
Chapter_1_IntroductiontoRiskManagement_Final

This document is an introductory chapter on risk management by Sonjai Kumar, aimed at readers new to the field. It covers key concepts such as the definition of risk, principles of risk management, the difference between risk management and enterprise risk management, and the importance of corporate governance. The chapter emphasizes the significance of understanding risk to enhance decision-making and organizational value.


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/360947163

Introduction to Risk Management Chapter-1

Preprint · May 2022


DOI: 10.13140/RG.2.2.11075.27689


Sonjai Kumar
Fortune Institute of International Business New Delhi India

All content following this page was uploaded by Sonjai Kumar on 30 May 2022.



This chapter is on the fundamentals of risk management, helping those readers who are new to the field of risk management.

Introduction to Risk Management
Chapter-1

Sonjai Kumar, CMIRM


Sonjai Kumar, PhD Scholar in Enterprise Risk Management at Fortune Institute of International Business (FIIB), New Delhi, 2022

Sonjai Kumar, Certified Member of Institute of Risk Management, London
PhD Scholar in Enterprise Risk Management at Fortune Institute of International Business (FIIB),
New Delhi India

Correspondence: [email protected]

https://www.linkedin.com/in/sonjaikumar/

1. Introduction
This chapter is written to help those who are new to risk management and want to understand its
fundamentals. This chapter is based on my reading of various risk management
contents and experience gained over the working period.

The chapter covers the definition of risk, benefits of risk management, principles of risk management,
differences between risk management and enterprise risk management, corporate governance, risk
management framework, and types of risks.

Examples from the insurance and banking sectors are shared to back the concepts.

I would be happy to receive any feedback or suggestions.

2. What is Risk
According to ISO 31000, the definition of risk is "The effect of uncertainty on objectives." This definition
is about the uncertainty that arises in the future; the risk is that objectives may not be met because of
that uncertainty. Therefore, for risk to exist, both conditions, "future" and "objective", must be met.

For example, if a person's objective is to go for a morning walk in a nearby park and he finds his car's tyre
punctured, this has no impact on meeting his aim of going to the park. So, the punctured tyre
has no effect; there is no risk. On the other hand, if the same person has to go to the office
using his car, finding the tyre punctured has an impact. So, a person's objective has a significant effect on
whether risk materializes or not. Similarly, for someone living in New York, rain in London has no
impact on risk.


Similarly, "future" significantly impacts whether risk occurs or not, because uncertainty arises from an
unknown future. For example, if there is no tomorrow, there is no risk even if an objective exists.
For instance, if someone on his deathbed wants to be a millionaire (objective), this presents no threat
to him, as his life is very short and he has almost no future; therefore, there is no uncertainty, so no
risk exists for him. However, if a 40-year-old man wants to be a millionaire, the future presents a chance
that he may not become a millionaire because of uncertainty.

Therefore,

Risk = Uncertainty due to future + Not meeting Objectives

3. Risk Management
Risk management helps organizations identify, understand and manage their risks and
opportunities, and thereby increase the likelihood of achieving their objective by reducing uncertainty.

The above description of risk management follows from the way risk is defined above: managing risk
means identifying it, which helps in understanding its likelihood and severity and the threats and
opportunities that uncertainty presents, and thereby helps in meeting the organization's objectives.

It is, therefore, imperative to have a complete understanding of risk. For example, Kodak is a classic case
of failing to understand strategic risk management and lacking a vision for approaching risk. Kodak
dominated the photographic film market for the entire 20th century, and it was Kodak that first built a
digital camera, way back in 1975.

The management of Kodak was so focused on film's success that they missed the digital revolution
opportunity and filed for bankruptcy in 2012.

It can be said that the digital camera was too early a development for the market to adopt in 1975, when
the entire world was focusing on film cameras.

Keeping an eye on the future is key to risk management success.

4. Why read risk management


Risk Management helps reduce earnings volatility

A study was made to investigate the effect of risk management on the earnings volatility of shares of banks
listed on the Tehran Stock Exchange.

All 20 banks listed on the Tehran Stock Exchange were studied over the period 2009-2015. It was found that
risk management has a significant effect on reducing the volatility of earnings of banks accepted on the
Tehran Stock Exchange.


