenarios, ranging from smaller losses from temporary business interruption (e.g., if a hurricane causes damage that forces it to suspend operations for 2 months) to larger losses from total destruction (e.g., the hurricane destroys the facility beyond repair). Specific techniques for measuring the financial impact of risks vary widely, and depend largely on the nature of the underlying exposures. Some, such as credit and market risks, can be measured through financial mathematics based on analytic computation, closed-form pricing models, and simulation methods. Others, such as high-frequency insurance-related risks, can often be estimated by using actuarial techniques; certain low-frequency insurance exposures, such as catastrophic risks, may be modeled through simulation.
- Risk management: After risks have been identified and quantified, they must be managed. Through the core process of active decision-making, a firm must decide whether it will control, retain, eliminate or expand its exposures. For instance, a firm may decide that it is comfortable retaining a potential loss (or gain) of $10m on its $/¥ foreign exchange exposure and will constrain it at that level; alternatively, if it wants to face zero chance of loss, it might eliminate the risk entirely (for a price). Similarly, the potential cost of sustaining partial or complete destruction as a result of a powerful hurricane may be too great for the firm, so it might decide to transfer the exposure entirely. Risk management decisions ultimately depend on several variables, including the financial resources of the firm, the operating philosophy of management, the expectations of shareholders, and the costs and benefits of various risk strategies. We consider these points in the section below.
- Risk monitoring: Once the firm has decided how it wants to manage its risk profile, it must actively monitor its exposures. This means regularly tracking and reporting both risks and risk decision experience, and communicating information internally and externally so that interested parties (e.g., executive management, board directors, regulators, creditors and investors) are aware of any possible upside or downside. Good monitoring is especially important for internal decision-makers, who require feedback in order to assess, and even adjust, their decisions. Thus, the $/¥ exposure that the firm has chosen to retain must be measured and reported regularly (e.g., daily, weekly) so that managers are aware of its size and potential impact as the market moves and the risk position changes. The catastrophic hurricane exposure, which is unlikely to change very often (unless the firm expands or contracts the size of its factories), must still be monitored and reported, but less frequently. An important by-product of the risk-monitoring process is the ability to change how risks are managed; without such visibility, a firm’s risk strategies remain static. Monitoring thus feeds back into management.
We shall revisit aspects of this generic risk process (summarized in Figure 1.1) at greater length in the next few chapters, but for the moment let us expand on the third stage of the process below by considering specific management alternatives available to a company with financial or operating risks.
1.2.2 Risk management techniques
A company with any degree of risk exposure is wise to develop a philosophy that explicitly indicates its approach to risk and the resources it is willing to allocate (and potentially lose) in its endeavors.
Best practice governance calls for a firm’s board of directors to clearly express risk tolerance (or appetite) by relating exposures to overall corporate goals, stakeholder expectations, and financial/technical resources.
Firms that are in business primarily to take risks, and have the financial resources to support potentially large losses, might choose to take a large amount of financial and operating risk. For instance, a bank might assume a considerable amount of credit and market risk as the core of its operation; given sufficient financial resources and proper controls, it should be able to actively retain and manage such exposures.
Those that are in business primarily to produce goods or services that are not based on active risk-taking, or those that lack sufficient financial resources to absorb large losses, are unlikely to favor significant risk exposure. For instance, a company that produces automobiles might be exposed to a series of input risks, such as steel and rubber; these form part of the core business and the board might wish to manage them by retaining them or hedging a portion of them.
However, in order not to be distracted from its primary operations, it may not want to assume any risks related to non-core business activities, such as foreign exchange risk from sourcing raw materials or selling completed automobiles in other countries; these might not only be a distraction, but they might fall outside the firm’s technical expertise.
Assuming that the costs of doing so are consistent with its risk/return goals, the company may eliminate non-core risks. It is common to consider three broad approaches to the management of risks, including loss control, loss financing, and risk reduction.
- Loss control: Under this process (sometimes also referred to as loss prevention) a firm takes necessary precautions in order to reduce the threat of a particular risk. For instance, to diminish the likelihood of financial damage arising from a fire within a factory, a company might install a sprinkler system. Alternatively, a company dealing with hazardous material might reduce the chance of worker injury by introducing a comprehensive safety program. Loss control techniques vary by form of risk and potential threat, but typically involve an upfront investment and/or ongoing cost (e.g., paying for the sprinkler system, training personnel in safety procedures). As we shall see, the costs and benefits must be weighed in order to arrive at an appropriate decision.
- Loss financing: This broad category of risk techniques, which involves the transfer, retention, or hedging of exposures, is primarily concerned with ensuring the availability of funds in the event of a loss. For instance, rather than installing a sprinkler system, a firm may choose to protect against potential fire damage by transferring risk through the purchase of an insurance policy that provides compensation if a fire occurs. Alternatively, the company exposed to $/¥ foreign exchange risk might purchase a currency option as a hedge. Or, if a company feels that its risk exposures are particularly ‘well-behaved’ – reasonable in size and predictable with some degree of certainty – it may retain a portion. There are special instances where a company might choose to bundle together various techniques to produce a hybrid, or customized, solution. For instance, it might want to retain a portion of its $/¥ risk and transfer the balance through a hedge, or it might wish to combine disparate risks – such as its property exposure from fire risk and its $/¥ risk – into a single transfer mechanism. In fact, the hybrid management of risk is a cornerstone of the ART market, as we shall discover in later chapters. Regardless of the specific technique used, the relative costs of retention, transfer, hedging, or some hybrid must be weighed against possible benefits before a decision can be made.
