PM 6 Introduction to Risk Management
Risk, in the broadest sense, is exposure to uncertainty: the chance of a loss or an unfavorable result following an action, an inaction, or an outside event. That framing can make risk sound like something to shun, but it is not. Return earned without any risk is usually wishful thinking, and a strategy built on it tends to fall short of its goals. Risk and return are linked, and while return is difficult to command directly, exposure to risk can be shaped and controlled. That is why the discipline concentrates on the side of the pair that can actually be steered.
Risk exposure is the degree to which those underlying uncertainties translate into real gains or losses for a party that holds assets or liabilities sensitive to them. Exposure is the state of being vulnerable to a risk, and it results from the choices a firm or an investor makes about which risk-sensitive positions to hold.
Three meanings of the word risk
The term is used loosely for three related but distinct ideas. The risk driver is the underlying source of uncertainty. The risk position is the size of the risky action taken. The risk exposure is the potential change in value that follows. In the simplest cases, exposure is just the position multiplied by the driver.
An announcement in Japan is expected to move the yen up or down by 1 percent (a deliberately simplified range). A non-Japanese business holds an underlying position of JPY 1,000,000 tied to that currency.
What risk management actually means
Risk management is the discipline through which a firm or a person settles on how much risk to accept, gauges how much is actually being borne, and nudges the second amount toward the first, all aimed at maximizing enterprise value or personal utility. It is not the minimizing of risk. A firm that avoided every risk could not function at all. Instead, risk management is about understanding and deliberately accepting the risks that best trade the pursuit of goals against a tolerable chance of failure, then sizing, monitoring, and adjusting that exposure over time.
A useful slogan among practitioners is the doctrine of no surprises. It does not claim that a risk manager can predict what will happen. It means that if an unpredictable event does occur, its effect on the organization has already been quantified and thought through, so the only genuine surprise is the shock itself, not its consequences.
Consider a bank exposed to real estate securities. A capable risk manager would not be expected to foresee a property crisis, but would help management gauge in advance what such a crisis could do, for instance quantifying that it might wipe out 60 percent of the bank’s capital, and would raise that possibility in governance discussions before any trouble began. A weak process ignores the small but severe possibility, never sizes the loss, and leaves management unaware that more than half its capital could be at stake. In a strong process most of the work happens before an adverse event; in a weak one, just as much work may occur, but only afterward, when the damage is done.
A risk management framework is the combination of infrastructure, workflows, and analytics that make effective risk management possible, integrating the risk and return sides of the enterprise into decisions that best serve its goals within its tolerance for risk. There is no one-size-fits-all version; the framework is customized to each organization. Even so, every sound framework addresses the same set of components.
| Component | What it does |
|---|---|
| Risk governance | Top-down, board-level direction that ties risk activities to enterprise goals and sets risk tolerance. |
| Risk identification and measurement | The quantitative and qualitative assessment of all sources of risk and the firm’s exposures. |
| Risk infrastructure | The people and systems that capture exposures, run models, and report the risk profile. |
| Policies and processes | Governance extended into day-to-day limits, requirements, and decision checkpoints. |
| Monitoring, mitigation, management | Continually reviewing exposures and acting when they drift out of line with tolerance. |
| Communications | Clear, timely reporting and feedback loops across all levels, including back to the board. |
| Strategic analysis and integration | Using the risk lens to sort value-adding activities from the rest and improve decisions. |
These components overlap heavily in practice. When the whole framework hinges on top-down governance and stays focused on the goals of the entire organization, the result is effective enterprise risk management, an overarching approach applied consistently across the firm and aligned with its strategy.
How the pieces fit together
Picture the enterprise in three columns. On the left sits risk governance, the board-level activity that defines goals, decides risk tolerance, may guide where risk is taken through risk budgeting, and sets high-level policy. In the middle sits management, which plans and executes value-maximizing strategies consistent with that guidance and allocates capital to risky activities. On the right run the operating steps: establish the risk infrastructure, then identify and measure risks, then monitor them continuously.
