Final

Biztek – Institute of Business and Technology
LETTER OF TRANSMITTAL
Feb 1, 2009
Mr. Khalid Jamil Ansari
Teacher, Business Finance - II
Biztek University
Karachi.
Sir:
We herewith present our “Term Report” authorized by you as a requirement for this course.
In this report, we have tried to provide Risk Management and its essential elements.
We hope we have covered all that was required for the report.
If there be any clarification demanded, we would appreciate a call from you to our group
Members.
Sincerely,
Muhammad Bilal
Muhammad Yousuf
Page 1 of 34 Prepared By: Muhammad Bilal

Muhammad Yousuf
EXECUTIVE SUMMARY
The main purpose of this report entitled “Risk Management” is to provide the students
a clear and closer exposure of Risk Management. This report has been prepared as a
requirement of course “Business Finance - II” as a part of MBA at Biztek University. The
topic mainly deals with what is Risk Management and its essential elements.
In the preparation phase of this report we have made an attempt to present the
material in a simple and crystal way. We hope that this report will surely help the people in
order to know about risk management.
For further improvement we seek sincere advices and valuable suggestions from our
honorable teacher and colleagues.

Muhammad Yousuf
ACKNOWLEDGMENT
We are very thankful to almighty Allah, who is most beneficent, most merciful and the
creator of all mankind. He gives us enough capabilities to learn and implement our skills. So
many thanks to Allah who has given us courage and ability to complete this exciting
assignment.
What so ever human capabilities can not be polished with-out good teacher, because
it is a teacher who groom students and make it possible to use their inner capabilities in a
better way. In this regard we are extremely thankful to our teacher Mr. Khalid Jamil
Siddiqui. Just because of his assistance, we are able to complete our report successfully.
This achievement would not have been possible without his kind guidance.
Muhammad Bilal
Muhammad Yousuf

Muhammad Yousuf
Introduction
In ideal risk management, a prioritization process is followed whereby the risks with the
greatest loss and the greatest probability of occurring are handled first, and risks with lower
probability of occurrence and lower loss are handled in descending order. In practice the
process can be very difficult, and balancing between risks with a high probability of
occurrence but lower loss versus a risk with high loss but lower probability of occurrence can
often be mishandled.
Intangible risk management identifies a new type of risk - a risk that has a 100% probability
of occurring but is ignored by the organization due to a lack of identification ability. For
example, when deficient knowledge is applied to a situation, a knowledge risk materializes.
Relationship risk appears when ineffective collaboration occurs. Process-engagement risk
may be an issue when ineffective operational procedures are applied. These risks directly
reduce the productivity of knowledge workers, decrease cost effectiveness, profitability,
service, quality, reputation, brand value, and earnings quality. Intangible risk management
allows risk management to create immediate value from the identification and reduction of
risks that reduce productivity.
Risk management also faces difficulties allocating resources. This is the idea of opportunity
cost. Resources spent on risk management could have been spent on more profitable
activities. Again, ideal risk management minimizes spending while maximizing the reduction
of the negative effects of risks.

Muhammad Yousuf
BACKGROUND
Risk Management is an important project and operations planning tool. It allows the
Manager to avoid possible damage to the project or the operation by identifying, in advance,
the possible areas where damaging events may take place.
Risk Management is a well-established field of professional expertise. It is used in a wide

range of areas including: engineering, business and finance, health and safety, environmental
management, healthcare, emergency management, business continuity management, sport
and recreation etc.
Risk Management has been described as 'all the things you need to do to manage an
uncertain future'. In most cases risks are taken so as to achieve some advantage, and
managing risks is associated with making decisions.
Standards New Zealand and Standards Australia have published a joint risk management
standard (AS/NZS 4360: 1999 Risk Management). It defines risk management as "the
culture, processes and structures which are directed towards the effective management of
potential opportunities and adverse effects."
The risk management process is defined as "the systematic application of management

policies, procedures and practices to the tasks of establishing the context, identifying, and
analyzing, evaluating, treating, monitoring and communicating risk."