Risk Management Adds Value to Shareholders

It has been found that companies that follow risk management typically add around 20% to 30%
more shareholders' value.

One study was made between 1990 and 1995 in which the ratio of market value to book value was studied
for companies carrying out hedging activities. It was found that more attractive companies were
rewarded with an average increase of 20% in market value.

Fewer Surprises

Organizations that keep an eye on the future, regularly identify risks and develop mitigation actions
reduce surprises.

Better decision making

Knowing that risk can disrupt the business helps organizations make better business decisions.
Therefore, it is strongly recommended that decision-making be risk-based, where every
decision is based on risk identification and planning for the mitigation action.

Maximize capital utilization and profit

It has been proven in many academic works that the implementation of risk management
enhances the value of the organization, capital utilization, and profits.

5. Principles of Risk Management


The fundamental principle of risk management is to add value to the organization by reducing the
volatility of outcomes.

ISO 31000 has 11 risk management principles.

The eleven risk management principles are:

1. Risk management establishes and sustains value.
2. Risk management is an integral part of all organizational processes.
3. Risk management is part of decision-making.
4. Risk management explicitly addresses uncertainty.
5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates the continual improvement of the organization.


6. Difference between Risk Management and Enterprise Risk Management (ERM)
As the name suggests, "Enterprise" means companywide risk management: risk management that
starts at the top of the hierarchy at the Board level and goes down to the last employee in the Company's
supply chain.

Fragmented risk management does not work, as risks are highly correlated and cannot be segmented
and managed independently. Correlated risk is the simultaneous occurrence of many losses from a
single event. For example, natural disasters such as earthquakes, floods, and hurricanes produce highly
correlated failures: many homes in the affected area are damaged and destroyed by a single event.

Managing risks independently also costs more, because the benefit of diversification of risks
is not realized. For example, liquidity risk may arise due to the crystallization of credit risk. If you
manage both risks independently, it will be very expensive; however, if you manage just the credit
risk, liquidity risk will be automatically managed.

So, enterprise risk management offers excellent value compared with silo risk management.

What is ERM?
• ERM is a risk management process integrated across the Company, flowing from the top
of the hierarchy, with ownership by the Board, down to the last employee in the chain.

• In ERM, risk management is part of the daily working culture and an integral part of the
decision-making process.

In ERM, risk management is not done once in a while; it is a daily part of the working culture. In every
activity, all employees should think like front-line risk managers; "what if" thinking should be
an everyday part of the culture. In ERM, risk management is not just the work of the risk function;
everyone takes ownership of risk management.

To progress systematically, ownership of the different risks needs to be defined, employed, and
executed

Under ERM, ownership of the risks is defined. Generally, the function head takes ownership of their
respective risks.

A risk owner is an accountable point of contact for an enterprise risk at the senior leadership level who
coordinates efforts to mitigate and manage the risk with various individuals who own parts of the risk.
The responsibilities of the risk owner are to ensure that: ... Risks are clearly articulated in
risk statements.

Broken links are a recipe for disaster


Under the ERM structure, if links break down, for example, if the underwriting and claims teams within an
insurance company stop talking, then the flow of information between them breaks down. This
may lead to an increase in the number of claims. Therefore, all the links within the Company must be
working well.

It's like the entire body linked through the veins and blood flowing through it; if any vein is cut, there will
be a severe problem within the Company, and the risk management cycle will break.

Accountability at the top, part of ERM

As mentioned above, under ERM, the Board at the top of the hierarchy has the overall responsibility of
providing oversight by developing policies and procedures around risk that are consistent with the
organization's strategy and risk appetite. The Board also ensures that the policies approved and the risk
appetite set are followed and reported back to the Board regularly, often quarterly.

• One of the critical causes of the 2008 economic crisis is attributed to the failure of the different
Boards to execute a proper risk assessment plan.

• Some of the questions raised in the post-2008 economic crisis analysis concerned:

  ◦ Composition of the Board / age of the members

  ◦ Relevant experience and qualifications of independent directors

  ◦ Infrequent meetings

  ◦ Remuneration structure not based on performance

• For ERM to be successful, the Board is to play a key role in executing the ownership of all risk
management policies, oversight, action plans, etc.