Monitoring leads to a decision point. Are the risks within the limits set by tolerance and the risk budget? If the answer is no, mitigation and management actions modify the exposures, which restarts the cycle so the risks can be re-checked. If the answer is yes, the process moves to communication and reporting, and then to strategic analysis, which feeds insight back into both governance and the mix of risky activities. Real frameworks contain many such feedback loops, and most of these steps run at the same time rather than in strict sequence.
The individual version
An individual lacks the resources and overhead of a large firm, but the framework still applies in a reduced form of roughly six steps: set goals and objectives (the individual is effectively their own governing body); choose investments and identify their risks (often with an adviser acting as management); evaluate the resulting exposure; consider ways to modify it; implement the chosen solution such as insuring, hedging, or trading; and finally evaluate and review, perhaps less frequently but no less importantly. The main danger is dismissing the whole exercise as too complicated and skipping it entirely.
When risk is truly woven into every decision rather than treated as an afterthought, the organization has built an effective risk culture. The payoffs include fewer surprises and a clearer sense of the damage a surprise could cause, more discipline and better risk-return trade-offs, quicker mitigation, fewer operational errors, more trust between the board and management, and a stronger reputation. Together these tend to raise the value of the enterprise.
Risk governance is the foundation of risk management: the top-down guidance that directs risk activities to support the goals of the whole enterprise. It usually flows from a board of directors that carries fiduciary duties and risk oversight and that prescribes goals and authority. Beyond oversight, the governing body drives the framework in two further ways. It sets the organization’s goals, direction, and priorities, and it spells out risk appetite: which risks are acceptable, which must be mitigated and to what degree, and which are off limits. Good governance also signals roughly how large a loss could be tolerated across various scenarios. To keep a board honest about limits, it helps to define hypothetical red zones, much as a dashboard dial marks the range beyond which an engine should not be run.
Why the enterprise view matters
Enterprise risk management requires looking at the entire economic balance sheet, not just one part of the firm viewed on its own. Too narrow a view rarely serves the aim of raising the value of the whole enterprise.
A corporate pension fund holds assets (the funds) against liabilities (the pension promises). The liabilities behave much like bonds. A manager focused only on the assets invests them entirely in equities to chase maximum growth.
The same logic applies to individuals, even without the word enterprise. A person’s wealth includes human capital, not only financial assets. Someone whose career is in real estate is already exposed to property risk through earnings, so holding large amounts of real estate securities, though it might look optimal for the financial portfolio alone, leaves total wealth poorly diversified. Likewise, an investor with inflation-linked pension benefits, one with a fixed pension, and one with no pension at all need very different solutions, both for inflation and for uncertainty about lifespan. Because an individual’s life cycle is so variable and many goals are discrete, the enterprise view can matter even more for individuals than for institutions.
Committees and the chief risk officer
A risk management committee gives management a regular forum to discuss the framework and key risk issues, paralleling the board’s deliberations at an operational level and integrating the other parts of the framework. Another hallmark of strong governance is appointing a chief risk officer (CRO) responsible for building and running the framework. The CRO is a genuine participant in strategic decisions, not merely a policing role. Just as it would make little sense for the chief executive to double as chief financial officer, it makes little sense for the CEO to serve as the CRO, even though the CEO remains ultimately responsible for risk.
Perhaps the single most important governance decision is risk tolerance: the extent to which an organization is willing to bear losses or opportunity costs and to fall short of its objectives. Some risks are deemed acceptable, some unacceptable, and in between are risks to be taken only in a limited way. Setting tolerance is a board-level oversight job, distinct from the management task of selecting particular activities.