Muhammad Yousuf
In the 90's, the traditional background for risk assessment and management was widely
criticized. It was recognized that the large uncertainties associated with the evaluation and
the disagreement between experts had negative effects on the risk management and public
risk acceptability. Facing the lack of social trust, the development of new risk management
approaches has emerged oriented towards a larger involvement of the different stakeholders
and taking into account the specific context of risk situations.
In this context, reflections started in 1997 in the TRUSTNET European concerted action
involving decision makers from public authorities, elected representatives, NGOs, decision
makers from industry, and experts. These reflections focused on situations of risk where
public confidence and social trust are affected. The following definition of risk governance
was proposed: "Risk governance is the sum of political, social, legal, ethical, scientific and
technical components that permit the operation of hazardous activities". Risk assessment and
management take place in the context of a global governance system where specific actors
are entrusted with the task of assessing and managing the risks.
Concerning the quality of risk governance, the TRUSTNET reflections stressed that the most
suitable risk governance system remains the one that the different concerned components of
society consider as reasonable, reaching concrete and applicable decisions within accepted
political processes, meeting several objectives such as to:
• provide a level of protection which is widely recognized as acceptable,

• ban activities where the combination of risk and societal concerns is too high, not
justified for the concerned actors,
• promote accountability and autonomy of the concerned actors in the risk taking
process (empowerment, capacity building),
• make sure that risk exposure is equitable among society,

Muhammad Yousuf
• allow sustainable development and give access to worthwhile scientific and

technological developments that may help to solve the current and future social
concerns,
• give the concerned actors access to a pluralistic review of scientific opinions on risk,
• allow efficient collective decision-making, as regards costs and delays,
• ensure that protection resources are allocated in an efficient way,
• facilitate rehabilitation or resolution in case of accidents or emergencies and to prevent
social crisis,
• Contribute to improve Social Trust and Confidence among Stakeholders, Public
Authorities and Experts.

Muhammad Yousuf
Risk
“To understand uncertainty and risk is to understand the key business problem – and the key
business opportunity”— David B. Hertz, 1972.
Risk has been known to man ever since he first faced adversity. It is an integral part of the
evolution of man. Risk has been encountered primarily in his physical environment,
later on in his social environment
Risk is essentially, the probability that the outcome maybe damaging or result in a loss.
With risk, the outcomes of an event are thrown open to uncertainty.
Example
Tossing a dice is at a basic level a risky endeavor, which has uncertain outcomes. If you
were to be shot depending on the outcome of a dice roll (say prime number you live, non-
prime number you die), you would have a 50% chance of survival. A risky outcome with a
level of uncertainty involved.

Muhammad Yousuf
“If you don’t actively attack the risks, they

will actively attack you.”

Muhammad Yousuf
Risk Factor:
Companies deals with different types of market and company risks. Briefly, they are as
follows:
The effects of, and changes in, worldwide economic conditions e.g. recession, social,
political, labor conditions or government policies in which company operates etc. can
have an impact on its results.
Change in consumer preferences, introduction and timings of competitive products, changing
customer order patterns can affect the demand for products and hence can affect the
company’s revenue and profit margins.
• Developments of new products may subject to many risks and is largely dependent on
the timings of their launch and acceptance of that product in the market. There is no
guarantee that all these products will be commercially successful.
Price fluctuations, interruption in supply, shortages of raw material, changing demand,
natural disasters and other factors can have a material effect on the company’s results.

Muhammad Yousuf
“Today's total risk manager is the person who can combine art with science to master
the challenges & opportunities of a fast changing world.”

Muhammad Yousuf
CARRYING RISK UNKNOWINGLY
Risk is the probability that some event will take place

which may have a damaging impact on the project or
operations of the Ministry or Agency.

Muhammad Yousuf
Risk is therefore a positive number between 0 and 100%:
• An event that will never happen has a risk of 0%

• An event that is certain to happen has a risk of 100%
• Highly likely events could be given a risk of 75% to 95%
• Unlikely events may have a risk of 10 to 30%
Examples:
There is a 20% chance the server will not be delivered on time.
• There is a 40% chance the budget will not be approved for additional overtime.
• There is a 50% chance that members of the project team will request leave during July
or August.
It is the responsibility of the members of the risk management team to assess the risk for
each event that may have a damaging impact on the project or operation.

