INTRODUCTION TO RISK MANAGEMENT
LOS 6.a: Define risk management.
LOS 6.b: Describe features of a risk management framework.
LOS 6.c: Define risk governance and describe elements of effective risk governance.
LOS 6.d: Explain how risk tolerance affects risk management.
LOS 6.e: Describe risk budgeting and its role in risk governance.
LOS 6.f: Identify financial and non-financial sources of risk and describe how they may interact.
LOS 6.g: Describe methods for measuring and modifying risk exposures and factors to consider in choosing among the methods.
LOOK AT THESE BEFORE EXAM
- Risk is exposure to uncertainty.
- Risk management is not minimizing risk. It is choosing, measuring, monitoring, and modifying risk so it stays aligned with goals and tolerance.
- Risk governance is the top-down guidance from the governing body.
- Risk tolerance asks, "How much pain can we live with?" Risk budgeting asks, "Where exactly will we spend that pain budget?"
- Financial risks: market risk, credit risk, liquidity risk.
- Non-financial risks: settlement, legal, regulatory, accounting, tax, model, tail, operational, solvency, health, mortality, longevity, property and casualty.
- Value at risk is a minimum tail loss, not a maximum loss.
- Scenario analysis and stress testing are common sense checks: "If this ugly thing happens, what breaks?"
- Risk can be modified by prevention and avoidance, acceptance and self-insurance, transfer through insurance, and shifting through derivatives.
MEMORISE
- Risk management = define desired risk, measure actual risk, and adjust actual risk toward desired risk.
- Good risk management does not prevent all losses. It reduces surprise and improves decisions.
- Risk framework pieces: governance, identification and measurement, infrastructure, policies and processes, monitoring and mitigation, communication, and strategic analysis.
- Risk governance should take an enterprise-wide view.
- Risk tolerance comes before risk budgeting.
- Risk budgeting allocates tolerable risk by metrics or risk characteristics.
- Risks interact. The combined damage is often worse than the simple sum.
- Risk is exposure to uncertainty. What is uncertainty: not knowing with complete confidence what outcome will happen.
- In plain English, risk means life refuses to sign a fixed contract with you. Good things can happen, bad things can happen, and most of the time you do not fully control either.
- The reading focuses on economic and financial risk, especially for investing and business decisions. That is the part the CFA curriculum cares about most.
- Business and investing are really about allocating capital to chosen risks. You do not get to directly choose returns; you mostly choose which risks you are willing to bear.
- This is why risk management matters. It is one of the few levers management can actually pull before the future shows up.
WHAT RISK MANAGEMENT REALLY IS
- Risk management is the process by which an organization or individual defines the level of risk to be taken, measures the risk being taken, and adjusts the second toward the first.
- What is "defines the level of risk to be taken": deciding how much uncertainty, loss, or failure chance is acceptable before acting.
- Why is risk management used: to maximize company value, portfolio value, or personal utility while staying inside a tolerable risk zone.
- Risk management is not about avoiding all risk. A company that avoids all risk is basically choosing not to operate.
- The reading says return without risk is usually a false hope. That line matters because many people secretly want reward without uncertainty, which is fantasy, not finance.
- Risk exposure is the extent to which an organization is vulnerable to a risk. What is vulnerability here: how strongly value or cash flow changes when the underlying risk driver moves.
- The yen example in the source is useful. The risk driver is the exchange-rate move, the risk position is the yen amount held, and the risk exposure is the possible gain or loss from that position.
- The word risk itself is slippery. Sometimes it means the underlying uncertainty, sometimes the risky position, and sometimes the resulting loss range.
- The reading suggests cleaner language: risk driver, risk position, and risk exposure. That is a good way to stop yourself from getting lost in vague wording.
- Good risk management means fewer surprises. What is "no surprises" here: not predicting every shock, but understanding in advance how badly the shock could hurt you.
A BANK AND A REAL ESTATE CRISIS
A good bank risk manager was not expected to predict the exact day a real estate crisis would explode. But the manager was expected to show management what a severe property crash could do to capital before the crash ever arrived.
That is the point: the surprise should be the market event itself, not the scale of the damage to your own institution.
- A poor risk process does the hard work after the explosion. A good risk process does most of the hard work before the explosion.
- Because risks and exposures keep changing, risk management is continuous. It is not a one-time memo and definitely not a one-time spreadsheet.
RISK MANAGEMENT FRAMEWORK
- A risk management framework is the infrastructure, process, and analytics needed to support effective risk management in an organization.
- What is infrastructure: the systems, data, models, and people needed to capture exposures and analyze them.
- The framework is not one-size-fits-all. It should be built around the enterprise's own goals, constraints, and real risks.
- The framework has seven main pieces in the reading: risk governance, risk identification and measurement, risk infrastructure, policies and processes, risk monitoring and mitigation, communication, and strategic analysis.
- Governance is the top-level system of structures, rights, and obligations by which the organization is directed and controlled. In most firms this sits at board level.
- Risk governance is the top-down guidance that aligns risk activity with the goals of the whole enterprise. That "whole enterprise" point is the soul of the section.
- Risk identification and measurement is the quantitative and qualitative core. It asks two things: what can hurt us, and how big can the hurt get?
- Risk infrastructure includes risk capture, databases, models, scenario engines, reporting tools, and skilled people. If any one of these is weak, the whole machine lies more easily.
- Policies and processes are governance translated into daily behavior. They include limits, checklists, escalation rules, and decision rules so risk thinking becomes operational, not ceremonial.
- Risk monitoring, mitigation, and management is the active loop. You measure risk, check whether it is in line with tolerance, and if not, you act.
- Communication matters because risk information is useless if it lives in a quiet corner of the firm and never reaches decision makers.
- Strategic analysis is the offensive side of risk management. It helps management ask which activities are truly adding value for the risk taken.
HOW THE ENTERPRISE LOOP WORKS
- The framework diagram in the source starts with goals. Then governance sets risk tolerance and often gives some risk-budgeting guidance.
- Management then chooses strategies and allocates capital to risky activities consistent with that governance guidance. That is where actual exposures are born.
- Once risky activities are chosen, the framework identifies and measures risks, monitors them, and checks whether they remain in line with tolerance and policy.
- If risks are out of line, mitigation actions are taken. If they are in line, monitoring continues and reports feed back into decisions.
- This loop creates many feedback channels. Good risk management is not linear. It is more like a nervous system constantly checking whether the body is still okay.
INDIVIDUAL RISK MANAGEMENT
- The same framework applies to individuals, just in a smaller and less bureaucratic form. An individual is basically their own governing body.
- The six simplified steps for an individual are: define goals, choose investments and identify risks, evaluate exposure, modify risk if needed, implement the solution, and review the outcome.
- Many individuals do some of this informally, but badly. They insure the obvious things and ignore the subtle ones until life punches them in the mouth.
- A personal risk culture means understanding how life, health, career, liquidity, and investments interact instead of pretending the portfolio lives on a separate planet.
RISK GOVERNANCE
- Risk governance is the foundation for everything else. If the top of the organization is confused, the rest of the framework becomes theater.
- The governing body sets goals, direction, priorities, and risk appetite. What is risk appetite: the broad sense of which risks are acceptable, limited, or unacceptable.
- Enterprise risk management means looking at the whole balance sheet and whole business, not just one exciting corner in isolation.
- The pension-fund example shows why this matters. Looking only at pension assets while ignoring pension liabilities can create a fake sense of safety.
- If liabilities are bond-like and the manager goes aggressively into equities for growth, a market collapse with falling rates can crush assets while liabilities rise. That is how you hurt the whole enterprise.
- A risk management committee is part of good governance. Why is it used: it creates a recurring forum where top decision makers actively discuss risk issues instead of noticing them only during disasters.
- A chief risk officer (CRO) is another hallmark of strong governance in a large organization. The CRO should help build and run the framework, not merely play police officer after mistakes.
- Visible commitment from the top matters. If the board treats risk as a boring compliance nuisance, the rest of the organization will copy that attitude.
RISK TOLERANCE
- Risk tolerance is the extent to which the organization is willing to experience losses, opportunity costs, and failure to meet objectives. This is one of the most important sentences in the reading.
- The inside view asks: what internal shortfalls would seriously hurt or even break us? The outside view asks: what external uncertainties or risk drivers hit us?
- The Spanish construction-equipment company example ties this together well. It worried about revenue decline, debt covenants, critical cash flow needs, currency risk, interest rates, and industrial equity returns.
- Risk tolerance should be decided before a crisis, not after. Buying governance after the damage is like buying insurance after the fire.
- A firm's goals, core competencies, fragility, competitive setting, regulation, and ability to respond to stress all help shape risk tolerance.
- Some things should not drive risk tolerance but often do anyway: board ego, short-term pressure, compensation design, and fake calm during stable markets.
- For individuals, risk tolerance is harder because the objective is utility, not a quoted market value. A life is messier than a public company.
RISK BUDGETING
- Risk budgeting comes after risk tolerance. Risk tolerance says how much pain is acceptable. Risk budgeting says where and how that pain allowance will be allocated.
- Risk budgeting is any way of allocating a portfolio by risk characteristics rather than only by asset labels. This is much more informative than just saying "20% here, 30% there."
- The reading gives a strong contrast. A traditional allocation view might say hedge funds, private equity, stocks, and bonds. A risk view might say global equity risk, domestic equity risk, interest-rate risk, illiquidity risk, and factor tilts.
- Common single-dimension risk-budget tools are standard deviation, beta, value at risk, and scenario loss. More advanced approaches budget by risk classes or risk factors.
- The big benefit is discipline. If risk is a budget, every new investment must justify the risk it consumes instead of acting like risk is free.
- Risk budgeting also forces comparison against passive alternatives. That is a beautiful hidden benefit: you stop asking only "Is this attractive?" and start asking "Is this attractive for the risk versus the market?"
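The risk view versus the asset-label view can be made concrete. The added Python example below is not from the reading; the three-asset portfolio, its volatilities, correlations and the budget limits are all constructed numbers. It computes how much of total portfolio risk each position consumes (w_i times (Cw)_i over portfolio variance, which sums to 100%) and compares that with a governance-set risk budget, so that a 30% capital allocation to bonds turns out to consume only about 3% of the risk while the two equity lines together consume about 97%.

```python
from math import sqrt

# Constructed three-asset portfolio (made-up numbers, not from the reading):
# capital weights, annualised volatilities and a correlation matrix.
ASSETS = ["global_equity", "domestic_equity", "govt_bonds"]
WEIGHTS = [0.40, 0.30, 0.30]          # the "40% here, 30% there" capital view
VOLS = [0.18, 0.20, 0.06]             # annualised standard deviation of each asset
CORR = [
    [1.00, 0.80, 0.10],
    [0.80, 1.00, 0.05],
    [0.10, 0.05, 1.00],
]

# Risk budget: the share of total portfolio risk each asset is allowed to consume.
# Constructed limits, standing in for what governance would set.
RISK_BUDGET = {"global_equity": 0.45, "domestic_equity": 0.40, "govt_bonds": 0.15}


def covariance_matrix(vols, corr):
    """cov[i][j] = corr[i][j] * vol_i * vol_j."""
    n = len(vols)
    return [[corr[i][j] * vols[i] * vols[j] for j in range(n)] for i in range(n)]


def portfolio_volatility(weights, cov):
    """sigma_p = sqrt(w' C w)."""
    n = len(weights)
    var = sum(weights[i] * cov[i][j] * weights[j] for i in range(n) for j in range(n))
    return sqrt(var)


def risk_contributions(assets, weights, cov):
    """Share of total risk each asset consumes: w_i * (C w)_i / sigma_p^2.
    The shares sum to 1, so they compare directly with a percentage risk budget."""
    n = len(weights)
    cw = [sum(cov[i][j] * weights[j] for j in range(n)) for i in range(n)]
    var = sum(weights[i] * cw[i] for i in range(n))
    return {assets[i]: weights[i] * cw[i] / var for i in range(n)}


def budget_breaches(shares, budget):
    """Assets whose realised risk share exceeds the budgeted share, in asset order."""
    return [name for name in shares if shares[name] > budget[name]]


def capital_vs_risk(assets, weights, vols, corr):
    """Side-by-side capital weight and risk share for each asset."""
    cov = covariance_matrix(vols, corr)
    shares = risk_contributions(assets, weights, cov)
    return {a: (w, shares[a]) for a, w in zip(assets, weights)}


if __name__ == "__main__":
    cov = covariance_matrix(VOLS, CORR)
    print(f"portfolio volatility: {portfolio_volatility(WEIGHTS, cov):.2%}")
    for name, (w, share) in capital_vs_risk(ASSETS, WEIGHTS, VOLS, CORR).items():
        print(f"{name:16s} capital {w:5.0%}  risk {share:6.1%}  budget {RISK_BUDGET[name]:5.0%}")
    print("over budget:", budget_breaches(risk_contributions(ASSETS, WEIGHTS, cov), RISK_BUDGET))
```

With these inputs both equity lines breach their risk budget even though their capital weights look unremarkable, which is exactly the discipline the reading describes: a new or enlarged position has to justify the risk it consumes, not the capital it occupies.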
FINANCIAL AND NON-FINANCIAL RISKS
- The three primary financial risks are market risk, credit risk, and liquidity risk.
- Market risk is the risk arising from movements in interest rates, stock prices, exchange rates, and commodity prices.
- Credit risk is the risk that a counterparty fails to pay what is owed on a bond, loan, swap, forward, or other obligation.
- Liquidity risk here means the risk of having to sell an asset at a big valuation concession because market conditions are stressed or buyers are scarce.
- The key thing with liquidity risk is uncertainty. A normal bid-ask spread is a cost. A sudden collapse in the price you can actually sell at is a risk.
- Non-financial risks include settlement risk, legal risk, regulatory risk, accounting risk, tax risk, model risk, tail risk, operational risk, and solvency risk.
- Settlement risk is the risk that one side pays or delivers but the other side fails to complete the transaction on time. The Herstatt story sits behind this idea.
- Legal risk includes being sued and also the risk that a contract is not upheld the way you expected.
- Model risk is the risk of a valuation or decision error from using the wrong model or using the right model wrongly.
- Tail risk means extreme outcomes occur more often than simple models, especially normal-distribution models, would suggest. The source absolutely hammers this.
- Operational risk comes from failed people, systems, internal processes, and damaging external events affecting operations.
BARINGS, HOME DEPOT, AND WHY "INTERNAL" RISK CAN BE SAVAGE
Nick Leeson did not destroy Barings Bank with a random weather report. He destroyed it through uncontrolled trading and failed controls. Home Depot's data breach was not "just bad luck" either. Cyber threats are external, but vulnerability is still an internal operational problem.
That is why operational risk deserves respect. It can kill very old institutions in embarrassingly human ways.
- Cyber risk is now a major operational risk. Data breaches can trigger reputational damage, legal consequences, regulatory penalties, and pure business disruption all at once.
- Solvency risk is the risk the organization fails because it runs out of cash, even if it may look solvent on paper. This was one of the major lessons of 2008.
- The source is blunt here: Lehman Brothers was not only a leverage story. It was also a solvency story because funding disappeared.
- Individuals also face non-financial risks around health, mortality, longevity, identity theft, and property and casualty losses.
- Mortality risk is the risk of dying too young. Longevity risk is the risk of living so long that your money runs out before you do.
RISK INTERACTIONS
- Risks do not live alone. Market risk can create credit risk, which can create settlement and operational strain. This is one of the nastiest ideas in the reading.
- Counterparty risk gives a clean example. A market move can make your derivative counterparty owe you more exactly when that counterparty is becoming less able to pay.
- Wrong-way interactions are ugly because the same shock hits you twice. The exposure grows while the counterparty quality gets worse.
- Leverage mixed with liquidity and solvency risk is especially toxic. The reading points to Long-Term Capital Management in 1998 and many firms in 2008 for this reason.
- For individuals, Enron is the unforgettable example. Employees kept salary risk, human-capital risk, and retirement-savings risk all tied to one company and got hit from multiple directions at once.
RISK DRIVERS AND METRICS
- Risk drivers are the fundamental global, domestic, industry, and company-level factors that create risk. They are deeper than the headline market prices you see on a screen.
- Governments, central banks, industries, and company-specific events all feed the risk environment. Risk management cannot control those drivers, but it can position exposures relative to them.
- Probability is the most basic metric, but probability alone is not enough. Knowing that something has a 25% chance of happening does not tell you how much money is at stake.
- Standard deviation measures dispersion in outcomes. In normal distributions, about 68% of outcomes lie within one standard deviation and about 95% within two.
- Standard deviation has limitations, especially with fat tails and non-normal distributions. That is why using it blindly can create a false sense of precision.
- Beta measures how sensitive a security's return is to the market portfolio. What is beta: a relative-risk measure for diversified equity portfolios.
- Derivatives use special risk metrics called the Greeks. Delta measures first-order sensitivity to the underlying. Gamma measures how delta itself changes. Vega measures sensitivity to volatility. Rho measures sensitivity to interest rates.
- Fixed-income instruments use duration to measure interest-rate sensitivity. Different asset classes often need their own native risk language.
- Value at risk (VaR) is a tail-loss measure with three ingredients: a currency amount, a time horizon, and a probability.
- A one-day VaR of GBP 3 million at 5% means the organization expects to lose at least GBP 3 million one day out of 20, on average. That "at least" matters a lot.
- VaR is a minimum tail loss, not a maximum loss. Many people miss that and then trust VaR too much.
- Conditional value at risk (CVaR) looks at the average of losses beyond the VaR point. Expected loss given default plays a similar tail role in credit risk.
- Scenario analysis and stress testing ask what happens under ugly but plausible or deliberately severe conditions. These are the grown-up version of asking, "If this gets bad, how bad is bad?"
- Credit risk uses ratings, but serious analysis also looks at liquidity, cash flow coverage, profitability, leverage, default probability, and macro and industry pressures.
- Operational and regulatory risks are harder to measure than market risk because the events are rare, messy, and often not captured by clean time-series data.
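The VaR, CVaR and stress-test ideas above can be checked on a small data set. The added Python example below is not from the reading: the 40 daily returns, the portfolio value, the positions and the scenario shocks are all constructed. It computes a historical-simulation VaR at 5% (with 40 days that is the second-worst day, so one day in 20 loses at least that much), shows that the worst day lies beyond the VaR figure (VaR is a minimum tail loss, not a maximum), takes the average of the tail for CVaR, and then runs two "if this ugly thing happens" scenarios against the positions.

```python
from statistics import mean

# Constructed sample of 40 daily portfolio returns (fractions of portfolio value).
# Made-up numbers: mostly quiet days with a few large losses forming the left tail.
DAILY_RETURNS = [
    0.004, -0.002, 0.001, 0.003, -0.001, 0.002, -0.003, 0.005, 0.000, -0.004,
    0.002, 0.001, -0.002, 0.003, -0.001, 0.004, -0.005, 0.002, 0.001, -0.002,
    0.003, -0.001, 0.002, -0.003, 0.001, 0.004, -0.002, 0.000, 0.002, -0.001,
    -0.012, 0.003, -0.025, 0.001, -0.008, 0.002, -0.040, 0.001, -0.015, 0.002,
]
PORTFOLIO_VALUE = 10_000_000  # constructed, in the reporting currency

# Constructed positions and scenario shocks for the stress test (also made up).
POSITIONS = {"uk_equity": 6_000_000, "us_treasuries": 4_000_000}
SCENARIOS = {
    "equity_crash": {"uk_equity": -0.30, "us_treasuries": 0.05},
    "rates_spike": {"uk_equity": -0.10, "us_treasuries": -0.08},
}


def losses_from_returns(returns, value):
    """Turn returns into currency losses; a positive number is money lost."""
    return [-r * value for r in returns]


def tail_cutoff(losses, tail_prob):
    """The loss at the VaR cut-off: rank losses worst-first and take the k-th,
    where k is the number of days that make up the tail (at least one)."""
    ordered = sorted(losses, reverse=True)
    k = max(1, round(tail_prob * len(ordered)))
    return ordered[k - 1]


def historical_var(returns, value, tail_prob=0.05):
    """Historical-simulation VaR: the loss exceeded on about tail_prob of days."""
    return round(tail_cutoff(losses_from_returns(returns, value), tail_prob), 2)


def days_beyond_var(returns, value, tail_prob=0.05):
    """How many days lost at least the VaR amount (about 1 in 20 at 5%)."""
    losses = losses_from_returns(returns, value)
    cutoff = tail_cutoff(losses, tail_prob)
    return sum(1 for loss in losses if loss >= cutoff)


def conditional_var(returns, value, tail_prob=0.05):
    """CVaR: the average loss on the days at or beyond the VaR cut-off."""
    losses = losses_from_returns(returns, value)
    cutoff = tail_cutoff(losses, tail_prob)
    return round(mean(loss for loss in losses if loss >= cutoff), 2)


def worst_loss(returns, value):
    """The single worst day, which VaR does not report."""
    return round(max(losses_from_returns(returns, value)), 2)


def stress_loss(positions, shocks):
    """Loss under one scenario: sum of position size times its shock."""
    pnl = sum(amount * shocks.get(name, 0.0) for name, amount in positions.items())
    return round(-pnl, 2)


def run_scenarios(positions, scenarios):
    """Loss under every named scenario."""
    return {name: stress_loss(positions, shocks) for name, shocks in scenarios.items()}


if __name__ == "__main__":
    print("1-day 5% VaR :", historical_var(DAILY_RETURNS, PORTFOLIO_VALUE))
    print("days at/beyond VaR:", days_beyond_var(DAILY_RETURNS, PORTFOLIO_VALUE), "of 40")
    print("CVaR         :", conditional_var(DAILY_RETURNS, PORTFOLIO_VALUE))
    print("worst day    :", worst_loss(DAILY_RETURNS, PORTFOLIO_VALUE))
    for name, loss in run_scenarios(POSITIONS, SCENARIOS).items():
        print(f"scenario {name:13s} loss {loss:,.0f}")
```

On this sample the 5% VaR is 250,000 but the worst day lost 400,000 and the tail average is 325,000, which is the whole point of the "minimum, not maximum" warning; the scenario losses sit well beyond any of the three, which is why stress tests are a supplement to VaR rather than a substitute for it.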
FX HEDGE AND RISK REDUCTION
Problem: A UK investor holds a portfolio that is 60% in the FTSE 100 and 40% in US Treasuries. Unhedged portfolio risk is 8.4%. If the investor fully hedges the currency risk on the US Treasury position with a one-year forward, what happens to risk?
Solution: The source shows that removing the exchange-rate piece lowers portfolio standard deviation to about 7.6%.
Explanation: The hedge cuts one risk source, but it does not remove all risk from the US Treasury position, and it also slightly changes expected return through the forward price.
MODIFYING RISK
- Risk modification means aligning actual risk with acceptable risk. Sometimes that means reducing risk. Sometimes it means increasing risk back toward target, like rebalancing a portfolio that became too conservative.
- The four broad families are prevention and avoidance, acceptance and self-insurance, transfer, and shifting.
- Prevention and avoidance means taking steps so the risk never gets on the table or becomes less likely. Seatbelts, due diligence, controls, and avoiding weak contracts all fit here.
- But full avoidance is not always best because avoiding risk can also mean avoiding opportunity. The real trade-off is costs versus benefits, not fear versus courage.
- Acceptance means bearing the risk yourself. Self-insurance means keeping some losses internally because paying someone else to bear every risk would be too expensive or too restrictive.
- Transfer usually means insurance. Insurance works best when risks can be pooled or diversified by the insurer across many low-correlation exposures.
- Deductibles are clever because they split risk between the insured and the insurer. They reduce nuisance claims and keep the insured interested in not behaving recklessly.
- Reinsurance is insurers buying insurance from other insurers. That line is easy to forget but very testable.
- Risk shifting usually means derivatives. Forwards, futures, swaps, and options can reshape the payoff distribution instead of simply pooling risk like an insurer does.
- Forward commitments lock in future prices or rates without an up-front premium. Options give flexibility but require a premium because one side gets a right without an obligation.
- For risk shifting, you must understand the trade-off. A forward locks the outcome. An option costs cash but preserves flexibility.
- No method is automatically best. Good choice depends on cost, benefit, remaining risk profile, and consistency with risk tolerance and governance.
THE OLYMPICS, LLOYD'S, AND WEIRD RISKS
NBC once insured itself against an Olympic boycott. That sounds bizarre until you remember what insurance really is: paying someone else to absorb a damaging outcome you cannot comfortably bear yourself.
Lloyd's of London became famous precisely because it would gather capital willing to shoulder unusual risks that ordinary markets did not want to touch.
- The final practical rule is simple: avoid stupid risks, self-insure where sensible, transfer what can be pooled efficiently, and shift financial risks when derivatives do the job more cleanly.
QUICK CHECKS
- Risk management is about alignment, not elimination.
- Governance sets tolerance first; budgeting translates it into allocation.
- Financial risk and non-financial risk often interact in ugly, non-linear ways.
- VaR is a minimum extreme loss, not the worst possible loss.
- Scenario analysis and stress testing are essential supplements, not decorative extras.