For an individual, the decision is similar but not identical. Traditional theory has the individual maximizing an unobservable utility while a business maximizes a broadly observable market value. People face certain death on an uncertain timetable, whereas firms tend to be short-lived yet operate with an expectation of immortality; a firm’s tolerance often treats continued existence as a major concern. In many respects the individual’s tolerance decision is the harder one.
The inside and outside views
Choosing tolerance starts by integrating two questions. The inside view asks what internal shortfalls would cause the organization to fail, or to miss critical goals. The outside view asks what uncertain forces, what risk drivers, the organization is exposed to. With both answers in hand, a board can mark the dimensions and levels of risk it finds too uncomfortable to accept. This should be settled and communicated before a crisis; doing it afterward is better than never but resembles buying insurance after the loss.
A Spanish construction-equipment manufacturer’s board is setting its risk tolerance. From the inside view it has two concerns. It can absorb a revenue drop of 5 to 10 percent, but a 20 percent drop would breach its debt covenants and imperil the launch of a new flagship product. It also needs EUR 40 million of cash flow each year across the coming three years to fund essential capital projects, with almost none of that cash flow available to put at risk. From the outside view it identifies three drivers beyond its control: swings in the US dollar, moves in interest rates, and returns on industrial-sector equities. Both its results and its share price move with these three.
What shapes tolerance
There is no formula. A firm’s goals, areas of expertise, and strategies help the board decide which risks to pursue and how hard. An ability to respond quickly to adverse events can support a higher tolerance. The amount of loss the firm can take without threatening its status as a going concern matters, since some firms are more fragile than others, as do the competitive landscape and the regulatory environment. Quantitative tools, including scenario analysis, economic modeling, and sensitivity testing against macro drivers, help locate the board’s comfort zone. Other factors should not drive tolerance but often do: the private agendas of directors (the agency problem), the size of the company, an apparently calm market, short-term pressures, and management pay. A formal tolerance also steers the firm away from easy but reckless strategies, such as selling put options on its own equity or piling on leverage, that boost short-term profit while raising the odds of failure.
Risk budgeting takes over where tolerance leaves off. Whereas tolerance settles what is and is not acceptable, budgeting is concerned with how the risk is taken: it quantifies and allocates the tolerable risk using specific metrics, extending and implementing the tolerance decision. It is used in managing a business and in managing a portfolio alike.
The underlying idea is that a business or portfolio is an assemblage of risk characteristics, which can be viewed along several dimensions at once. A traditional description of a portfolio might be 20 percent hedge funds, 30 percent private equity, and 50 percent split between stocks and bonds. A risk view of the very same portfolio might read 70 percent driven by global equity returns, 20 percent by domestic equity returns, and 10 percent by interest rates, with the equity part split 65 percent value and 35 percent growth, and perhaps 45 percent of holdings illiquid. These lenses coexist. For keeping a portfolio aligned with tolerance, the risk characteristics matter far more than labels like hedge funds or private equity, because equity can be low risk and some hedge funds can be high risk.
Simple and complex budgets
A risk budget can be one simple measure or a rich multi-dimensional structure. Four widely used one-dimensional measures are beta, standard deviation, scenario loss, and value at risk (VaR). Some hedge funds budget with standard deviation, managing to a fixed target and judging each new investment by how it changes the fund’s forward-looking standard deviation. More complex budgets spread risk across classes such as fixed income, equity, and commodities, or use factor approaches that tilt toward exposures believed to earn premiums, for instance emphasizing value stocks over growth on top of a baseline equity beta.
A major benefit of even a basic budget is that it forces trade-offs and builds a culture in which risk enters every key decision. If every activity the firm wants to pursue exceeds the budget, budgeting pushes it to invest where return per unit of risk is highest, and to weigh doing less of a risky investment against doing more while adding a hedge. Comparing a market hedge with a smaller position effectively benchmarks each investment against the market on a risk-equivalent basis, so decision makers end up trying to add active value in every choice while staying inside tolerance. Individuals sometimes budget too, but many do it poorly, most visibly when they concentrate financial savings in their own employer, leaving total wealth, financial plus human capital, extremely concentrated in one firm or industry.