Muhammad Yousuf
What is Risk Management?
“Risk management is less of a set of techniques and

more of a paradigm in how the organization talks about
key issues.”
Risk management is a discipline at the core of every financial institution and encompasses all
the activities that affect its risk profile. It involves identification, measurement,
monitoring and controlling risks to ensure that
The individuals who take or manage risks clearly understand it.

The organization’s Risk exposure is within the limits established by Board of Directors.
Risk taking Decisions are in line with the business strategy and objectives set by BOD.
The expected payoffs compensate for the risks taken
Risk taking decisions are explicit and clear.
Sufficient capital as a buffer is available to take risk.
In every financial institution, risk management activities broadly take place

simultaneously at following different hierarchy levels.

Muhammad Yousuf
Strategic Level: It encompasses risk management functions performed by senior

management and BOD. For instance definition of risks, ascertaining institutions
risk appetite, formulating strategy and policies for managing risks and establish
adequate systems and controls to ensure that overall risk remain within acceptable
level and the reward compensate for the risk taken.
Macro Level: It encompasses risk management within a business area or across
business lines. Generally the risk management activities performed by middle
management or units devoted to risk reviews fall into this category.
Micro Level: It involves ‘On-the-line’ risk management where risks are actually
created. This is the risk management activities performed by individuals who take
risk in organization’s behalf such as front office and loan organization functions.
The risk management in those area is confines to following operational procedures
and guidelines set by management.

Muhammad Yousuf
Purpose of Risk management
• Risk management is a structured approach to managing

uncertainty related to a threat, a sequence of human activities including: risk
assessment ...
• The process of determining the maximum acceptable

level of overall risk to and from a proposed activity, then using risk assessment
techniques to ...
• The process, distinct from risk assessment, of weighing

policy alternatives, in consultation with all interested parties, considering risk
assessment and other factors relevant for the health protection of consumers and for
the promotion of fair trade practices, and, if needed, selecting ...
risk assessment
• The identification and acceptance or offsetting of the

risks threatening the profitability or existence of an organization. With respect to
foreign exchange involves among others consideration of market, sovereign, country,
transfer, delivery, credit, and counterparty risk.
• Process of identifying and monitoring business risks in

a manner that offers a risk/return relationship that is acceptable to an entity's
operating philosophy

Muhammad Yousuf
• The process of evaluating and selecting alternative

regulatory and non-regulatory responses to risk. The selection process necessarily
requires the consideration of legal, economic, and behavioral factors.
• Involves analyzing all exposures to the possibility of

loss and determining how to handle these exposures and reduce or transfer the risk.
• Decisions about whether an assessed risk is sufficiently

high to present a public health concern and about the appropriate means for control of
a risk judged to be significant. The process of evaluating and selecting alternative
regulatory and non-regulatory responses to risk. ...
• Covers all the processes involved in identifying,

assessing and judging risks, assigning ownership, taking actions to mitigate or
anticipate them, and monitoring and reviewing progress.
• Proactive steps that management can take to assess and

manage business risks. The culture, processes and structures that are directed toward
the effective management of potential opportunities and adverse effects.
• The process of handling pure risk by way of reduction,

elimination, or transfer of risk, with the latter commonly achieved through insurance.
• Identification, evaluation and control of risk
• The employment of financial analysis and trading

techniques to reduce and/or control exposure to various types of risk.