• Without proper Board involvement, ERM cannot be successful.

• This will depend on what the overall governance structure should be.

Role of the hierarchy, part of ERM


Hierarchical structure plays a significant role in the success of risk management.

• The tone from the top at the CEO level makes a lot of difference; it has been found that where the tone
from the top is strong, the Company has performed well on the ERM front. A tone from the top
sets the right pitch and culture for embedding risk management within the organization. Such
a tone from the top should be a regular feature rather than a one-time thing.

• In a Company with sound risk management embedding, a separate Risk Management Function
is required, headed by the CRO, to implement the risk management policies approved by the Board
across the Company. The job of the risk management function is to provide oversight of risk
management and help develop the risk culture.

• The role of the CRO is the implementation across the Company of the risk management policies
approved by the Board. In addition, the CRO is responsible for all risk management strategies
and operations and for supervising the organization's risk mitigation and identification procedures.

• The role of CROs is becoming crucial at a global level as they provide independent review and
challenge of all the risks within the organization. A CRO needs to have a futuristic vision to
challenge the business plan and the products that are priced and distributed, and to question the
Company's strategy and the risks embedded within it.

• A good CRO should have the following skills:

  ◦ Keeping up to date and well-read, aware of daily events and developing risks

  ◦ Good understanding of the industry and business

  ◦ Understanding the needs of the business

  ◦ Critical thinking and consulting skills

  ◦ Good communication skills

  ◦ Technical skills

  ◦ Ability to influence

7. Corporate Governance
Corporate governance is the way the Board runs the Company and sets and controls the processes in the
best interest of stakeholders.

Corporate governance is the combination of rules, processes, or laws by which businesses are operated,
regulated, or controlled. The term encompasses the internal and external factors that affect the
interests of a company's stakeholders, including shareholders, customers, suppliers, government
regulators, and management.

Corporate governance is essential for the success of risk management. If the corporate governance is
not strong, then risk management cannot succeed because the holes within the corporate governance
will dilute the impact of risk management, or it will not let risk management apply appropriately within
the organization.

Typical best practices in Corporate Governance are:

1. Communication with stakeholders
2. Independence of Board
3. Board performance
4. Board Compensation arrangement

8. Risk Management Framework


To carry out risk management within an organization, the Company requires a risk management
framework. A risk management framework is the combination of all tools and techniques that will be used
for risk management purposes.

The risk management framework has specific components such as risk policies, risk management
process, the risk appetite of the Company, and what defense structure the Company is following, such
as three lines of defense.

• Risk Policies

• Risk Management Process

• Risk Appetite

• Three Lines of Defence Model

Some companies may have a few more components within the risk management framework.

Risk Management Policies


Risk management is defined as the culture and processes for the systematic application of management
policies, procedures, and practices to the tasks of establishing the context, identifying, analyzing,
assessing, treating, monitoring, and communicating risks.

The types of risk management policies will depend on the type of business because risks change with
the industry, so relevant policies are required to address those risks. For example, financial
companies will have financial risks such as interest rate, equity, liquidity, etc. In contrast, the
manufacturing industry will have non-financial risks such as risks to the supply of raw materials, third
party risk, etc. So, the two types of companies have to write different risk management policies.
However, most companies will have some common policies, such as operational risk policies, because all
companies use people, processes, and systems, resulting in operational risk.

As another example, in insurance the key risks are mortality, interest rate, lapses, etc.; in banking,
however, the key risks are credit risk, liquidity risk, etc.

Certain risk policies could be common, such as Operational Risk, as every Company runs through its
operations.


Risk Management process


The risk management process consists of five related risk management activities, each dependent on
the previous step. The risk management process is a crucial step as it forms the risk management
engine. The risk management process includes

1. Risk identification
2. Risk measurement
3. Risk management
4. Risk monitoring
5. Risk reporting

[Figure: the risk management process drawn as a cycle: Risk Identification → Risk Measurement → Risk Management → Risk Monitoring → Risk Reporting → back to Risk Identification]

Risk Identification
Risk identification is an essential part of the risk management process. If risks are missed or not
identified or inadequately identified due to any reason, then subsequent steps will not be performed.