Identifying risks is one of the first tasks in implementation. This reading splits them into two groups. Financial risks arise from events in the financial markets, such as moves in prices or interest rates. Non-financial risks arise elsewhere, from actions inside the organization or from external sources such as the environment, counterparties, regulators, governments, suppliers, and customers. Most risks eventually have monetary effects, but the term financial risk is reserved for those born in the markets.
| Category | Risks included |
|---|---|
| Financial | Market risk, credit risk, liquidity risk |
| Non-financial | Settlement, legal, regulatory, accounting, tax, model, tail, operational, solvency |
| Chiefly for individuals | Health, mortality, longevity, property and casualty |
The three financial risks
Market risk stems from changes in stock prices, exchange rates, commodity prices, and interest rates. It is among the most visible risks, and the state of knowledge is probably most advanced here. Credit risk is the risk of loss when a party fails to pay what it owes on a bond, loan, or derivative; it is also called default or counterparty risk, and for some derivatives it runs in both directions. Defaults have far longer-lasting effects than a temporary price decline, since a fallen price can rebound but a bankruptcy does not. Liquidity risk is the risk of a sharp downward price adjustment when selling an asset. The familiar bid-ask spread paid at purchase is a cost rather than a risk; what creates risk is the chance that this spread balloons as market conditions change or as a position grows larger than normal trading volume, so the sale price falls below the seller’s estimate of fundamental value. In extreme cases there may be no positive price at all. For this reason liquidity risk is sometimes called transaction cost risk.
The main non-financial risks
Settlement risk concerns payments made just before a default: if one party wires funds and the counterparty goes bankrupt before delivering, the payer may recover money only slowly through bankruptcy. It is also called Herstatt risk, named for a German lender that collapsed in 1974 after taking in payments and then defaulting. Legal risk covers both being sued and, more pointedly in finance, the chance that a contract’s terms will not be upheld in court, since even a weak case can prevail. Regulatory, accounting, and tax risks together form compliance risk: rules change, and updates can bring unexpected costs, back taxes, restatements, and penalties.
Model risk is the danger of a mispricing that arises from using the wrong model or applying the right one incorrectly, for example assuming constant dividend growth when growth is not constant. Closely related is tail risk, the tendency for more extreme outcomes than a probability model predicts. Tail risk is especially acute under the normal distribution, a model that gets overused; disregarding fat tails is itself a form of model risk. Operational risk arises from failed or inadequate people, systems, and internal processes, as well as external events that disrupt operations. Sources include employee theft or honest error (crediting an account with USD 100,000 for a USD 100 deposit), the rogue trader (Nick Leeson destroyed the 200-year-old Barings Bank in 1995 with speculative trades that hid losses), natural disasters, cyber attacks (under the General Data Protection Regulation, breaches of sensitive personal data must be reported within 72 hours, with fines that can reach several million euros), and terrorism. Solvency risk is the danger that a firm exhausts its cash and cannot survive, even when it is otherwise solvent. Lehman Brothers is the classic case: its funding vanished almost overnight in 2008 as counterparties refused to bear its risk, and solvency risk, not a single market loss, forced the bankruptcy.
Individuals face operational-style risks too, such as hacking, burglary, and identity theft, but their primary non-financial risks relate to life and health: health risk (direct costs, lost income from disability, reduced lifespan or quality of life), mortality risk (dying relatively young, which cuts off an income stream), longevity risk (outliving one’s resources), and large property and casualty risks such as fire, natural disaster, or liability from harming others.
Risks rarely arrive one at a time. A familiar phrase holds that market risk gives rise to credit risk, which in turn gives rise to operational risk: an unexpected market move leaves one party owing another, which then requires operations to process and collect the payment, so credit risk always drags settlement risk along with it. Legal risk frequently follows market or credit losses, as the losing party searches contracts for a way out. The combined effect is almost always worse than the sum of the parts, and most risk models do not capture these links.
