************************************************************************************
Risk management is part of everyone’s job
​
For decades, risk management was viewed as a finance function, with the CFO playing the role of risk measurer, assessor and punisher (for those who crossed defined risk limits). In keeping with this definition, risk management became focused entirely on risk assessment and risk hedging. The elevation of strategic risk management or enterprise risk management in businesses, with its willingness to consider the upside of risk, has come with one unfortunate side cost.
​
Many firms have a person or group in charge of risk management, given primary responsibility for coordinating and managing risk through the organization. While we applaud the recognition given to risk management, it has also led others in the firm, especially in the other functional areas, to think that the existence of a risk management group has relieved them of the responsibility of having to play a role in managing risk.
​
​
[Aswath Damodaran, "Strategic Risk Taking: A Framework for Risk Management", 2007].
************************************************************************************

Steve Bell, "Quantitative Finance for Dummies", Wiley, 2016.
************************************************************************************
We conduct statistical analysis using the best data and methodologies and resources available. The approach is not like addition or long division, in which the correct technique yields the “right” answer and a computer is always more precise and less fallible than a human. Statistical analysis is more like good detective work (hence the commercial potential of CSI: Regression Analysis). Smart and honest people will often disagree about what the data are trying to tell us.
​
Although the field of statistics is rooted in mathematics, and mathematics is exact, the use of statistics to describe complex phenomena is not exact. That leaves plenty of room for shading the truth. Mark Twain famously remarked that there are three kinds of lies: lies, damned lies, and statistics.
Charles Wheelan, “Naked Statistics: Stripping the Dread from the Data”, Publisher: W. W. Norton & Company; First Edition (January 7, 2013).
************************************************************************************

Philippe Jorion, Financial Risk Manager Handbook - FRM PART I / PART II, 6th Edition, Wiley Finance, 2011.
************************************************************************************
“The art of risk management is not just in responding to anticipated events, but in building a culture and organization that can respond to risk and withstand unanticipated events. In other words, risk management is about building flexible and robust processes and organizations.”
“Overconfidence in numbers and quantitative techniques, in our ability to represent extreme events, should be subject to severe criticism, because it lulls us into a false sense of security.”
Thomas S. Coleman (Author), Bob Litterman (Foreword), "Quantitative Risk Management - A Practical Guide to Financial Risk", Wiley, 1st edition, May 8, 2012.
************************************************************************************
Identifying and documenting risk
Because the risk register will contain a great many different risks, it is important to focus on the most important ones. We want to construct some sort of priority rating – giving the overall level of risk. This then provides a tool so that management can focus on the most important risk events and then determine a risk treatment plan to reduce the level of risk. The most important risks are those with serious consequences that are relatively likely to occur. We need to combine the likelihood and the impact and Figure 1.1 shows the type of diagram that is often used to do this, with risk levels labeled L = Low; M = Medium; H = High; and E = Extreme.

Figure - Calculating risk level from likelihood and impact
This type of diagram of risk levels is sometimes called a heat map, and often red is used for the extreme risk boxes; orange for the high risks; and yellow for the medium risks. It is a common tool and is recommended in most risk management standards. It should be seen as an important first step in drawing up a risk management plan, prior to making a much fuller investigation of some specific risks, but nevertheless there are some significant challenges associated with the use of this approach.
Edward J. Anderson, “Business Risk Management - Models and Analysis”, John Wiley & Sons, Ltd, 2014.
************************************************************************************
Fallacies and traps in risk management
It is appropriate to give some ‘health warnings’ about the practice of risk management. These are ideas about risk management that can be misleading or dangerous.
​
It is worth beginning with the observation that society at large is increasingly intolerant of risk which has no obvious owner – no one who is responsible and who can be sued in the event of a bad outcome. Increasingly it is no longer acceptable to say ‘bad things happen’ and we are inclined to view any bad event as someone’s fault. This is associated with much management activity that could be characterized as ‘covering one’s back’.
The important thing is no longer the risk itself but the demonstration that appropriate action has been taken so that the risk of legal liability is removed…
It is fundamentally wrong to spend more time ensuring that we cannot be sued than we do in trying to reduce the dangers involved in our business.
Another trap we may fall into is the feeling that good risk management requires a scenario-based understanding of all the risks that may arise. Often this is impossible, and trying to do so will distract attention from effective management of important risks. As Stulz (2009) argues, there are two ways to avoid this trap. First there is the use of statistical tools (which we will deal with in much more detail in later chapters).
‘Contrary to what many people may believe, you can manage risks without knowing exactly what they are – meaning that most of what you’d call unknown risks can in fact be captured in statistical risk management models. Think about how you measure stock price risk.
. . . As long as the historical volatility and mean are a good proxy for the future behavior of stock returns, you will capture the relevant risk characteristics of the stock through your estimation of the statistical distribution of its returns. You do not need to know why the stock return is +10% in one period and -15% in another.’
The second way to avoid getting bogged down in an unending set of almost unknowable risks is to recognize that important risks are those that make a difference to management decisions. Some risks are simply so low in probability that a manager would not change her behavior even if this risk was brought to her attention. This is like the risk of being hit by an asteroid – it must have some small probability of occurring but it does not change our decisions.
A final word of caution relates to the use of historical statistical information to project forward. We may find a long period in which something appears to be varying according to a specific probability distribution, only to have this change quite suddenly.
Edward J. Anderson, “Business Risk Management - Models and Analysis”, John Wiley & Sons, Ltd, 2014.