It is just like visiting a doctor: if you go to the doctor and tell him about your disease and your disease is not
identified correctly, you will get either the wrong medicine or inadequate medicine. So, risk
identification is a crucial step. When people are asked what the risk is, they will say there is no risk,
or it will not happen, or it has never happened. Such statements do not help in risk identification;
therefore, there could be four situations:

1. The first situation is "I know what I know", which means you are aware of what you know.

2. The second situation is perhaps the best ("I know what I don't know"); you are aware of what you
know and what you do not know.

3. "I don't know what I know"

4. "I don't know what I don't know"

The first situation is clear. In the second situation, you know what you don't know, so you will be able to
find the risk. The challenge comes in situations 3 and 4, when you don't know. You have to explore the
risks under categories 3 and 4, and this can be done by identifying the sources of risks.

Issues and Risk

In risk identification, one must be clear about the difference between issues and risks. A risk is
futuristic and yet to happen, while an issue or problem has already occurred. So, during risk
identification, issues or problems are to be left for auditors to handle because they have already
happened. This clarity is essential so that issues or problems are not included in the risk identification
process. Instead, ask whether it has happened or will happen; if it is "will happen," then it is a risk;
otherwise, it is an issue or a problem.

Cause and Effect

In risk identification, there is a strong cause-risk-effect relationship. A cause leads to
an event or risk, and the event leads to an effect. They occur in sequence. While doing the risk
identification, one needs to be careful not to put a cause or an effect in the risk bucket. For example, poor
wire quality leads to a fire destroying the building. Here, poor wire quality is the cause of the fire; the fire is
the event or risk, and destruction due to fire is the effect. Therefore, poor quality of wire or destruction of
the building cannot be placed under the risk category. Here the risk or event is fire. This cause-event-effect
relation helps in risk mitigation by placing controls on the cause: better quality of
wire will help prevent fire and the destruction of the building.

Sources of risk

As stated above, the cause is the driver of risk, and while doing the risk identification, the causes of risk
should be addressed. This is also referred to as sources of risk. If sources of risks are known, it will help
in spotting the resulting events leading to risk. So, in the quest to identify risk, one should always scan all
sources of risks, such as all environments around your organization which could be internal or external.

There will be no risk to the person from an increase in urbanization as that will not change the value of
retirement proceeds or a steady flow of income.

Risk Measurement
Risk measurement helps organizations prioritize the risks on which management should take action. Not
all risks are material, so quantification in terms of likelihood and severity helps decide which actions to
take based on the organization's risk appetite.

Both likelihood and severity are measured; the quantifiable risks, such as interest rate risks, liquidity
risks, etc., are measured through statistical methods, while the non-quantifiable such as people,
process, or system risks, are measured in terms of a scale of low, medium and high.


Overall, risk is quantified as Probability × Severity.

Risk Management
There are four methods of management of risk in the risk management domain; they are

1. Accept the risk

2. Manage the risk

3. Transfer the risk

4. Avoid the risk

[Figure: risk management matrix; vertical axis: Impact, horizontal axis: Likelihood]

                 Low likelihood        High likelihood
High impact      Transfer Risk         Avoid Risk
Low impact       Accept Risk           Manage Risk

Acceptance of Risk:

The first option available to risk professionals is to accept the risk. But not every risk can be
accepted. Therefore, only those risks with low likelihood and low impact are accepted. Such risks are often
within the acceptance range of the organization or within its risk appetite. In the insurance business, an
example of such acceptance is a healthy proposal accepted at standard premium rates. Similarly, in the
banking sector, customers with good credit ratings are accepted for loans at the standard interest rate.

Manage the Risk:

The second option for risk professionals is to manage the risk. Such risks are generally high on
likelihood and low on the impact scale. In the insurance business, certain customers are non-standard
lives, such as customers with diabetes, hypertension, heart disease, etc. Such customers are
accepted by the insurance company with an extra premium; here, the chances of making a claim are
higher, so they are categorized under a separate bucket to manage the risk. Similarly, in the banking
industry, customers with poorer credit ratings are accepted for a loan with a higher interest rate
to manage the risks with a higher premium. So, where an organization sees that the likelihood of a claim
is high but the impact is low, it accepts and manages the risk. Another practical example of
management of risk is wearing a seatbelt while driving a car or wearing a helmet while riding a
two-wheeler. Having a sprinkler system is another example.