Party A purchases a put option that sits out of the money, struck at JPY 1,000, a contract worth roughly JPY 100 in theory that could pay as much as JPY 1,000 from Counterparty C if an equity index falls. There is a 2 percent chance that C defaults, and at first this default is assumed independent of the equity market. Adjusted for that independent default, the contract might price at about JPY 98 to A.
Non-linear compounding
Adverse interactions tend to be non-linear. A firm levered two times might post a 2 percent loss where its unlevered twin loses 1 percent. If liquidity is a serious problem, a 10 percent baseline loss might grow into a 25 percent loss instead of 20 percent as funding strains bite. It would not be surprising for that firm to fail at a 30 percent baseline loss, undone by the toxic interplay of leverage and liquidity. This same pattern, where leverage feeds market risk that then feeds liquidity and solvency risk, impaired many firms in 2008 and sank Long-Term Capital Management in 1998.
Individuals face this too. An employee who receives and then keeps a large block of her employer’s shares assumes a highly concentrated position; if the company or industry falters she can lose her job and her savings at once, a particularly harsh collision of market risk with human capital risk. Enron’s 2003 collapse wiped out the retirement savings of many loyal employees who never recognized the concentration. In short, risks generally interact, the combined risk is worse than the sum of its components, and stressed markets make this even more dangerous.
You cannot modify a risk without first measuring it, and the point of measuring is to check whether the risk being taken matches the pre-defined tolerance. Measurement starts with understanding what drives risk.
Drivers
Financial risks are, at heart, no different from the other uncertainties of life: all arise because the future is unknown. Three layers of drivers stand out. First, global and domestic macroeconomies, shaped by governments and central banks through taxes, regulation, law, and monetary and fiscal policy, which set the ground rules for economic activity; even routine events like naming a central bank chair can signal a policy shift. Second, industries, some stable and some highly cyclical, which government policy can favor or discourage. Third, individual companies and their idiosyncratic, unsystematic risk. Diversified portfolios are said to bear no unsystematic risk, but it still matters to a company’s own management, to poorly diversified investors, and to analysts, and what looks unsystematic can turn systematic, as when poor risk management at a bank that is too big to fail becomes a global crisis. A risk manager can reduce the chance his firm defaults but cannot control interest rates; for the latter he can only position the firm so its exposure fits its objectives and tolerance.
Metrics
The most basic metric is probability, the relative frequency with which an outcome is expected; it can be objective (rolling a six is one in six) or subjective (a 50 percent chance a central bank raises rates). Probability alone is not enough, since a 25 percent chance of loss does not tell us how large the loss might be.
Standard deviation measures the dispersion of a distribution. In a normal distribution about 68 percent of outcomes fall within one standard deviation of the mean, about 95 percent within two, and about 99 percent within three. Its limits are real: it may be a poor measure for non-normal distributions and may not even exist for fat-tailed returns. Modern portfolio theory also holds that an asset’s own standard deviation overstates its risk inside a diversified portfolio, since security-specific risk can be diversified away and should earn no premium. That points to beta, a gauge of the amount of market risk that an asset adds to a diversified portfolio.
Other exposures need their own metrics. Derivatives carry the Greeks: delta, which captures how the derivative price responds to a small move in the underlying, is the most important and a first-order risk; gamma captures larger changes and is a second-order risk because it reflects changes in delta; vega measures sensitivity to the volatility of the underlying; and rho measures sensitivity to interest rates. Fixed-income instruments use duration, a first-order interest-rate sensitivity analogous to delta. Because each of these means little outside its asset class, a common measure was needed across asset classes, which spurred value at risk.
