top of page

A Practical Guide to Risk Management - Book Review

1 March 2013

Dr. Moria Levy

"A Practical Guide to Risk Management", authored by Thomas Coleman in 2011, explores the realm of risk management theory. While its primary focus is on financial risk management, the book also provides valuable insights into various other facets of management. The author avoids delving into intricate details and formulas related to economic aspects, opting for a more encompassing summary, particularly concerning risk management.


The book covers the following topics:

  • Introduction: Living in Uncertainty and Risk Management

  • Types of risks

  • Measurement

  • Analysis

  • Reporting

  • Risk management


This book is recommended for individuals involved in risk management and may be considered essential for those engaged in financial risk management; it offers a wealth of knowledge, making it arguably the most comprehensive and in-depth resource on the subject at its writing.


Introduction: Living in Uncertainty and Risk Management

Uncertainty

We live in a world of uncertainty, with certain aspects beyond our control while others depend on our knowledge and volition. Some may express skepticism—why embrace risks? Surprisingly, every manager appears to desire and willingly accept risks.


Without risks, opportunities also cease to exist. The greater the willingness of an organization to embrace risk, the higher the likelihood of achieving elevated success or, at the very least, expedited progress.


Therefore, the initial decision confronting managers, intimately tied to how risks are handled, revolves around the level of risks they are prepared to endure or aspire to within the organization. While not inherently part of risk management, this decision significantly shapes the essence of the business. Its impact on risk management is undeniably substantial, creating a mutually dependent relationship.


Termed portfolio management, overseeing the decision on the level of risk is akin to numerous other considerations—it requires deliberate determination and should not be undertaken unwittingly.


Risk Management

Risk is a possibility where the actual profit or loss diverges from our anticipated or estimated expectations. It's crucial to note that risk management is not solely about minimizing risk; instead, it revolves around optimizing and striking a balance between risks and potential profits.


The core objectives of the field of risk management can be outlined by specifying its goals:

  1. Determining the organization's "known" risks through diligent study and examination.

  2. Explanation of risks using terminology that facilitates visibility, comprehension, and comparison.

  3. Exploration of unforeseen risks, such as those not previously encountered by the organization or its sector. The responsibility for risk management lies with the organization's managers across various hierarchical levels.


Risk management is paramount in any organization, especially in financial institutions, where it should be recognized as a core competency. We must acknowledge that we cannot directly control "luck." However, we can exert influence by addressing three key aspects:

  • Risk management: Steering the organization's direction and level of exposure to risks; adjusting the management approach based on the predetermined level of risk tolerance.

  • Damage management: Shielding the organization from the anticipated consequences if unfortunate events materialize.

  • Capitalization of prospects: Effectively managing opportunities (good luck) and leveraging them for the organization's benefit.


Consequently, risk management is an integral component of a comprehensive system designed to navigate circumstances beyond our control.


Types of risks

Risks can be examined at two levels:

  1. System-wide risks in the economy/worldwide.

  2. Unique risks associated with the specific organization in which we are located.


This book focuses on the second of the two types, a crucial consideration for every organization to understand what is not managed by managers.


Within the realm of organizational risks, various types should be managed, contingent upon the nature of the organization:

  1. Financial risks:

    a.Market risks

    b.Credit risks

    c. Liquidity risks

  2. Operational risks: Risks of loss resulting from inappropriate or failed processes, people, systems, or external events. Notably, effective management of operational risks prevents mishaps and enhances and optimizes performance, resulting in double profit.

    a. Performance risks

    b. Survivability risks (systems)

    c. Safety risks

  3. Compliance risks:

    a. Ethical risks

    b. Legal risks

    c. Regulatory risks

  4. Business risks

  5. Strategic risks

  6. Image risks:

    a. Professional reputation


(Note: The book predominantly addresses financial risks and mentions other risks without specific details. Risk categories were added by M.L..)


Measurement

Risk measurement can take either a quantitative or qualitative nature. While quantitative tools are crucial in financial risks, it is evident that in operational and other spheres, achieving quantitative measurement is only sometimes feasible.