Transfer the Risk:

The third option with the risk professionals is to transfer the risk. Those risks that are low in likelihood
and high in impact are transferred to a third party. Such risks under the insurance business are those
risks that are either of high value (say more than USD 5 million) or very substandard life where the
impact of claims will be higher. Such risks are reinsured with the reinsurance company by paying a
premium to a reinsurer. So, the insurance company transfers the risk to the reinsurance company.

Avoid the Risk:

Those risks that have a high likelihood and high impact should be avoided. Bank customers with
very high default rates on loan repayment will be declined for a loan, as the Bank wants to avoid giving
such a loan to the customer. Such risk is outside the appetite of the Company. We are in a lockdown
situation because we want to avoid the risk of contracting the COVID virus.

Residual Risk

Risk mitigation helps in reducing the overall risks to the Company. However, it is possible that after
applying the risk mitigation, some risk remains within the Company; such risks are referred to as
residual risk. The residual risk should be within the risk appetite of the Company.

If the residual risk is outside the appetite, the Company may have to re-work the objectives, persuade
shareholders to pump in more money, or drop the objective. Examples could be entering
unknown markets, trying new products, or making a hefty investment in a troubled area with many
anti-social activities.

Risk Monitoring
Risk monitoring acts as a feedback loop. Before risk monitoring, there are three steps: risk identification,
measurement and management. Monitoring shows whether the risk identification was adequate
or whether the risk identification method needs to change.

Also, monitoring lets the organization know whether the risk quantification was adequate; for example,
who would have thought the world economic activity would stop between December 2019 and March
2020? So, the quantification was very poor during this period.

Monitoring helps in assessing the risk mitigation plan; in certain countries, the lockdown during the peak
of COVID-19 was either slow or inadequate, leading to many deaths, so what would you say about the
management plan? It was perhaps insufficient, and a more stringent lockdown was required.

So, the monitoring exercise gives time and space to look back, take stock of the situation and make
corrections for the future.

Actual performance against the expected

As the future is unknown, assumptions are made about it; those assumptions are based on past
experience, present data, and professional judgment. However, reality may still differ from what was
expected. So, monitoring gives the opportunity to make corrections when setting assumptions for the
future. Such assumption setting is widespread in the life insurance business, which is long term in
nature: 15 years, 20 years or even whole life.

Early warning signals

Monitoring also allows the organization to spot a trend and identify the early warning signal. For
example, if the country's GDP is regularly declining quarter after quarter, it gives a warning signal that
there could be something wrong, which will help find the reason and correct the problem.

Examples of Risk Monitoring


1. Regularly assessing the development of GDP against the target and making changes if it is
lagging behind the target.

2. On the business front, regularly tracking profit against the target helps in taking corrective
action or identifying new risks such as the emergence of a competitive product, a change in
customer behavior, or a change in customers' financial situation due to a change in economic
conditions.

3. It is common for insurance companies to monitor the actual claims experience against the
expected to know whether actual claims are higher or lower.

4. In many financial products, certain future interest rate assumptions are made; it becomes
essential to determine whether the actual interest rate rises or falls against the assumptions
made. Such actual movement in the interest rate may lead to profit or loss for the Company.

5. It is essential to know how brand value is doing from a marketing perspective. Such monitoring
is necessary for the Company's popularity, brand recall, and future product sales.

6. If there is a deviation from the expected line, the advantage of monitoring is taking corrective
action and completing the risk management process cycle.


Risk Reporting
Risk reporting is the final step in the risk management process. It enables the Company to communicate
the risk and other information to all relevant stakeholders. The key stakeholders are the Board of the
Company, Risk management committee, Audit Committee, senior management, employees, regulators,
rating agencies, securities exchange, and customers, both current and future.