Consider monthly returns on the S&P 500 Index from January 1950 to October 2018. Returns averaged 0.70 percent per month, with a monthly standard deviation of 4.10 percent. Under a normal distribution, the worst month, minus 21.76 percent in the October 1987 crash, would be expected just once in 2,199,935 years. The second and third worst, minus 16.94 percent in October 2008 and minus 14.58 percent in August 1998, would show up only once in 6,916 years and once in 654 years. The best month, a positive 16.30 percent in October 1974, would appear once in 888 years.
Value at risk (VaR) gauges how large the tail of the profit distribution is. It brings together three elements: a currency amount, a length of time, and a probability.
A London bank reports a VaR of GBP 3 million at 5 percent for one day.
VaR is simple but controversial. Different estimation methods can give very different numbers, it depends on an assumed distribution and on its inputs, and a tolerable VaR can lull naive users into a false sense of security. It should always be supplemented. Conditional VaR (CVaR) is the weighted average of all losses beyond the VaR level; in credit, the analogous measure is expected loss given default. Because VaR can understate tail risk, statisticians developed extreme value theory to study outcomes far out in the tails. Two further tools complement VaR: scenario analysis, which asks how a portfolio fares under a defined set of market moves, and stress testing, which applies rare, extreme, potentially destabilizing moves; central banks now require major banks to stress test. Credit risk leans on ratings from agencies such as Moody’s, S&P, and Fitch, supplemented by a lender’s own analysis of liquidity, solvency, profitability, and leverage ratios, plus measures like credit VaR and probability of default. Operational risk is among the hardest to measure, since events such as the 2014 Home Depot data breach are rare but costly, so firms often rely on statistics pooled across many companies.
Once tolerance is set and actual risk is measured, the manager aligns the two. Modification is not the same as reduction. A portfolio aiming for an even 50/50 mix of equity and cash will drift toward cash in a market where cash outperforms, becoming less risky; beyond a point its risk may be too low for its return target, so modification means adding risk back through rebalancing. Most of the time, though, modification does mean reducing risk, commonly through hedging, a transaction put in place to lower risk, sometimes to eliminate it and sometimes only to bring it to an acceptable level. There are four broad approaches: prevention and avoidance, acceptance, transfer, and shifting.
Prevention and avoidance
One option is to avoid a risk entirely, but this is harder than it sounds, and not every risk should be avoided, especially when elimination is costly. We could nearly rule out car-accident injury by never riding in a car, but at the cost of the benefits of driving; we could hold all retirement savings in cash, but give up inflation protection and long-run growth. Nearly every risk carries an upside as the risk taker sees it, which is why people smoke, gamble, or skydive: they judge the benefits to exceed the costs, conceptually the same as an investor choosing a high level of risk. In organizations, the choice to steer clear of a risk is usually taken at the governance level when setting tolerance, often to keep management focused on areas where it has a better chance of adding value.
Acceptance: self-insurance and diversification
Often it makes sense to keep an exposure but bear it efficiently. Self-insurance means bearing a risk considered undesirable but too costly to remove, sometimes simply by accepting it and sometimes by setting aside a reserve. A young, healthy adult without dependents who forgoes health insurance while saving to cover potential costs is self-insuring; banks self-insure by holding capital and loan loss reserves. The danger is the fine line between self-insurance and denial. If a firm’s tolerance caps its bearable loss at EUR 1 billion, yet management declines to limit a fraud or rogue-trader risk that could cost EUR 3 billion by claiming it is simply self-insuring, management is really ignoring the risk and violating its own governance. Diversification is another way to accept risk efficiently; strictly a mitigation technique, it is central to portfolio analysis but is usually not effective on its own.
Because a strategic allocation drifts as markets move, keeping risk aligned with tolerance sometimes requires increasing exposure, not cutting it. A 50/50 equity-and-cash target that has tilted toward cash may need equity added back to restore the intended risk and return. Rebalancing is therefore a two-way tool, even though most hedging activity works to reduce risk.
