Introduction to Risk Management
Risk management is one of the major functions of corporate treasuries. Depending on the business and geography of your company, the types of risk your company faces may vary.
There are many different types of possible risks your company may face, but the main type of risk most treasury professionals try to manage is financial risk, which could include FX, interest rate, liquidity, credit, commodity risks, etc.
That said, in this age of constant change, many CFOs and treasury professionals today also need to be mindful of strategic, operational, compliance and even political risks faced by their companies.
There are many theoretical risk management frameworks and tools developed by academics, and risk management might be implemented in different ways for different companies. However, in practice, minimally, most risk management frameworks should involve these four steps:
- Identifying the risk
- Measuring the risk
- Controlling the risk
- Evaluating the risk
We will cover the different types of risks, and various ways in which companies manage these risks in greater detail in the sections below.
Step #1: Identifying the Risk
Large conglomerates typically have dedicated risk managers to manage risks for their companies at a company-wide level, a practice commonly known as Enterprise Risk Management (ERM).
The increased emphasis on risk management in recent years is partly due to corporate governance rules and compliance regulations like the Sarbanes-Oxley Act (SOX) and ISO 31000, an international risk management standard.
Risk managers will normally coordinate with various business units to understand all possible types of risks that the company might face and prioritize these risks based on criteria like the probability and severity of the risks. The risks that a large company may face include, but are not limited to:
- Fraud risks
- IT risks
- Tax compliance risks
- FX risks
- Pricing risks
- Reputational risks
- Legal risks
- Customer risks
- Labour shortage risks
The types of risks that risk managers need to manage can be wide-ranging, and more companies are increasing their focus on building their ERM capabilities. While there is a growing trend that corporate treasurers need to be holistic in their understanding of their company’s business and be more involved in strategic planning and decision making, it is not our aim to explain all the enterprise risks and ERM in great detail here. Instead, we will be focusing on risks like FX, interest rate, credit, liquidity risks, etc., that are more relevant and of greater interest to corporate treasuries.
Before we discuss the major risks in greater detail, note that even though risk is usually associated with losses, risk does not necessarily imply losses. In the context of treasury, risk refers to uncertainty: anything that can positively or negatively affect the stability of the organization’s financial performance.
In our view, these are the 4 top treasury risks faced by most organizations that corporate treasurers try to manage using various strategies:
Treasury Risk 1: Foreign Currency Risk
As multinational companies often have to deal with buying and selling in multiple currencies in different countries, FX risk is one of the most common risk exposures faced by MNCs.
FX risks can arise from actual foreign-currency transactions like sales and purchases, dividend payments, loans and capital injections that involve actual physical transfers of foreign currencies.
Alternatively, it may also arise from the translation of foreign assets and liabilities to the organization’s local currency, showing up as a translational accounting gain or loss during consolidation.
Another type of risk related to foreign currencies that treasurers should be aware of is that of actions taken by foreign governments like exchange controls, restrictions on cross-border remittances, limits on foreign currencies to be held by residents and non-residents, etc. These country restrictions differ currency to currency, so if your organization has business operations in multiple jurisdictions, you should familiarize yourself with the laws related to the country’s currency.
Typically, you can approach your relationship banks for advice or research the currency regulations, which are publicly available most of the time. For example, you could refer to the 2017 Global Payments Guide (83 pages) published by J.P. Morgan, which covers cross-currency payments and currency restrictions for over 160 countries.
Treasury Risk 2: Interest Rate Risk
Interest rate risk arises when a company is exposed to risk related to changes in interest rates. This could happen when the company borrows or extends credit to others. If your company has a large amount of outstanding floating-rate debt, a small increase in interest rate could significantly impact the interest expense from the outstanding debt.
Another type of interest rate risk is the yield-curve risk. Banks holding portfolios of interest-rate based securities like bonds will be more sensitive to changes in the yield curve. A yield curve is a term structure of interest rates and is basically a graph that plots yields among comparable bonds against their maturities.
If your company is holding a portfolio of bonds with different maturities, you will probably be interested in the change in your portfolio value when interest rates change. You could measure this by calculating your portfolio duration and the price value of a basis point (PVBP), i.e. how a one basis point change in yield affects the value of your portfolio.
Using duration to measure interest rate sensitivity is a common practice for fixed income portfolio managers, but it is imperfect because it assumes a parallel shift in the yield curve, i.e. a single change in yield across all maturities.
More commonly, we see non-parallel shifts in the yield curve, i.e. yield curves may flatten or steepen, indicating that interest rate changes are different across bonds of different maturities. Therefore, bond portfolios with different maturities will be exposed to ‘yield curve risk’ and have different exposures to the shift in the yield curve.
Treasury Risk 3: Commodity Risk
Commodity risk is the risk associated with fluctuations in commodity prices. Major consumers and producers of commodities like oil, metals, sugar, agriculture, etc. will need to deal with risks related to changes in commodity prices, which could be affected by seasonal changes, political changes, changes in tax regulations, and market impacts.
Treasury Risk 4: Counterparty Risk
Counterparty risk (or default risk) is the risk that the counterparty does not fulfil or defaults on its contractual obligations.
Counterparty risk is greater when you have a direct contract with another party. For example, if you enter into an over-the-counter interest rate swap with Bank A, you become exposed to the risk that your counterparty (Bank A) fails to deliver on the contract when it becomes due.
On the other hand, if you enter into a contract to buy currency futures from the listed derivatives market, the exchange’s clearinghouse is your counterparty rather than individual market participants, thus greatly reducing the counterparty risk that you will be exposed to. The clearinghouse protects itself from risk by requiring market participants to mark-to-market and maintain a margin for their outstanding positions on a daily basis.
Step #2: Measuring the Risk
“What gets measured gets managed.” Risks that can be quantified should be measured to determine their potential impact on the organization’s businesses and financials.
Risk measurement and reporting may not be a straightforward exercise, as the risk controller often needs to aggregate multiple sources of information to determine the extent of the company’s risk exposures.
Large organizations might have a Treasury Management System (TMS) that is capable of aggregating various information to determine overall risk exposures and calculate common risk metrics like Value at Risk (VaR), Cash Flow at Risk (CFaR), etc. For firms that are not using a TMS, risk reporting and measuring could also be done manually by collecting information from the company’s ERP systems and its various subsidiaries and using simple Excel modelling to calculate overall risk exposures.
While there are many advanced risk modelling techniques developed by academics and statisticians, for most corporates, simple forecasting and measurement techniques that can be easily understood by senior management should be sufficient and arguably more effective than complicated analyses.
Below we will describe 2 measures of risk commonly used by industry.
Risk Measure 1: Volatility or Sigma
Volatility, or σ (sigma), measures the degree of variation or dispersion of returns from the mean of a security or market index. This is the same volatility that is used in option pricing models. We can determine the volatility of asset prices either from historical data (historical volatility) or from option prices if traded in the market (implied volatility).
When we calculate historical volatility based on historical actual data, our sample size should be sufficiently large (at least 50 data points). This method assumes that past volatility will be a good reflection of future volatility, which might not hold true if we go too far back in history for data sampling.
Another way to estimate volatility is to obtain option prices from the market, and calculate the volatility implied by the option prices, using an option pricing model like Black-Scholes.
Risk Measure 2: Value at Risk (VaR) or Cash Flow at Risk (CFaR)
VaR is a measure of the level of financial risk of a firm or portfolio. It measures the maximum loss, given a specified degree of confidence. VaR is typically used by institutional investors to track and evaluate risk on their portfolio values.
CFaR measures the financial risk, in cash flow terms, and is applicable for companies that are concerned with how their cash flows might be affected in a worst-case scenario.
A one-day 5% VaR of $1 million means that there is a 5% probability that the firm’s portfolio declines in value by $1 million in a day. To calculate VaR or CFaR, we can use the historical method, variance-covariance method or Monte Carlo simulation.
Under the historical method, we simply obtain historical daily returns, and plot the daily returns in a histogram. For example, to determine 5% VaR, we take the 95th percentile of the histogram to find the worst 5% of all daily returns.
The second method for VaR calculation is the variance-covariance method, which involves using historical daily returns, and assuming that the returns are normally distributed. We obtain the asset volatility and correlation between different pairs of assets based on historical data, and use these parameters to determine the value at risk for the portfolio.
The third method, Monte Carlo simulation, involves developing a model for future prices and running the model multiple times. This is unlike the previous two methods, which make use of historical prices in the calculation of VaR. After developing a theoretical model for future prices, we can run the model multiple times and plot the results in a histogram. A 5% VaR can then be determined from the results generated from running the model.
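The three methods described above can be compared on the same portfolio. The following Python sketch is an added example, not part of the original article; the two return series, the weights, the portfolio value and the zero-mean normal model used for the simulation are all assumptions made for illustration.

```python
import math
import random
from statistics import NormalDist, mean, stdev

def historical_var(returns, value, tail=0.05):
    """Historical method: loss at the edge of the worst `tail` share of observed days."""
    k = max(1, round(tail * len(returns)))   # number of observations in the tail
    return -sorted(returns)[k - 1] * value   # k-th worst return, expressed as a loss

def correlation(xs, ys):
    """Sample correlation between two return series."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) - 1)
    return cov / (stdev(xs) * stdev(ys))

def portfolio_sigma(r1, r2, w1, w2):
    """Two-asset portfolio volatility from each asset's sigma and their correlation."""
    s1, s2, rho = stdev(r1), stdev(r2), correlation(r1, r2)
    return math.sqrt((w1 * s1) ** 2 + (w2 * s2) ** 2 + 2 * w1 * w2 * rho * s1 * s2)

def parametric_var(sigma, value, tail=0.05):
    """Variance-covariance method: normally distributed returns, mean taken as zero."""
    return NormalDist().inv_cdf(1 - tail) * sigma * value

def monte_carlo_var(sigma, value, tail=0.05, runs=20_000, seed=7):
    """Monte Carlo method: simulate one-day returns from a model, then read the tail."""
    rng = random.Random(seed)
    simulated = [rng.gauss(0.0, sigma) for _ in range(runs)]
    return historical_var(simulated, value, tail)

# Constructed sample data (not market data): 100 daily returns for two assets.
_rng = random.Random(42)
ASSET_A = [_rng.gauss(0.0, 0.010) for _ in range(100)]
ASSET_B = [0.5 * a + _rng.gauss(0.0, 0.006) for a in ASSET_A]
W_A, W_B, VALUE = 0.6, 0.4, 1_000_000   # assumed weights and portfolio value
PORTFOLIO = [W_A * a + W_B * b for a, b in zip(ASSET_A, ASSET_B)]
SIGMA_P = portfolio_sigma(ASSET_A, ASSET_B, W_A, W_B)

if __name__ == "__main__":
    print(f"historical 5% VaR : {historical_var(PORTFOLIO, VALUE):12,.0f}")
    print(f"parametric 5% VaR : {parametric_var(SIGMA_P, VALUE):12,.0f}")
    print(f"Monte Carlo 5% VaR: {monte_carlo_var(SIGMA_P, VALUE):12,.0f}")
```

The historical figure depends only on the observed tail, while the other two depend on the normality assumption, so a gap between them is a signal that the return distribution has fatter tails than the model allows.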
Step #3: Controlling the Risk
After we have identified and measured the risks, we need to consider an appropriate course of action to take.
Should we hedge the risk? How much of the risk should we hedge? How should we hedge the risk (what instrument to use)? What is my company’s risk appetite?
Thus, as corporate treasurers, we need to consider the company’s risk policy and strategy and the available tools at our disposal to decide the most appropriate method to control the risk.
Risk Policy and Strategy
Risk management should be carried out with policies and procedures that are approved by a committee, e.g. Group Finance Committee or Group Risk Management Committee. ISO 31000 provides a good overview of what a good risk management policy would entail.
Based on ISO 31000, a good risk management policy should include the following sections:
- Risk management and internal control objectives (governance)
- Statement of the attitude of the organisation to risk (risk strategy)
- Description of the risk aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organisation and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analysing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year
For a full and thorough read of ISO 31000, refer to the standard itself; otherwise, the above summary points should suffice.
The treasurer may use different tools and market products to hedge different risks. There are many different products in the market, and it is important that one should never use a product that he does not understand.
For example, to hedge FX risks, we can use FX forwards, variable rate forwards, FX options, structured options, principal only swap, coupon swap, etc. For interest rate risks, we can use interest rate options, interest rate swaps, collars, forward rate agreements, duration swaps, etc. For commodity risks, we can use commodity futures, commodity options, commodity swaps, etc. Different tools might be better for different environments and circumstances.
Take note that complexity does not always mean effectiveness in managing risk. Most of the time, it is better to use simple products that have readily available pricing through Bloomberg or Reuters. Complex products that are more opaque are normally priced higher by the banks, and may not be available in all markets, implying a lower liquidity.
Step #4: Evaluating the Risk
In order to judge the effectiveness of the hedging tools and strategies, they need to be tested and evaluated over time. Simple, clear and conservative strategies that are consistently applied over a long time tend to be more effective in risk management.
Controls and Limits
In the previous section, we have focused on market risks, i.e. interest rate risk, FX risk. Here, we discuss more about operational risks, controls and limits defined in a formal treasury risk policy. The middle office function tracks and reviews treasury exposures by monitoring indicators like risk, volatilities, exposures, VaR, CFaR, etc. These internal controls should be reviewed regularly to ensure that they remain relevant in risk management for the company.
The policy, which should be approved at Board level, clearly states the roles and responsibilities, structure of the treasury model, types of risk exposures, methods of hedging, authorisation limits, individual and team dealing limits, dealing procedures, payment procedures, mandated banks, etc. The three most common internal controls relevant to treasury activities are:
- Segregation of duties. Duty segregation is important to avoid conflicts of interest. For example, dealing and confirmation of treasury transactions should be performed by different persons to minimize the risk of error or fraud.
- Authorisation levels. Each person should have a clearly defined authorisation level for different market instruments. Typically, boundaries are set such that the person initiating a deal will not be the one authorizing or reconciling it. Authorisation procedures should be spelt out in the settlement method, and are usually set up in the e-banking or treasury management systems.
- Deal limits. Each person should also have his own deal limit, restricting the size of individual transactions and type of financial instruments he can deal over a period of time. Deals that exceed the limit or involve alternative financial instruments will require an additional layer of approval or authorisation.
The treasurer should be concerned with the monitoring and control of all treasury activities. He should therefore review all deals conducted, breached credit limits and any non-standard trades on a daily basis to ensure that any control failures related to treasury are immediately dealt with.
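The daily review described above can be automated over an export of the day's deals. The following Python check is an added example, not part of the original article; the record fields, the mandate table, the finding names and the sample deals are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Deal:
    deal_id: str
    instrument: str
    amount: float
    dealer: str                            # person who initiated the deal
    confirmer: str                         # person who confirmed it
    authorizer: str                        # person who authorized settlement
    extra_approver: Optional[str] = None   # additional layer of approval, if any

# Hypothetical mandates: per-dealer size limit and permitted instruments.
MANDATES = {"alice": {"max_amount": 5_000_000, "instruments": {"fx_forward", "fx_option"}}}

def review_deal(deal, mandates):
    """Return the control failures found on one deal (empty list means clean)."""
    findings = []
    involved = {deal.dealer, deal.confirmer, deal.authorizer}
    # Segregation of duties: dealing, confirmation and authorization by different people.
    if len(involved) < 3:
        findings.append("segregation_of_duties")
    mandate = mandates.get(deal.dealer)
    if mandate is None:
        return findings + ["no_mandate_for_dealer"]
    over_limit = deal.amount > mandate["max_amount"]
    non_standard = deal.instrument not in mandate["instruments"]
    # Over-limit or non-standard deals need an approver who played no other role.
    approved = deal.extra_approver is not None and deal.extra_approver not in involved
    if over_limit and not approved:
        findings.append("over_limit_without_approval")
    if non_standard and not approved:
        findings.append("non_standard_instrument_without_approval")
    return findings

def daily_review(deals, mandates=MANDATES):
    """Map deal_id -> findings for every deal that needs the treasurer's attention."""
    report = {d.deal_id: review_deal(d, mandates) for d in deals}
    return {deal_id: f for deal_id, f in report.items() if f}

# Constructed sample deals (names and amounts are illustrative).
SAMPLE_DEALS = [
    Deal("D1", "fx_forward", 2_000_000, "alice", "bob", "carol"),
    Deal("D2", "fx_forward", 1_000_000, "alice", "bob", "alice"),
    Deal("D3", "fx_forward", 8_000_000, "alice", "bob", "carol"),
    Deal("D4", "fx_forward", 8_000_000, "alice", "bob", "carol", "dave"),
    Deal("D5", "structured_option", 1_000_000, "alice", "bob", "carol", "carol"),
]
```

Running such a check against the source records, rather than relying only on the approval workflow in the e-banking or treasury management system, also catches deals that were entered or approved outside the intended workflow.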
We hope this short summary has given you a good overview of the different treasury risks (operational risks and market risks) and a simple risk management framework you can use to control various risks in your organization!
Next, let’s discuss treasury systems, the role of systems in a treasury set-up and the implementation of systems in a corporate treasury!