Менеджмент (Управление рисками в финансовой сфере).

Plan
Introduction. Risk Management - definition and role in modern life.
1. Financial risk management
2. Methods of risk management. Role of Risk Manager
3. Risk management process
4. Quantification of risk
5. Risk diminution measures
6. Create a risk management plan
Conclusion. Risk communication. Current approaches to risk management.
Attachment
Literature

Менеджмент (Управление рисками в финансовой сфере).

Cost risk at the superior level is simply that there is not enough money to do the job in the limited time including existent reserves for reasonable contingencies. The causes of such risks can be the following: estimating errors, low ball bids, business decisions, political events. A management technique in this case could be to focus on new elements of the program and to insure that management reserves are adequate in comparison to the costs of the new elements.
For example, the construction industry in is a well-founded, well-understood and experienced industry. In major construction the uncertainty in costs to build are historically about 30% at the stage of "door knob" estimates. As the design and specification of a particular project evolves to the level of detailed definitions,detailed drawings/specifications and detailed schedules, the uncertainty drops to 5% or so. It is common practice for a builder to add 25% to the quoted cost to construct any plan that the particular builder has not built before.The main factor is that of the uncertainties in the details. A significant other factor is the such homes tend to be custom builds, and buyers of custom homes tend to be quite reach.
It is seemed to be unreasonable to expect smaller uncertainties in endeavors involving significant scratch development of state-of-the-art hardware and/or software.
The technical risks are known as performance risks associated with the end items. The point of the buying organization according to this concern is that the system will not perform as required. From the point of the performing organization the concern is that the system will not meet its specifications and thereby will not meet customers satisfaction goals.
The supportability risk means that another acceptable system will cost too much to operate and maintain over its lifetime in terms of time, employees and material resources. Most systems are known to cost more to sustain than to develop, and this fact is not new.2
A development effort is always related with a measure of risk because such an effort involves new aspects to the performing company. These new aspects as a rule are limited to "reach" aspects of the end item. For example, an experienced design company which is extending the performance range for a single parameter of a system probably has a minimal risk. On the other hand, a team formed as a result of winning a major proposal has many risks. Such multiple risks situations are major challenges and are the most interesting from a management perspective.
The management of risks is always associated with the development of the objective products. There are also risks which are specific in start-up situations. 4
3. Quantification of risk
There are several theories and attempts to quantify risks. The most widely accepted risk quantification is the following:
Rate of occurrence multiplied by the impact of the event equals risk
This formula can also be turned into Composite Risk Index, as follows:
Composite Risk Index = Impact of Risk event x Probability of Occurrence
The impact of the risk event can be measured from 1 to 5, where 1 and 5 are the minimum and maximum possible impact of an occurrence of a risk. The probability of occurrence could be assessed on a scale from 1 to 5, where 1 represents a very low probability of the risk event and 5 means very high probability of occurrence. This feature may be expressed in mathematical terms (event occurs once a year or once in ten years) or in words (event occurs here very often; event is known to occur here).
Therefore, the Composite Index can measure from 1 to 25, and this range is usually divided into three sub-ranges. Depending on the sub-range containing the calculated value of the Composite Index, the overall risk assessment is then Low (from 1 to 8), Medium (9 to 16) or High (17 to 25).
Here we see, why the probability of risk occurrence is difficult to estimate, when the past data on frequencies are not fully available.
Since we see, that the consequences of the risk is not usually easy to estimate, sometimes it is quite difficult to estimate the potential financial loss in case of the event of risk.
Moreover, the factors listed above can change depending on the adequacy of prevention measures taken to avoid the risk and also due to changes in the external business environment. That is why it is strongly recomended to periodically re-assess risks and change mitigation measures if it is necessary.
4. Risk diminution measures
Risk diminution measures are usually formulated according the following risk options:
1. Design a brand new business process with risk control to be built-in and which includes containment measures.
2. Periodically perform the re-assessment of risks, which is a normal feature of business operations, and modification of risk diminution measures.
3. Transfer risks to an external agency, for example, an insurance company.
4. Avoid risks by a number of companies, for example, by closing down a particular business area, known as a field of high-risk 5
There are four basic types of risk treatments, which could be applied, when the potential risk is assessed.
1. Avoidance – elimination of event, withdraw from it or do not become involved
2. Reduction – optimization of process to diminish the risk impact
3. Sharing - transfer outsource or insure
4. Retention – acceptance of the undesirable event partially or even the whole 3
Ideal use of all these strategies may not be possible. Some of them may draw in trade-offs that are not acceptable to the company.
Risk avoidance, the first type of treatment, means not performing an activity or event that could carry risk. For example, not flying in order not to take the risk that the plane were be crashed. Avoidance may be the answer to all risks, but avoiding risks leads to losing out the potential gain from accepting the risk. For example, not entering a business leads to avoidance of the possibility of earning profits.
Risk reduction, also known as optimization, involves reducing the severity of the loss or the probability of the loss. For example, smoke detectors help to decrease probability of fire impact.
All risks can be positive or negative. That is why optimizing risks means balancing negative risk and the profit of the event or activity. Optimization is also balancing between risk reduction and applied effort.
Risk sharing is sharing with another party the impact from the triggered event or the benefit of gain, from a risk, and the measures to reduce a risk. The usage of term 'risk transfer' instead of 'risk sharing' could lead to mistaken belief that it is possible to transfer a risk to a third party through insurance or outsourcing. 2