- Risk reduction: In some instances the risks may be too idiosyncratic or misaligned for a company to consider loss control or loss-financing methods. Accordingly, it might employ risk reduction techniques that involve partial or complete withdrawal from a business with particular characteristics or the diversification of exposures through a pooling or portfolio concept. Either can lead to a reduction in risk levels. Again, the risk reduction process has an associated cost and must therefore be considered in the cost/benefit framework before a decision is taken.
Risk exposures that are not eliminated must be managed through retention, transfer or financing (while loss control measures may be beneficial, they are generally applied to risks that are retained, e.g., loss control measures are more likely to be dependent on retention levels rather than vice versa).
In fact, the general category of loss financing is a major focus of active risk management. Loss-financing techniques – including use of retained earnings, self-insurance, captives, contingent capital, and so on – can be managed from an internal or external perspective and may be funded or unfunded prior to a loss.
We shall discuss a number of these techniques in subsequent chapters, as they form an essential part of the ART market. Figure 1.2 summarizes some common risk management techniques.
In practice, financial and non-financial corporations can turn to a range of instruments to execute active risk management strategies. Firms often use a combination of tools and may even bundle them together in order to produce a more efficient and cost-effective solution.
For instance, an insurance company, which is in the business of underwriting risks, must manage its own risk profile actively and continuously, and may do so by:
- retaining some amount of risk, after having assessed the likelihood of loss and charged an appropriate premium (that covers expected losses and provides a fair return);
- identifying risks where it feels it must raise premiums in order to compensate for increased
- ceasing to underwrite risks where it does not feel it is earning a proper return;
- creating additional reserves to cover unexpected losses;
- diversifying its portfolio further by expanding its underwriting efforts into new, uncorrelated, and profitable markets;
- purchasing reinsurance cover for portions of its portfolio from a reinsurer;
- issuing an insurance-linked security or structuring a contingent capital facility to provide additional funded or unfunded cover.
There are obviously many possibilities to consider that are applicable to both industrial and financial corporations, and most sectors enjoy access to multiple risk management solutions.
Each scheme has specific costs and benefits, but many can be applied in the structuring of an appropriate risk management program. In many cases it takes time to reshape the risk characteristics of a portfolio of businesses, and although some solutions can be enacted quickly, processes such as increasing premium rates, diversifying a portfolio or issuing an insurance-linked security might take several months (or longer). Therefore, companies must always be aware of the time dimension of the risk management process.
A convenient “rule of thumb” related to risk management techniques suggests that core risks – those that are central to a firm’s daily business – should be retained, while non-core risks – those that are a byproduct of daily business – should be transferred or hedged.
The premise is that a company has information and expertise regarding its core risks and, therefore, greater ability to manage its exposures intelligently (e.g., safely, efficiently, and cost-effectively). Exposure to risks where it lacks knowledge or competitive advantage can be more dangerous and costly. The generalization is interesting, but is complex and often nebulous.
For instance, should an aircraft manufacturer view the price of steel, one of its key inputs, as a core or non-core risk? If it is a core risk should it actively retain and manage the exposure by dedicating resources and time to the effort? Should it transfer, hedge or eliminate a core risk if there is a remote possibility of an excessively large loss? If it is a non-core risk should the firm ignore the price of steel by simply locking in a price for future steel delivery, or should it be more dynamic about its hedging? Many other issues can obviously influence the decision, so the rule of thumb may be seen as somewhat simplistic.
In fact, while the core/non-core distinction may be applicable in some instances, it may not necessarily result in the best decision for every company in every scenario. The risk management decision process is complicated and must generally be considered through a rigorous analytical framework, such as a cost/benefit analysis.
This can help a company to determine how it should manage its individual and aggregate risk exposures in order to maximize value (which, as we shall note in Chapter 2, is a general corporate goal). The cost/benefit tradeoff, characteristic of every risk-related decision a firm must make, is straightforward:
- Pay a cost and gain a benefit by eliminating or reducing NCF uncertainty.
- Pay nothing but accept the NCF uncertainty and remain exposed to potential cash flow
Since every risk has a theoretical price, it is possible to create a risk-free company by paying all the costs associated with eliminating every aspect of risk (e.g., through premiums, safety measures, diversification, withdrawal from businesses, and so on); the uncertainty associated with expected NCFs will then be eliminated.
This, as we shall note later, is likely to be prohibitively expensive and impractical, and will almost certainly not result in a maximization of enterprise value. Accordingly, risk management solutions, consistent with the firm’s appetite and philosophy, must focus on the tradeoffs between costs and benefits; only when this is thoroughly understood can a solution that leads toward enterprise value maximization be developed.