Summary of the risk management process


The first step of the risk management process is risk identification, which can be performed by
brainstorming, the workshop method, stress and scenario testing, SWOT, surveys, etc. There are many more
methods of risk identification that will be covered in later chapters.

Similarly, the second step is risk measurement, where risks are measured quantitatively or qualitatively.
The quantitative method is used where risks are measurable by a number, such as interest rate risk,
while under the qualitative method, risks that are not measurable by a number are measured on a scale
of low, medium, and high, or other scales.

The third step is risk management; there are four ways: accept the risk, manage the risk, transfer the
risk or avoid the risk.

Risk monitoring is a feedback loop and refines all the previous steps of the risk management process.

In risk reporting, communication about the risk is made to the relevant stakeholders.

The risk management process is critical and forms the engine of risk management.

Three Lines of defense


The first line of defense is the business unit, the second line of defense is the risk and compliance
function, and the third line of defense is the audit function.

Under the three lines of defense model, the first line is to identify its risks and the mitigation actions;
since the business units are subject matter experts in their areas, they are best placed to identify the
risks and the mitigation actions.

The integration of enterprise risk management comes when the first line of defense acts as a risk
manager.

The role of the second line is to provide oversight of the risks that have been identified by the first
line of defense and to carry out the monitoring and reporting activities. The second line is to see whether
the first line has identified all the risks and their mitigation actions or whether something has been
missed. The second line is to challenge the first line and ask the right questions; therefore, risk
managers should have interpersonal skills and consulting skills to guide the first line in mitigating risk.

The failure of the second line comes when it fails to raise adequate reviews, does not ask the right
questions, and does not challenge the first line's work enough. This often creates conflict between the
first and second lines.

The second line also provides guidance on risk management matters, frames the risk management policies,
takes the lead in different risk committees, and acts as an internal regulator.

The third line of defense is the audit function; it provides independent assurance to the Board on
different aspects of risk management, the effectiveness of governance, and internal controls within the
Company.


Summary of Risk Management Framework


The above sections covered the following areas under the risk management framework.

1. Risk Policies

2. Risk Management Process

3. Risk Appetite

4. Three Lines of Defence Model

9. Types of Risks
This section covers different types of risks, such as financial risk, insurance risk, operational risk,
regulatory risk, and reputational risk.

Financial Risk
Financial risk is the possibility of losing money on an investment caused by market movements due to
factors such as Credit Risk, Liquidity Risk, interest rate risk, and foreign exchange risk.

Equity Risk

Equity risk arises due to adverse movement in the equity value. Such adverse movement happens when
the equity market falls and investors lose money. There are times when the equity market crashes and
investors lose a substantial part of the value of their assets.

The key equity risk to banks is that a bank accepts equity as collateral against a loan; if the equity
market falls and a customer defaults on the loan repayment, then the outstanding value of the loan
will not be covered by selling the equity in the market.

Similarly, in the insurance business, a fall in the equity value leads to lower customer maturity or
surrender value, leading to customer dissatisfaction and impacting future new business sales.

Equity investment should be made carefully, after understanding the customers' risks and individual risk
appetite.

Interest rate risk

Interest rate risk is the fluctuation in interest rates leading to a change in the value of assets and
liabilities. For example, the value of assets or liabilities increases if the interest rate falls, while
the value of assets or liabilities falls when the interest rate rises.

In the banking sector, assets (loans given) are of longer tenure than liabilities (deposits), so if the
interest rate rises, the value of assets falls more than the value of liabilities, leading to a mismatch
between assets and liabilities.


In the insurance sector, liabilities (customers' payouts) are longer than assets (investments), so when
the interest rate falls, the value of liabilities rises more than the value of assets, leading to a
mismatch between assets and liabilities; a fall in the interest rate is therefore a risk in the insurance
business.

Liquidity Risk

Liquidity risk is the risk of not being able to convert the available assets into liquid cash when needed
to pay out the liability. Liquidity risk does not mean that the Company does not have money or that it is
insolvent; it simply means that the assets are not converting into cash. Such an illiquid asset could be
property; property is not easily liquidated, and it may take time to sell a property in which a Company
has invested in order to meet the payouts.