Muhammad Yousuf
• A strategy developed to reduce or control the chance of

harm or loss to one’s health or life; the process of identifying, evaluating, selecting
and implementing actions to reduce risk to human health and to ecosystems.
• Is the effort to reduce the likelihood that a hazard will

produce harm. Risk management may involve decreasing the size of the population at
risk ...
• The use of various management practices to reduce the

production and financial risk of the business. Commonly used practices include
diversification, purchasing insurance, hedging or forward contracting, maintaining
cash reserves and maintaining flexibility in the operation.
• Risk management is a system for decreasing the chance

for injury or accidents in a given area, in this case a fraternity or sorority house.
Salisbury Universities Interfraternity Council has an elected Risk Manager that serves
to protect Greek students and make and enforce rules. ...
• Risk management is the active process of identifying,

assessing, communicating and managing the risks facing an organization to ensure
that an organization meets its objectives.
• The monitoring and controlling of various risk factors in

an investment portfolio with the aim of minimizing volatility of investment returns.
• Controlling the probability, and/or the severity, of a

potential adverse event so that the consequences of that event are within acceptable

Muhammad Yousuf
limits. ...
• Process of identifying, assessing, and reducing the risk

to an acceptable level and implementing the right mechanisms to maintain that level
of risk.
• 1) A family of security controls in the management

class dealing with the process of identifying and applying controls commensurate
with the value of the assets protected based on a risk assessment. 2) The total process
of identifying, controlling, and mitigating IT system-related risks. ...
The systematic application of quality management policies, procedures, and practices
to the tasks of assessing, controlling, communicating and ...
• The process of identifying, analyzing and assessing the

likelihood of loss and choosing options to better manage or minimize loss exposures.
• Clinical and administrative activities undertaken to

identify, evaluate, and reduce the risk of injury to patients, staff, and visitors and the
risk of loss to the organization itself.
• To intervene based on a performed risk assessment. It

means to prevent, reduce or modify exposure, to alter awareness, perception or
valuation of risks.

Muhammad Yousuf
Guidelines for Risk Management Process Review
The purpose of risk management is to identify potential problems before they occur so that
risk-handling activities may be planned and invoked as needed across the life of the product
or project to mitigate adverse impacts on achieving objectives.
Risk management is a continuous, forward-looking process that is an important part of

business and technical management processes. Risk management should address issues that
could endanger achievement of critical objectives. A continuous risk management approach
is applied to effectively anticipate and mitigate the risks that have critical impact on the
project.
Effective risk management includes early and aggressive risk identification through the
collaboration and involvement of relevant stakeholders. Strong leadership across all relevant
stakeholders is needed to establish an environment for the free and open disclosure and
discussion of risk.
Although technical issues are a primary concern both early on and throughout all project
phases, risk management must consider both internal and external sources for cost, schedule,
and technical risk. Early and aggressive detection of risk is important because it is typically
easier, less costly, and less disruptive to make changes and correct work efforts during the
earlier, rather than the later, phases of the project.

Muhammad Yousuf
Risk management can be divided into three parts: defining a risk management strategy;
identifying and analyzing risks; and handling identified risks, including the implementation
of risk mitigation plans when needed.
For the purpose of this review, please address the following points:
1. Demonstrate that you have a process

to determine risk sources and categories. Identification of risk sources
provides a basis for systematically examining changing situations over time to uncover
circumstances that impact the ability of the project to meet its objectives. Risk sources are
both internal and external to the project. As the project progresses, additional sources of
risk may be identified. Establishing categories for risks provides a mechanism for
collecting and organizing risks as well as ensuring appropriate scrutiny and management
attention for those risks that can have more serious consequences on meeting project
objectives.

to define the parameters used to analyze and categorize risks
and the parameters used to control the risk management
effort. Parameters for evaluating, categorizing, and prioritizing risks typically include
risk likelihood (i.e., the probability of risk occurrence), risk consequence (i.e., the impact
and severity of risk occurrence), and thresholds to trigger management activities.
Risk parameters are used to provide common and consistent criteria for comparing the
various risks to be managed. Without these parameters, it would be very difficult to gauge

Muhammad Yousuf
the severity of the unwanted change caused by the risk and to prioritize the necessary
actions required for risk mitigation planning.

to establish and maintain the strategy to be used for risk
management. A comprehensive risk management strategy addresses items such as:

