Adopting a Risk-Based Approach to Asset Management
All organizations encounter unforeseen issues that can lead to financial loss or even closure. At the same time, refusing to take any risk can lead to missed opportunities.
This guide on risk management offers a detailed account of the main risk management frameworks and asset management strategies for the maximum benefit of your company.
What is risk management, and why is it important?
Risk management is the systematic approach of identifying, analyzing, and monitoring risk factors that could negatively affect an organization’s financial performance. These factors typically include:
- Financial, such as losses associated with claims and liability judgments
- Operational risks, such as labor strikes or equipment failure
- External, such as severe weather or political changes that can affect business operations
- Strategic, including management changes, market shifts, or reputational damage
By implementing an effective risk management program, a firm can comprehensively evaluate the spectrum of issues it may encounter.
A risk management program is designed and assessed based on the cost of risk, which includes:
- Retained losses, such as deductibles, retention, or exclusions that the business must pay out-of-pocket
- Net insurance proceeds received for losses that are covered by insurance
- Costs associated with loss control activities that are designed to minimize or prevent losses
- Expenses related to managing claims and administering insurance coverage
- Administrative costs associated with running the risk management program itself
Additionally, asset management in risk management is crucial, as it helps to evaluate the interrelationship between emerging threats and the potential cascading effect they could have on an organization’s business strategy.
Top 3 approaches to the risk management process
For a risk management program to be effective, it must be closely integrated with an organization’s strategic plan.
Achieving this requires risk managers to first establish the organization’s risk appetite. Some risks can be accepted without further action, while others may require mitigation, sharing, transfer to another party, or avoidance altogether.
This necessitates a comprehensive understanding of the organization’s risk profile and a careful balancing of risk appetite and risk tolerance to achieve strategic objectives.
Now, let’s take a close look at the ways risk managers identify, monitor, and mitigate risks. We’ll focus on the three most widely used risk management frameworks:
ISO’s risk management framework
One of the most well-known resources in the risk management discipline is the ISO 31000 standard, developed by the International Organization for Standardization (ISO).
ISO’s risk management process involves five steps that can be applied by any type of organization:
- Identify the challenges.
- Analyze the probability and potential effect of each threat.
- Prioritize risks based on the organization’s objectives.
- Treat (or respond to) the identified issues.
- Oversee the results and implement necessary changes.
While the steps may appear straightforward, it is important for risk management committees to follow them properly to perform their risk function effectively.
NISTIR risk management framework
The National Institute of Standards and Technology (NIST) Interagency Report NISTIR 8286A describes a framework for identifying cybersecurity risks within ERM. NIST defines a set of seven steps to help organizations improve the management of security and privacy issues:
- Prepare. From reviewing essential internal processes to evaluating key performance metrics and assessing an organization’s mission, this component includes reviewing all levels of information that can affect a risk management strategy.
- Categorize. This step entails determining the potential worst-case scenarios and assessing the potential damage to the organization across key business functions and verticals.
- Select. At this stage, the security controls are identified based on the categorization output from the previous step and the appropriate baseline.
- Implement. This step involves applying new infrastructure security measures using best engineering practices and advanced security configuration settings.
- Assess. This stage evaluates whether the security measures have been implemented correctly and whether they are operating effectively.
- Authorize. This step analyzes the results of the previous assessment stage to find out whether the risk level is acceptable or not.
- Monitor. The final step involves regularly monitoring the measures in place and tracking signs of change, attack attempts, or other events that may cause new threats.
COSO’s Enterprise Risk Management framework
In partnership with PwC, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed its enterprise risk management framework. The framework provides clear guidance on managing risk and defines the key concepts and principles of ERM. It consists of five interrelated components and 20 principles.
These components are:
- Culture and governance. This component serves as the foundation for the whole model, as strong governance is key to successful business operations. It offers guidance on board oversight responsibilities, leadership tone, talent attraction and retention, and a wide range of operating processes.
- Strategy and objective-setting. This component focuses on strategic planning and the understanding of potential external and internal factors influencing it. It helps to analyze the business context, define risk appetite, and set realistic objectives.
- Performance. This component helps the firm define and evaluate issues that could affect its ability to achieve its strategic goals, and to prioritize and respond to risks properly. The financial performance component is crucial because an organization’s success is directly dependent on its profits.
- Review and revision. Once issues have been defined and response strategies have been developed, the firm moves into the review and revision phase to evaluate any changes that have taken place. This is also the opportunity to understand how effective the ERM process is and what can be improved for the extra benefit of the organization.
- Information, communication, and reporting. The final component concerns the secure sharing of internal and external information. At this stage, it is important to capture, process, manage, and report on the organization’s risk, culture, and performance throughout the organization.
What risks can occur in asset management?
Apart from the financial, operational, external, and strategic risks described above, enterprise risk can occur in the process of managing assets.
What is asset risk management?
Asset risk management is the process of evaluating risks associated with managing assets.
In its ten-episode podcast, the law firm Simmons+Simmons discusses asset management risks related to cybersecurity, competition, business protection, corporate culture, ESG, conflicts of interest, and more. Generally, asset management risks fall into the following types:
- Market risk. Also known as a portfolio risk, it refers to the potential loss due to unfavorable market conditions. This risk type makes portfolio management difficult due to a potential decline in portfolio value.
