IFT Notes for Level I CFA® Program
LM06 Introduction to Risk Management
Investors often assume higher risk in the pursuit of higher returns. Businesses and investors manage risk, whether consciously or not, in every investment decision they make. This reading lays out the fundamentals of risk management from the perspective of both businesses and individuals.
Some of the important concepts addressed in this reading include:
- What is risk management and why is it important?
- How businesses and individuals manage risk.
- The principles behind both enterprise and portfolio risk management.
- How an entity’s goals are affected by risk and how risk management decisions produce better results.
- Identifying the various risks and the tools used by an organization to manage risk.
2. The Risk Management Process
Risk is the exposure to uncertainty. A risk driver is the underlying risk. A risk position is the description or quantification of the risky action taken. Risk exposure is the extent to which an entity is sensitive to underlying risks. In other words, risk exposure is the risk position multiplied by the risk driver.
Risk management is the process by which an organization or individual defines the level of risk to be taken (risk tolerance), measures the level of risk being taken (risk exposure), and adjusts the latter toward the former, with the goal of maximizing the company’s or portfolio’s value or the individual’s overall satisfaction or utility. Ideally, risk exposure should roughly be equal to risk tolerance. Risk management is not about minimizing risk, but about actively managing risks to achieve goals. The focus is on risk management (as opposed to return management) because it is possible to manage risk, but it is not always possible to manage returns.
3. The Risk Management Framework
A risk management framework is the infrastructure, processes, and analytics needed to support effective risk management in an organization. Any risk management framework should include the following factors:
- Risk governance: This top-down process lays the foundation for risk management in an organization. Good governance ensures that the risk tolerance level is set for an organization and provides risk oversight.
- Risk identification and measurement: This is the quantitative and qualitative assessment of all sources of risk to an organization.
- Risk infrastructure: This refers to the people and the systems required to track risk exposures and to perform risk analysis.
- Defined policies and processes: These are limits, requirements, constraints, and guidelines to ensure that an organization’s risky activities are within its risk tolerance levels.
- Risk monitoring, mitigation, and management: This primarily involves identifying, measuring, and continuously monitoring the risk exposure of an organization. If risk exposure is not aligned with the pre-defined risk tolerance, then the necessary action is taken to restore balance between the two.
- Communications: Critical risk issues must be continually communicated across all levels of an organization. Risk tolerances must be communicated to managers. Risk metrics must be reported in a timely, easy-to-understand manner. A feedback loop with the governance body should be present to ensure that risk guidance is validated and communicated to the rest of the organization.
- Strategic analysis or integration: The objective of this analysis is to use risk management to increase the overall value of the business.
The diagram below shows the risk management framework in an enterprise context.