(1) The scope of the risk management effort, (2) Methods and tools to be used for risk
identification, risk analysis, risk mitigation, risk monitoring, and communication, (3)
Project-specific sources of risks, (4) How these risks are to be organized, categorized,
compared, and consolidated, (5) Parameters, including likelihood, consequence, and
thresholds, for taking action on identified risks, (6) Risk mitigation techniques to be used,
such as prototyping, simulation, alternative designs, or evolutionary development, (7)
Definition of risk measures to monitor the status of the risks, and (8) Time intervals for
risk monitoring or reassessment.
The risk management strategy should be guided by a common vision of success that
describes the desired future project outcomes in terms of the product that is delivered, its
cost, and its fitness for the task. The risk management strategy is often documented in an
organizational or a project risk management plan. The risk management strategy is
reviewed with relevant stakeholders to promote commitment and understanding.

to identify and document the risks. The identification of potential issues,
hazards, threats, and vulnerabilities that could negatively affect work efforts or plans is

Muhammad Yousuf
the basis for sound and successful risk management. Risks must be identified and
described in an understandable way before they can be analyzed and managed properly.
Risks are documented in a concise statement that includes the context, conditions, and
consequences of risk occurrence.
Risk identification should be an organized, thorough approach to seek out probable or

realistic risks in achieving objectives. To be effective, risk identification should not be an
attempt to address every possible event regardless of how highly improbable it may be.
Use of the categories and parameters developed in the risk management strategy, along
with the identified sources of risk, can provide the discipline and streamlining appropriate
to risk identification. The identified risks form a baseline to initiate risk management
activities. The list of risks should be reviewed periodically to reexamine possible sources
of risk and changing conditions to uncover sources and risks previously overlooked or
nonexistent when the risk management strategy was last updated.
Risk identification activities focus on the identification of risks, not placement of blame.
The results of risk identification activities are not used by management to evaluate the
performance of individuals.
There are many methods for identifying risks. Typical identification methods include (1)
Examine each element of the project work breakdown structure to uncover risks; (2)
Conduct a risk assessment using a risk taxonomy. Interview subject matter experts; (3)
Review risk management efforts from similar products. Examine lessons-learned
documents or databases; (4) Examine design specifications and agreement requirements.

to evaluate and categorize each identified risk using the
Muhammad Yousuf
defined risk categories and parameters, and determine its

relative priority. The evaluation of risks is needed to assign relative importance to
each identified risk, and is used in determining when appropriate management attention is
required. Often it is useful to aggregate risks based on their interrelationships, and
develop options at an aggregate level. When an aggregate risk is formed by a roll up of
lower level risks, care must be taken to ensure that important lower level risks are not
ignored.

to develop a risk mitigation plan for the most important risks
to the project, as defined by the risk management strategy. A
critical component of a risk mitigation plan is to develop alternative courses of action,
workarounds, and fallback positions, with a recommended course of action for each
critical risk. The risk mitigation plan for a given risk includes techniques and methods
used to avoid, reduce, and control the probability of occurrence of the risk, the extent of
damage incurred should the risk occur (sometimes called a “contingency plan”), or both.
Risks are monitored and when they exceed the established thresholds, the risk mitigation
plans are deployed to return the impacted effort to an acceptable risk level. If the risk
cannot be mitigated, a contingency plan may be invoked. Both risk mitigation and
contingency plans are often generated only for selected risks where the consequences of
the risks are determined to be high or unacceptable; other risks may be accepted and
simply monitored.
Options for handling risks typically include alternatives such as: (1) Risk avoidance:
Changing or lowering requirements while still meeting the user’s needs; (2) Risk control:
Taking active steps to minimize risks; (3) Risk transfer: Reallocating design requirements

Muhammad Yousuf
to lower the risks; (4) Risk monitoring: Watching and periodically reevaluating the risk
for changes to the assigned risk parameters; (5) Risk acceptance: Acknowledgment of risk
but not taking any action. Often, especially for high risks, more than one approach to
handling a risk should be generated.
In many cases, risks will be accepted or watched. Risk acceptance is usually done when
the risk is judged too low for formal mitigation, or when there appears to be no viable
way to reduce the risk. If a risk is accepted, the rationale for this decision should be
documented. Risks are watched when there is an objectively defined, verifiable, and
documented threshold of performance, time, or risk exposure (the combination of
likelihood and consequence) that will trigger risk mitigation planning or invoke a
contingency plan if it is needed.
Adequate consideration should be given early to technology demonstrations, models,

simulations, and prototypes as part of risk mitigation planning.

