RISK MANAGEMENT CERTIFICATE EXAM NIBM NOTES UNCERTAINTY, RISK, PROBABILITY, IMPACT, COSO

RISK VS UNCERTAINTY

If the impact is known but the probability is not, the situation is called UNCERTAINTY.

If both the probability and the impact are known, the situation is called RISK.

In general terms, risk is when we expect something positive to happen and the outcome is negative, which is harmful to the company. Such outcomes are due to bad decisions, taken either by internal members of the company or by others. Decisions are made on the basis of consequences and probability. A consequence can be positive or negative, but a probability is always positive, between 0 and 1. If the outcome is positive and within the estimated risk level, it is an opportunity for the company. If the outcome is negative and exceeds the estimated risk level, it is dangerous to the company, which may lose a lot of capital.

RISK = IMPACT * PROBABILITY. SHORTCUT TO REMEMBER THE RISK DEFINITION: RIP

IMPACT VS PROBABILITY

There are 4 combinations of probability and impact used to classify the risk level.

1) Low probability, low impact

This is the safest category and risk retention is possible. The colour coding is Green: the risk can be tolerated, so it is retained.

2) Low probability, high impact

This is a moderate category and risk transfer is possible. The colour coding is Orange: the risk is transferred to another entity. For example, a fire in the office is a low-probability event, but if it occurs the damage is high and cannot be recovered, so the risk is transferred by taking out insurance. Low-probability, high-impact events are described by the Black Swan theory.

3) High probability, low impact

This is also a moderate category and risk reduction is possible. The colour coding is Orange: such risks are a threat to the company, and risk reduction is the remedy.

4) High probability, high impact

This is dangerous and the colour coding is Red. Risk avoidance (termination) is the only remedy.

COSO VS ERM

The Committee of Sponsoring Organizations (COSO) provides a framework for measuring risk. It describes a process, carried out by management, that identifies the events that could potentially affect the company. This process is called Enterprise Risk Management (ERM).

Risk mitigants in a financial company

Quantitative

Risk should not cross certain predefined levels. This measure is called Value at Risk (VAR).

Qualitative

Risk levels can be determined from ratings and colour codes. They are measured by scenario analysis and stress testing.

RISK MANAGEMENT PROCESS STEPS

NOTE: SHORTCUT TO REMEMBER THE STEPS IN RISK MANAGEMENT: IAETM

  • IDENTIFY
  • ANALYZE
  • EVALUATE
  • TREAT
  • MONITOR AND REVIEW: the CRO and the RM team monitor and report on whether the RM strategy has been implemented, and review that implementation.

RISK TOLERANCE VS RISK APPETITE

The maximum loss that a company can be forced to bear under the worst-case scenario is called risk tolerance.

The maximum loss that a company is able and willing to bear under the worst-case scenario is called risk appetite.

Note: Risk tolerance >= Risk appetite

RISK ATTITUDE PEOPLE

Those who invest in low-risk assets and avoid risk are risk averse. They trade in government bonds.

Those who take a neutral, balanced approach are risk neutral. They trade both in bonds and in intraday equity shares.

Those who invest in high-risk assets with high earnings are risk seekers. They trade in intraday equity shares.

INHERENT RISK VS RESIDUAL RISK VS CONTROL RISK

The risk that exists in a company before any control is applied is called inherent risk. Ex. fire accident (100)

The risk that remains after a control measure has been applied to reduce it is called residual risk. Ex. CO2 cylinders fixed to the walls to control a fire (10)

Risk control is the difference between these two risks. The higher the risk control, the lower the residual risk.

Risk control = inherent risk - residual risk

What is Value at Risk (VAR)?

Value at risk is the probable loss estimated under normal circumstances over a given period of time. It is quantitative in nature and is determined from three elements.

  • Time
  • Probability
  • Amount

Under normal circumstances we use VAR, but under abnormal circumstances we use stress testing, which is qualitative in nature. It uses individual components, such as the domestic interest rate, the forex rate or inflation, to determine the loss.

Scenario analysis

It is part of stress testing and is also used to measure an entity's loss under abnormal circumstances. It is qualitative in nature. It uses all components at once to arrive at the conclusion.
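As an added worked example (not part of these notes), the following Python code shows the three VAR elements on a constructed 20-day P&L series, back-tests the probability element, and contrasts VAR with a single-component stress test and an all-component scenario; the P&L figures, the factor sensitivities and the square-root-of-time scaling are assumptions made for the illustration.

```python
"""Added worked example: the three elements of VAR (time, probability, amount)
and how stress testing and scenario analysis differ from it. All data is constructed."""
import math

# Constructed sample: 20 trading days of portfolio P&L, in thousands (not real data).
DAILY_PNL = [12, -8, 5, -15, 3, 7, -22, 9, -4, 1,
             -11, 6, -30, 14, -2, 8, -6, 10, -18, 4]


def historical_var(pnl, confidence, horizon_days=1):
    """Historical-simulation VAR under normal circumstances, as a positive loss AMOUNT.

    PROBABILITY: `confidence` (0.95 -> losses exceed VAR on about 5% of days).
    TIME: `horizon_days`, scaled by sqrt(time); an assumption that treats
    daily P&L as independent and identically distributed.
    """
    if not 0 < confidence < 1:
        raise ValueError("confidence must lie strictly between 0 and 1")
    losses = sorted(-x for x in pnl)            # losses as positive numbers, ascending
    rank = math.ceil(confidence * len(losses))   # nearest-rank quantile (1-based)
    one_day = max(losses[rank - 1], 0.0)         # a gain at the quantile means zero loss
    return one_day * math.sqrt(horizon_days)


def exceedance_rate(pnl, var_amount):
    """Back-test the PROBABILITY element: share of days whose loss exceeded VAR."""
    return sum(1 for x in pnl if -x > var_amount) / len(pnl)


# Constructed sensitivities: loss (thousands) per 1-point adverse move in each factor.
SENSITIVITIES = {"interest_rate": 40.0, "forex": 25.0, "inflation": 15.0}


def stress_loss(sensitivities, shocks):
    """Abnormal-circumstance loss: sum of sensitivity x shock over the shocked factors.

    Stress testing shocks ONE component; scenario analysis passes shocks for ALL of them.
    """
    return sum(sensitivities[factor] * size for factor, size in shocks.items())


if __name__ == "__main__":
    var95 = historical_var(DAILY_PNL, 0.95)
    print(f"1-day 95% VAR: {var95:.0f}k, exceeded on {exceedance_rate(DAILY_PNL, var95):.0%} of days")
    print(f"10-day 95% VAR: {historical_var(DAILY_PNL, 0.95, 10):.1f}k")
    print(f"Rate-only stress test (+3 pts): {stress_loss(SENSITIVITIES, {'interest_rate': 3}):.0f}k")
    scenario = {"interest_rate": 3, "forex": 4, "inflation": 2}
    print(f"All-component scenario: {stress_loss(SENSITIVITIES, scenario):.0f}k")
```

With 20 observations the 95% VAR is the second-largest loss (22k), and exactly one day (the 30k loss) exceeds it, which is the 5% tail the confidence level promises.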

Enterprise Risk Management ERM

It deals with the worst-case loss scenarios of an entity while ensuring better results and faster growth. ERM covers the following 6 fundamentals and has 8 components. COSO has determined that ERM should be part of an organization.

  • Financial, Legal, Operational, Compliance, Strategic and Security risk (FLOCSS: 6 fundamentals)
  • Control, Assessment, Response, Objectives, Monitoring, Internal systems, Identification, Information & communication (CAROM-I3: an easy way to remember the 8 components)

ISO 31000

ISO 31000 sets out principles and guidelines for risk management. It is an international standard and is used by most organizations.

Corporate Governance

Corporate governance sets the policies and procedures of an organization and mitigates conflicts between the organization and its stakeholders.

Audit risk

Detection Risk

The auditor gives the opinion. If the auditor gives an inappropriate opinion, this is called audit risk. A material misstatement in the financial statements (FS) creates the chance of this risk, so the auditor should invariably give correct and appropriate audited FS.

Audit risk = Inherent risk * Control risk * Detection risk.

Inherent risk

The auditor should consider the FS to the correct extent and should consider the internal controls before giving an audited balance sheet. If material misstatements are present, this is called inherent risk.

Control risk

The organization's internal team should detect risks on a timely basis. If it fails to detect and prevent a risk, this type of risk is called control risk.