- Credit risk. The risk is that the borrower or issuer of investments may default on their obligations, resulting in financial loss.
- Liquidity risk. Also known as an investment risk, liquidity risk appears when an asset cannot be easily sold or exchanged in an investment process without a loss in value.
- Operational risk. The risk of loss as a result of improperly built processes in daily operations, people management, or third-party interactions.
- Legal and regulatory risk. The risk is that the asset management firm may be subject to penalties, fines, or other legal consequences due to non-compliance with laws and regulations.
- Reputational risk. The risk is that the company’s reputation may be damaged due to negative publicity, poor performance, or unethical behavior.
- Cybersecurity risk. The risk that data breaches, cyber-attacks, or other forms of cybercrime result in loss of profits or in harm to clients’ personal and confidential information.
These issues are not exhaustive, and there may be others depending on the type of asset being managed and the specific circumstances of the asset management activities.
It is important for an asset manager to establish a comprehensive asset risk management plan for measuring threats and preventing them.
How to manage risks in asset management?
The risk management function in asset management is critically important to the proper investing process, and it should work in close cooperation with all stakeholders.
In its study, the Boston Consulting Group focused on risk management in the asset management industry and concluded that asset managers take risk ever more seriously. Some of the tools being used by asset managers in the course of handling risk include:
- Delegating a management team for risk
- Strategically creating excellent governance processes
- Clearly defining risk-management processes
In its Asset Risk Management report, Deloitte also states that corporations now increasingly implement a risk-based approach in their asset management. Here’s what the report concludes:
- Effective asset management now includes a robust risk management component.
- Due to increasing complexity, asset managers are being appointed to manage diverse problems associated with assets.
- While many companies recognize the importance of asset risk management, only half measure and report its benefits.
- Asset risk management is often used to improve the efficiency of investment processes, with a focus on managing the risks associated with aging assets.
- Quantitative assessment has untapped potential to benefit organizations.
- Qualitative asset data is crucial for mature asset risk management, but many companies struggle to gather it effectively.
- The market penetration of IT tools that support asset risk management is currently low, and their integration with other IT tools is limited as well.
Despite the emerging trend of including asset risk management in development strategies, there is still much to improve in the way firms address this issue. Below, we explore some tips asset managers can use to minimize risk factors.
Tips on risk response strategy in asset management
While there are many effective approaches to asset management, from the one suggested by the US Government Accounting Office (GAO) to the ISO 55001 Asset Management requirements, we’d like to focus on the three-lines-of-defense model suggested by Grant Thornton:
- The first line of defense is operational managers who take responsibility for their own risks.
- The second line of defense involves senior management, which is responsible for various compliance oversight and risk control functions.
- The third line of defense involves internal or independent third-party auditors, who should perform objective analysis of existing and emerging risks.
Asset managers must apply a performance-driven, three-line model that is tailored to their industry’s unique risk profile. Asset managers should focus on the following five key risk areas:
- Enterprise risk management (ERM). This is a second-line function that requires continuous monitoring of the organization’s evolving risk profile. Although first-line managers are well-positioned to identify emerging risks during their daily work, they must work with the compliance team to ensure compliance.
- Regulatory compliance. While compliance is owned by the second line of defense (senior management), first-line managers often have early knowledge of regulatory changes in their area. This is why the first and second lines of defense should join efforts to track changes in regulations and coordinate the organizational response to them.
- Sales practices. First-line operational managers should own sales practices as a part of their ongoing work process. However, the second-line compliance function is also important in overseeing sales practices, as it can help to minimize illicit financial gain.
- Investment guidelines. Front-line involvement in investment guidelines is crucial, as brokers know their clients and investment options best. However, asset managers must closely monitor and, if necessary, limit broker participation to avoid conflicts of interest. Organizations should consult brokers for creating investment guidelines; however, they should entrust second-line professionals to review and oversee their implementation. First-line operational managers can also perform a quality assurance function by testing the guidelines with extreme use cases.
- Third-party risk. While third-party risk can manifest itself in various forms, asset managers should have efficient ways of mitigating it. From cybersecurity to data security, reputational risks, and fraud — all these issues should be minimized with a strict third-party vetting process. Here, first-line operational professionals can collect information on vendors, but second-line professionals should own the vetting process. Approval should extend not only to the vendor but also to the particular service they provide.
Key takeaways
- Risk management is the analysis, prediction, and mitigation of an organization’s financial, operational, external, and strategic risks.
- The main risk management frameworks highlighted in this article are ISO 31000, NISTIR 8286A, and COSO’s ERM framework for risk identification and management.
- Asset management is, to some extent, part of risk management, since it should be treated as a component of a risk management program.
- Asset management risks fall into market, credit, liquidity, operational, legal and regulatory, reputational, and cybersecurity risks.
- The three-lines-of-defense approach is an effective way to address asset management risks in a consistent, coherent, and holistic way.
- To mitigate asset management risks effectively, each asset manager should address ERM, regulatory compliance, sales practices, investment guidelines, and third-party risks as part of their strategy.