The foundation for any measurement lies in the past—examining disasters or damages that have already manifested in the organization or elsewhere, from which inferences can be drawn for the organization. As previously mentioned, the world of systemic risk management does not concentrate on phenomena that have not occurred and are unpredictable; instead, it focuses on those already familiar to us.


Quantitative measurement revolves around comprehending the distribution of profit and loss (volatility) and its intensity at each point. The understanding of decentralization does not necessarily diminish loss but enables the effective management of uncertainty and, consequently, risk.


Without delving into the intricacies of various formulas, it is crucial to recognize that most measurements involve location and rank. The two paramount parameters for this purpose are the mean and standard deviation. The concept of decentralization is also derived from what Value at Risk (VaR) represents—the maximum statistical loss, acknowledging that predicting the maximum absolute loss is inherently unpredictable. Estimating these edge cases, which constitute the maximum statistical loss, is not straightforward due to their exceptional nature. Usually, a normal distribution (bell curve) is assumed for these estimations.


The book primarily emphasizes quantitative measurement, especially in the context of financial risks, while providing two essential insights:

  1. In quantitative measurement, a sense of security is derived, but it has limits that must be acknowledged and recognized.

  2. In qualitative measurement, particularly when risks, such as operational risks, cannot be precisely measured, the recommendation is to invest less in measurement and more in the management itself.


Analysis

Many individuals focus on measuring risks, often overlooking that the decision-maker is typically a manager rather than a risk management expert.


To arrive at sound decisions, it is imperative not only to be aware of the risk and its level but also to:

  1. Comprehend the nature of the risk.

  2. Understand its origins.

  3. Grasp how changes in risk impact the overall portfolio of the organization.


Suppose the subject needs to be encapsulated in a single sentence. In that case, the risk should be understandable enough for the manager to articulate it in their own words, ideally within two to three sentences. Such articulation typically encapsulates all the levels of analysis and understanding outlined above.


Reporting

Human nature is not inherently geared toward managing random phenomena, and there is no doubt that risks fall into the realm of randomness. Moreover, comprehending risks is not an intuitive task. Practical, intelligent, and helpful reporting is a cornerstone of any risk management system.


Recommendations for the contents of a quantitative risk management report may include, for example:

  1. Decentralization of risks of various types (as detailed in the Types of Risks section above) and their contribution to the overall risk.

  2. Identification of the three significant contributors to statistical end losses.

  3. Recognition of the three significant contributors to statistical end profits.

  4. Tailoring the portfolio to account for risks.


Risk management

Risk management constitutes the responsibility of managers within an organization. The risk management unit, along with any other function addressing the subject, aims to support the manager and equip them with tools for decision-making. Managers are tasked with making tactical or strategic decisions based on the tools provided through the preceding measurement, analysis, and reporting processes. Key components of risk management include:

  1. People Management – Incentive and Reward: The author recommends managing incentives and rewards for individuals as a preventative measure against risks. This is a non-trivial task, mainly when the interests of various stakeholders are not always transparent, and incentives or rewards may not straightforwardly align with their benefit, especially during challenging periods for the organization.

  2. Process Management: Overseeing proper processes and procedures to mitigate risks. The recommendation is to establish processes and procedures that make it challenging for individuals to engage in fraudulent activities.

  3. Systems and Data Management: Ensuring robust systems and data management to support accurate risk management.

  4. Supporting Organizational Structure: Establishing a supportive organizational structure for risk management, consisting of:

    a. Supreme Risk Committee – Establishing policies and procedures and ensuring their correct execution.

    b. Control Committee – Overseeing data accuracy.

    c. Risk Management Unit – A professional body measuring, analyzing, and reporting risks.

    d. Managers – Responsible for making decisions related to risks.

  5. Damage Control: Implementing strategies for damage control to minimize the impact of disasters if and when they occur.


In conclusion, the art of risk management lies in constructing an organization and processes that balance rigidity and flexibility—being sturdy enough to anticipate the unexpected and offering recommendations on how to prepare for it. It is essential to bear in mind that most lapses result from a combination of circumstances, and even if a single loophole exists, a well-built organization that adeptly manages risks can, in most cases, overcome challenges, avoid stumbling, or minimize losses. There is indeed hope!

bottom of page