to monitor the status of each risk periodically and implement
the risk mitigation plan as appropriate. To control and manage risks
effectively during the work effort, follow a program to monitor risks and their status and
the results of risk-handling actions regularly. The risk management strategy defines the
intervals at which the risk status should be revisited. This activity may result in the
discovery of new risks or new risk-handling options that may require re-planning and
reassessment. In either event, the acceptability thresholds associated with the risk should
be compared against the status to determine the need for implementing a risk mitigation
plan.

Muhammad Yousuf
8. Demonstrate that you have established

and maintain an organizational policy for planning and
performing the risk management processes.
9. Demonstrate that you establish and

maintain a plan for performing the risk management process .
Typically, this plan for performing the risk management process is included in (or
referenced by) the project plan. This would address the comprehensive planning for all of
the specific practices in the project plan, from determining risk sources and categories all
the way through to the implementation of risk mitigation plans.
10. Demonstrate that you provide adequate resources for

performing the risk management process, developing the work
products, and providing the services of the process. Examples of
resources provided are: risk management databases, risk mitigation tools, prototyping
tools, and modeling and simulation.
11. Demonstrate that you assign responsibility and authority for

performing the process, developing the work products, and
providing the services of the risk management process.

Muhammad Yousuf
12. Demonstrate that you train the people performing or

supporting the risk management process as needed.
13. Demonstrate that you place designated work products of the

risk management process under appropriate levels of
configuration management.
14. Demonstrate that you identify and involve the relevant

stakeholders of the risk management process as planned.
15. Demonstrate that you monitor and control the risk

management process against the plan for performing the
process and take appropriate corrective action.
16. Demonstrate that you objectively evaluate adherence of the

risk management process against its process description,
standards, and procedures, and address noncompliance.
17. Demonstrate that you review the activities, status, and

results of the risk management process with higher level
management and resolve issues. Reviews of the project risk status are held
on a periodic and event-driven basis with appropriate levels of management, to provide
visibility into the potential for project risk exposure and appropriate corrective action.
Typically, these reviews will include a summary of the most critical risks, key risk
Muhammad Yousuf
parameters (such as likelihood and consequence of these risks), and the status of risk
mitigation efforts.
The Scope of Risk Management
A risk management framework encompasses the scope of risks to be managed, the

process/systems and procedures to manage risk and the roles and responsibilities of
individuals involved in risk management. The framework should be comprehensive enough
to capture all risks a bank is exposed to and have flexibility to accommodate any change in
business activities. An effective risk management framework includes
Clearly defined risk management policies and procedures covering risk identification,
acceptance, measurement, monitoring, reporting and control.

Muhammad Yousuf
A well constituted organizational structure defining clearly roles and responsibilities of

individuals involved in risk taking as well as managing it. Banks, in addition to risk
management functions for various risk categories may institute a setup that supervises
overall risk management at the bank. Such a setup could be in the form of a separate
department or bank’s Risk Management Committee (RMC) could perform such function*.
The structure should be such that ensures effective monitoring and control over risks being
taken. The individuals responsible for review function (Risk review, internal audit,
compliance etc) should be independent from risk taking units and report directly to board or
senior management who are also not involved in risk taking.
There should be an effective management information system that ensures flow of

information from operational level to top management and a system to address any
exceptions observed. There should be an explicit procedure regarding measures to be taken
to address such deviations.
The framework should have a mechanism to ensure an ongoing review of systems, policies
and procedures for risk management and procedure to adopt changes.
TEXTUAL DISCUSSION
PROFFESOR JAMES: (American Risk Management Institution)
Just one thing I'm not sure I agree with. It seems that the overall risk level should not be
below the highest risk factor. If the highest risk factor is something along the lines of
"death by electrocution" and the risk factor is "high," the overall risk of the job should not
be "medium" unless additional effective safety controls are considered. Did I misread the
article? If so, please accept my slightly embarrassed apologies. Thanks for your time.
PROFFESOR ELBERT: (British Commerce Academy)