Liquidity risk arises more under conditions of economic stress, when certain assets either cannot be
liquidated or will not fetch an adequate market price. For example, during the COVID situation, most
property prices fell. If the property is put up for sale, there will not be enough buyers, and even if
buyers are there, the property could fetch a price lower by 30% to 40%, for example.

Liquidity risk also arises when liquidity from the market dries up.

Liquidity risk arises when rating agencies downgrade the rating of certain companies, in which case the
assets become illiquid: there are not enough buyers for low-rated assets.

Liquidity risk is one of the key risks in financial institutions.

Foreign Exchange risk

Foreign exchange risk is the risk of financial loss resulting from changes in foreign exchange rates. The
Company is exposed to this risk when its financial transactions are denominated in a foreign currency.
Export and import businesses are greatly affected by foreign exchange risk.

Insurance risk
Three key risks specific to life insurance are mortality, expense, and lapse. Along with mortality, two
other risks of the same family are morbidity and longevity risks.

Mortality risk is defined as the actual number of claims being higher than expected. This means that if
one expects 100 deaths in a year from the policies that have been sold, and the actual number of deaths
turns out to be 120, there are 20 extra deaths for which the Company has not priced the risk, and it has
to pay the 20 claims from its own pocket, which is a loss.

Morbidity risk is related to sickness instead of death, as in the case of mortality. The definition is
similar: actual sickness claims are higher than expected.

Longevity risk is related to living longer than expected. In the insurance business, this comes with
pension products, where the life company expects that it has to pay a pension for, say, 15 years but
the customer actually survives for 20 years. In this case, the Company is to pay five years of extra
pension from its own pocket, which is a loss.

Expense Risk

Expense risk is, in fact, common in all businesses where actual expenses turn out to be higher than
expected. The situation in the life insurance business is slightly complicated as the business is long term,
the premium is level for the premium paying period, and incidences of expenses are uneven with very
high initial expenses leading to a problem in recovery if the future premium does not come.

Lapse risk

Lapse risk occurs when policyholders stop paying future premiums; this leads to loss because a certain
premium volume is assumed when the product is priced. As stated above, lapse risk leads to non-
recovery of expense. Lapse risk occurs when the customer is either not satisfied with the product or the
product is mis-sold to him, or the customer faces a financial crisis and is unable to pay the premium. If
the premium is not paid, the policy lapses and future benefits get terminated then and there.

Operational risk
The operational risk is defined as a risk of loss resulting from inadequate or failed internal processes,
people, and systems or from external events.

Operational risk is present in all businesses because every company has people, processes, systems,
or a combination of these. Therefore, operational risk is in all companies.

The building block of operational risk is that a "cause" leads to an "event", and the event leads to a
"consequence". The cause may be people, processes, systems, or a combination of these. It is
important to note that one cannot control the event or the consequence because both result from the
cause. So, in operational risk management, applying control on the "cause" is the only way to manage
the operational risk.

For example, because of an inefficient recruitment process, the Company has recruited incompetent
people, which led to a material error in the business plan, leading to the loss of millions of dollars.
The event is the error in the business plan, and the consequence is the loss of millions of dollars, but
one cannot control either the event or the consequence without addressing the cause. The cause is an
ineffective recruitment process; once the recruitment process is strengthened, the Company can hire the
right people, with appropriate qualifications and experience, to make a robust business plan.


Regulatory risk
Regulatory risk occurs when the Company breaches the regulation and commits fraud or any illegal
activities that may lead to a penalty, warning, restriction in doing certain business, administrative
takeover, or suspension of license to operate.

Management often has zero appetite for regulatory risk; such a breach of regulation also leads to a loss
in reputation.

Reputational risk
Reputational risk is a risk of loss resulting from damage to a firm's reputation, leading to a loss in
revenue; increased operating capital or regulatory costs; destruction of shareholder value, etc.

As with operational risk, where the cause is the responsible factor, under reputational risk the loss of
reputation may happen because of specific causes. So, a loss in reputation is at times a consequence of
another event. For example, consistent customer complaints on social media may lead to a loss in
reputation that may adversely impact the firm's business.

-----------------------------------------End---------------------------------------