The last two approaches move undesired risk to another party. Risk transfer passes risk on, most often through insurance, a contract in which an insurer covers a share of a loss in return for a premium. From the insurer’s side it works through pooling: sell many policies whose risks have low correlation, then charge a premium that covers expected aggregate losses, operating costs, and profit, using widely available actuarial data on accidents, illness, damage, and death. Insurers still manage carefully, since some risks correlate. Property cover along the US Gulf Coast is dearer because a single hurricane can hit many policies at once, so insurers limit concentrated exposure, buy reinsurance, issue catastrophe bonds that let them skip payments when claims exceed a threshold, and write exclusions.
Deductibles, a monetary amount the insured absorbs before claims are paid, share risk between the two sides. They cut the number of small claims, encourage good risk management by the insured, and let the insured blend transfer with self-insurance for a better trade-off. Some risks resist pooling: a single volatile film star, or a one-off event such as an Olympics that might be boycotted. Specialized cover comes from syndicates at Lloyd’s of London, groups of investors who bear a risk for a premium and are exposed to the full extent of losses; NBC, for instance, insured the 1980 Moscow Olympics against a boycott through Lloyd’s and collected when the United States withdrew. Related instruments include the surety bond, where an insurer pays if a third party fails to perform, and the fidelity bond, which covers losses from employee dishonesty.
Risk shifting with derivatives
Whereas transfer pools risk, risk shifting changes the shape of the distribution of outcomes, and it generally uses derivatives. A derivative takes its price from an underlying asset or rate, so it can deliver much the same exposure at lower cost and lower capital, letting risk be moved across the distribution and between parties. Derivatives fall into two families. Forward commitments (forwards, futures, and swaps) obligate both parties to transact later at a price agreed today; no cash changes hands at the start, and they lock in an outcome, so a treasurer can fix the rate at which a future foreign cash flow converts to domestic currency regardless of later moves. Contingent claims (options) give one party a right rather than an obligation. A call is the right to buy or to pay a set rate, a put the right to sell or to receive one. Because the right is one-sided, the buyer pays a premium up front and can let the option expire; that flexibility is the advantage over a forward, at the cost of the premium. Dealers on exchanges or in private markets stand between originators and ultimate risk bearers, restructuring and passing on the risk so it settles with whoever is most willing to hold it.
A UK investor holds 60 percent in a FTSE 100 index fund and 40 percent in US Treasuries. The expected return on the Treasuries is 1.6 percent in US dollars, and because the expected return on the USD/GBP rate is 0 percent, that is also the sterling expectation. The expected return on the FTSE 100 is 5.5 percent. The standard deviations are 13.2 percent for the FTSE 100, 11.0 percent for the Treasuries in sterling, and 9.0 percent for USD/GBP. Correlations are shown below.
| FTSE 100 | US Treasuries | USD/GBP | |
|---|---|---|---|
| FTSE 100 | 1.00 | −0.32 | −0.06 |
| US Treasuries | −0.32 | 1.00 | 0.33 |
| USD/GBP | −0.06 | 0.33 | 1.00 |
How to choose a method
The four methods, prevention and avoidance, self-insurance, transfer, and shifting, are not mutually exclusive, and many firms use all of them. None dominates; the choice always weighs costs against benefits in light of tolerance. Prevention and avoidance usually come first, especially for risks outside the firm’s core competencies with little prospect of adding value, though avoidance can mean forgoing opportunity. Firms with ample free cash flow may self-insure some risks, but few can self-insure everything, and self-insurance should be addressed at the governance level and kept consistent with tolerance. Transfer through insurance suits poolable risks but not those that strike many parties at once, while risk shifting through derivatives is a common choice for financial risks that exceed appetite. The methods also leave different residual profiles: a contingent claim keeps upside while capping downside but demands cash up front, whereas a forward commitment locks in the outcome with no up-front cash. Ultimately the aim is a residual risk profile consistent with the organization’s objectives.