Muhammad Yousuf
This may be good for an employee that has little to do but "risk management". It is very
good for those in a school environment that wants to debate the issue, split hairs, and
totally immerse themselves in the subject. To follow the program will allow you to
complete a requirement.
However, it’s not practical for a common user. If used at all to complete a plan it most
likely would wind up as a dust collector on a shelf.
FINDING CONCLUSION OF RISK MANAGEMENT
Risk Management has recently become a major managerial tool. Many institutes concerned
with standardization have adopted Risk Management as a key process in their work.
Risk Management can also be used as a planning tool in that it identifies the possible
alternatives a project or an operation may take to avoid or minimize damages.
This preliminary attempt to define a standard evaluation framework for the quality of risk
management disclosure is based on a functional approach and is grounded on five general

Muhammad Yousuf
propositions. The data requirements are limited to mandatory, widely disseminated and
standardized data, i.e. the risk management information found in the annual report.
Obviously, this information does not satisfy the timeliness principle. Yet, we are willing to
compromise on timeliness since the framework's main objective is to provide a comparison,
both across firms and over time, of the quality of public risk management disclosure. This
standard evaluation framework for risk management disclosure is flexible. It can be
implemented despite differences in valuation methods, in holding periods and in mandatory
trading and non-trading information. To allow comparability across firms and to limit our
attention to well-defined and measurable risk factors, the current framework considers the
quality of disclosure only for market and credit risk factors. This choice is motivated by the
need for comparability of qualitative and quantitative information, since most firms have a
well-defined policy for the management of those two risk exposures.
The framework is preliminary and should be extended to other important risk factors such
as liquidity and operational risks, as the measurement methods are well defined and broadly
used. Further, the functional approach to the evaluation of risk management disclosure
should be extended to financial conglomerates. Finally, risk management is still a new and
evolving field that is far from offering structured and unified solutions to problems such as
financial and non-financial risks monitoring, risk aggregation, and risk-based capital
allocation. The professional community is still struggling with the definition of a
sound 'global' risk management policy, including its underlying principles, its evaluation
and its value-added to market participants.
There are several concrete limitations and challenges to the full risk management
disclosure. First, there have been negative market responses to enhanced disclosure. Such
responses occur in particular if market participants do not know how to analyze and
interpret risk management information meaningfully. This, in turn, leads to a negative

Muhammad Yousuf
perception of marked-to-market values and to a perception of greater volatility of on- and

off-balance sheet assets. Thus, education of market participants plays a crucial role in
enhancing the demand for and the rational responses to enhanced transparency. Second,
disclosure enhancement has one fundamental pre-requisite: a sound definition of the
economic value of the assets of the firm. Economic valuation is far from being settled in
the finance literature (and in the accounting community) especially for illiquid assets,
structured complex strategies, proprietary intangible assets and growth opportunities. Third,
though standardization of risk management disclosure in the annual report may enhance its
quality, firms with more specialized and less quantifiable profit sources may find
meaningful risk management disclosure more difficult. This is particularly true in the
absence of valuation definitions that reveal their effective risk-adjusted performance.
Fourth, the willingness of a firm to disclose is a management issue and is thus closely
related to the incentive mechanisms adopted within the firm. Senior management may not
have the proper incentives to enforce risk management disclosure when it communicates to
shareholders, financial analysts and other market participants. They may thus use risk
management disclosure as an entrenching mechanism to disguise or delay the reporting of
past errors in trading and investment activities to maintain their status, bonuses and job
security.
Finally, let us recall the primary objective of sound risk management disclosure: to enhance
the confidence of market participants in the firm's ability to identify, measure and manage
its risks appropriately. Unfortunately, this primary goal is too often lost or distorted by the
conflict between the objectives of the shareholders and the governments for risk
management. The shareholders may wish to take risks which, due to measurement
problems or externalities, the government may wish to limit. This may cause managers to
adopt strategies that shift risk to less quantifiable categories and thus manage risk less
efficiently. We hope that our proposed framework stimulates further