For example, if the insurance company go bankrupt, the original risk is 'going back' the first party. The insurance policy simply provides that in case of an accident (the event) the policy holder will receive some compensation that is commensurate to the damage, but insurance company does not give a guarantee, that this event will never occur.
Risk retention involves accepting the impact, or benefit of gain, from a risk when it occurs. Risk retention is a good strategy for small risks where the cost of insuring against the event of risk would be greater over time than the total impact. All risks that are not avoided or transferred are retained by default. This category includes risks that cannot be insured because they are so large or catastrophic. For example, risk of the war could not be insured. Also any specters of potential loss over the amount insured is retained risk.
5. Create a risk management plan
To create a management plan it is essential to select appropriate controls and countermeasures to measure each risk. Risk diminution needs to be approved by the proper level of management. For example, if a risk concerns the image of the organization, it should be related with top management decision whereas IT management would have the authority to decide on computer virus risks. 3
The risk management plan should offer applicable and effective security measures for managing the risks. For example, an observed high risk of computer viruses could be decreased by using antivirus software. A good risk management plan should often contain a schedule for control implementation and responsible persons for those actions.
Completion of the risk assessment phase must be followed by preparing a risk treatment plan, which should contain the decisions about solving each of the identified event related with risks. Diminution of risks often means selection of some security controls, which should be documented in a statement of applicability. This statement identifies which particular control has been selected, and why.
After that comes implementation, which follows all previous methods for diminution the effect of the risks. This stage is characterized by purchasing insurance policies for the risks that have been decided to be transferred to an insurer, avoid all risks that can be avoided without sacrificing the entity's goals, reduce others, and retain the rest.
Initial risk management plans will never be perfect, that is why the plan always needs secondary improvement. Practice, experience, and actual loss of results will cause changes in the plan and contribute information to allow possible different decisions to be made in dealing with the risks being faced.
Analysis of results leads to periodically update of management plans. There are two primary reasons for this:
1. Evaluation whether the previously selected security controls are still applicable and effective, and
2. Evaluation the possible risk level changes in the business environment. For example, information risks are a good example of rapidly changing business environment. 2
If risks are improperly assessed and prioritized, dealing with risk of events that are not likely to occur could be just waste of time. Spending too much time assessing and managing unlikely risks can demand resources which could be used more profitably. Unlikely events could occur, of course, but if the risk is quite small and unlikely enough to occur it may be better to simply retain the risk and deal with the result if the loss does in fact occur. Qualitative risk assessment is subjective process, as you have seen above, and it lacks consistency. The primary justification for a formal risk assessment process is legal and bureaucratic.
Prioritization of the risk management processes too highly could keep an organization from ever completing a project or even getting started. This is especially true if other work is suspended until the risk management process is finally complete.
It is also important to keep in mind the distinction between risk and uncertainty. Risk is a feature that could be measured by impacts x probability. 2
There are some areas of risk management. In corporate finance, risk management is the technique for measuring, monitoring and controlling the financial task on the company's balance. In this field risks could be divided into price risk, credit risk and operational risk. There are also special methods for calculating requirements for each of these components.
Enterprise risk management considers risk as a possible event or circumstance that can have negative influences on the enterprise in question. Its impact can be on the very existence, the resources (human and capital), the products and services, or the customers of the enterprise, as well as external impacts on society, markets, or the environment. In a financial institution, enterprise risk management is normally thought of as the combination of credit risk, market risk and operational risk.
In general, every probable risk can be related with a pre-formulated plan to deal with its possible consequences, as it was described above.
From the whole amount of information, project manager can estimate:
the cost associated with the impact of event, related with risk if it arises, estimated by multiplying employee costs per unit time by the estimated time lost
the probable increase in time associated with a risk
the probable increase in cost associated with a risk 3
Risk in a project or in a process can be due different causes and requires appropriate treatment. That is to re-iterate the concern about extremal cases not being equivalent in the list immediately above.
In project management risk management includes the following activities:
Planning how risk will be managed in the particular project. Plans should include risk management tasks, responsibilities, activities and budget.
Assigning a risk officer - a team member other than a project manager who is responsible for foreseeing potential project problems. Typical characteristic of risk officer is a healthy skepticism.
Maintaining live project risk database. Each risk should have the following attributes: opening date, title, short description, probability and importance. Optionally a risk may have an assigned person responsible for its resolution and a date by which the risk must be resolved.
Creating anonymous risk reporting channel. Each team member should have possibility to report risk that he/she foresees in the project.
Preparing mitigation plans for risks that are chosen to be mitigated. The purpose of the mitigation plan is to describe how this particular risk will be handled – what, when, by who and how will it be done to avoid it or minimize consequences if it becomes a liability.
Summarizing planned and faced risks, effectiveness of mitigation activities, and effort spent for the risk management. 4