Muhammad Yousuf
Recommendation
Recommendation #1: The department should develop, implement and

communicate an integrated financial management control framework. In doing so, the
department should consider the following:
• The need for key financial processes to be carried out consistently across the
department;
• The need to formalize financial management roles, responsibilities, authorities and

reporting relationships;

Muhammad Yousuf
• The need to establish an effective risk-based monitoring and review function with
related accountability mechanisms; and
• The need to be able to provide assurance that financial controls are in place and
operating as intended.
Recommendation #2: The department should develop a comprehensive

financial management training strategy.
Recommendation #3: The Chief Financial Officer should clearly identify

key financial risks should at the department level, assess those risks in terms of developing
mitigation strategies to manage them effectively, and communicate the risks to senior
management and all involved in financial management. The Chief Financial Officer should
regularly reassess and update key financial risks to ensure those identified are current.

Muhammad Yousuf

Final

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Final

Uploaded by

Copyright:

Available Formats

Biztek – Institute of Business and Technology

Page 1 of 34 Prepared By: Muhammad Bilal

Page 2 of 34 Prepared By: Muhammad Bilal

Page 3 of 34 Prepared By: Muhammad Bilal

Page 4 of 34 Prepared By: Muhammad Bilal

Risk Management is a well-established field of professional expertise. It is used in a wide

The risk management process is defined as "the systematic application of management

Page 5 of 34 Prepared By: Muhammad Bilal

• provide a level of protection which is widely recognized as acceptable,

Page 6 of 34 Prepared By: Muhammad Bilal

• allow sustainable development and give access to worthwhile scientific and

Page 7 of 34 Prepared By: Muhammad Bilal

Page 8 of 34 Prepared By: Muhammad Bilal

“If you don’t actively attack the risks, they

Page 9 of 34 Prepared By: Muhammad Bilal

Page 10 of 34 Prepared By: Muhammad Bilal

Page 11 of 34 Prepared By: Muhammad Bilal

CARRYING RISK UNKNOWINGLY

Risk is the probability that some event will take place

Page 12 of 34 Prepared By: Muhammad Bilal

Risk is therefore a positive number between 0 and 100%:

• An event that will never happen has a risk of 0%

Page 13 of 34 Prepared By: Muhammad Bilal

What is Risk Management?

“Risk management is less of a set of techniques and

The individuals who take or manage risks clearly understand it.

In every financial institution, risk management activities broadly take place

Page 14 of 34 Prepared By: Muhammad Bilal

Strategic Level: It encompasses risk management functions performed by senior

Page 15 of 34 Prepared By: Muhammad Bilal

Purpose of Risk management

• Risk management is a structured approach to managing

• The process of determining the maximum acceptable

• The process, distinct from risk assessment, of weighing

• The identification and acceptance or offsetting of the

• Process of identifying and monitoring business risks in

Page 16 of 34 Prepared By: Muhammad Bilal

• The process of evaluating and selecting alternative

• Involves analyzing all exposures to the possibility of

• Decisions about whether an assessed risk is sufficiently

• Covers all the processes involved in identifying,

• Proactive steps that management can take to assess and

• The process of handling pure risk by way of reduction,

• Identification, evaluation and control of risk

• The employment of financial analysis and trading

Page 17 of 34 Prepared By: Muhammad Bilal

• A strategy developed to reduce or control the chance of

• Is the effort to reduce the likelihood that a hazard will

• The use of various management practices to reduce the

• Risk management is a system for decreasing the chance

• Risk management is the active process of identifying,

• The monitoring and controlling of various risk factors in

• Controlling the probability, and/or the severity, of a

Page 18 of 34 Prepared By: Muhammad Bilal

• Process of identifying, assessing, and reducing the risk

• 1) A family of security controls in the management

• The process of identifying, analyzing and assessing the

• Clinical and administrative activities undertaken to

• To intervene based on a performed risk assessment. It

Page 19 of 34 Prepared By: Muhammad Bilal

Guidelines for Risk Management Process Review

Risk management is a continuous, forward-looking process that is an important part of

Page 20 of 34 Prepared By: Muhammad Bilal