Managing Pure Risks: Operation and Markets

This article focuses on managing pure risk. It provides an overview of the main approaches and challenges to managing the pure risks associated with and resulting from business operations and market activity. Topics of discussion include pure risk management strategies, operational risk, market risk, and formal risk disclosure requirements. This section serves as a foundation for a discussion of the issues associated with pure risk transfer and terrorism catastrophe bonds.

Keywords Market Risk; Operational Risk; Pure Risk; Risk Management; Speculative Risk; Terrorism Catastrophe Bonds

Insurance & Risk Management > Managing Pure Risk: Operations & Markets

Overview

Corporate risk can be divided into the two broad categories of pure risk and speculative risk. Pure risk exclusively involves the potential for loss and no potential for profit. The occurrence of pure risk cannot be controlled nor reliably predicted. Examples of pure risk include terrorism, fire, death of key employees, customer injuries on the premises of the business, and natural hazards such as earthquakes and hurricanes. Pure risk can devastate a company. In contrast, speculative risk involves the equal chance of making a profit or taking a loss.

There is debate within the corporate world about how pure and speculative risks should be managed. Risk management refers to the process of evaluating, classifying, and reducing risks to a level acceptable by stakeholders. Risk management tactics include risk avoidance risk transfer, risk reduction and risk assumption. Since the emergence of risk management in the 1960s, corporations have created strategies for managing the pure risks associated with scientific research, market fluctuations, operations, engineering inventions, computer systems, and liability (Barlow, 1993). There is a tendency in many corporations to combine pure risk management and speculative risk management into the same program and initiatives. These corporations base this decision to have a widely-applied risk management approach on the belief that corporate risk represents a single exposure to the corporation. In practice, managing pure and speculative risk requires two very different skill sets.

Pure risk management involves minimizing negative outcomes by avoiding losses and accidents and preparing for natural and man-made disasters and catastrophes. Speculative risk management involves working to achieve the best passive results for events beyond the company's control (Lansdale, 1997). Speculative risk, which can be used to create profit and is also referred to as financial risk, is the domain of corporate managers, company owners, and the board of directors; pure risk, with no potential to bring profit, growth, or increased performance to the firm, is the domain of risk managers (Vann, 1990). Pure risk is assessed and managed almost exclusively by risk mangers. Pure risk managers plan for eventualities never knowing if or when the pure risk scenario will occur.

Corporations choosing to handle risk through a unified management strategy rather than separate pure risk and speculative risk strategies are continuing the industry's practice of the last forty years. While corporate insurance dates back to the nineteenth century, the practice of risk management, characterized as a singular approach to business risk, did not emerge until the 1960s and was not widely adopted until the 1980s. The 1980s were characterized by increasing government regulations, a growing economy, and insurance crisis. The federal government passed laws, such as the Occupational Safety and Health Act, the Environmental Protection Act, and Superfund legislation, which required corporate compliance. Corporations created new positions, such as risk manager, to address liability, safety, and environmental compliance issues. In addition, the business-boom of the mid 1980s, characterized by an increase in production plants, business locations, operations and workers, required new types and larger amounts of insurance. Companies demanded more insurance options and coverage from their insurers and insurance companies balked at the demands. Companies struggled both with financing their increasing insurance needs and finding insurance policies that met the needs of their expanding businesses. Corporations increasingly hired risk managers to assess their risks and select the best insurance options for their expanding businesses (Englehart, 1994).

Over the last ten years, insurance companies, in response to the of events such as the September 11, 2001 attacks on the World Trade Center, the collapse of the Enron Corporation and the unstable global geopolitical risk, are increasingly unwilling or unable to insure pure risk. Insurance companies are increasingly requiring shared risk scenarios with corporations and governments. Clearly, the current business and political environment is creating a greater divide between pure risk and speculative risk than ever existed before. While firms face the potential for numerous types of pure risk, within the areas of operational risks, market risks, cultural risks, economic risks, political risks and credit risks, pure risk managers are possibly most challenged by the need to manage operational risk and market risk. The pure risks associated with operations and market behavior, along with pure risks in general, are characterized by their unpredictability and potential to create devastating losses.

The following section provides an overview of the main approaches used to manage the pure risks associated with and resulting from business operations and market activity. Topics of discussion include formal management approaches, operational risk, market risk, and risk disclosure requirements. This section will serve as a foundation for a discussion of the issues associated with pure risk transfer and terrorism catastrophe bonds.

Applications

Managing Operational & Market Risk

Pure risk managers are responsible for assessing, anticipating, minimizing, and mitigating the pure risks associated with operations and market activity. Like all pure risks, the pure risks associated with operations and market activities are always unexpected, negative, and destructive. Pure risk managers develop response scenarios and prepare their organizations for surviving pure risk situations such as fire, terrorism, death of key employees, customer injuries on the premises of the business, and natural hazards such as earthquakes and hurricanes.

Operational Risk

Operational risk refers to the financial losses that could potentially result from either internal procedural failures or external affairs. Examples of operational risk include the following: Procedural errors; internal control failures; failure of information processing equipment; malicious or fraudulent actions by individuals; workplace safety issues; succession failures; unintentional failures to protect clients; damage to physical assets; failures to follow regulations; business disruptions including terrorism and vandalism; computer and network crashes; service or product quality lapses; fraud; failure to comply with regulations or company policies; shifting political landscapes; and other unpredictable events (Beans, 2003, p.22). Operational risk is created by multiple factors including overly complex production processes; over-engineered products; too many vendors; complex or unclear organizational structures; and fragmented financial or control systems (Lynn, 2006). The results of operational risks can be potentially far-reaching and devastating for firms of all sizes and in all industries. Regulators and corporations have struggled since the 1990s to come to a consensus on the definition and meaning of operational risk. Firms of all sizes and in all industries struggle to decide the best means to allocate capital for managing operational risk and determine what role the board of directors has in assessing and managing operational risk. While a working definition of operation exists across industries, operational risks vary significantly between different industries and sectors (Garver, 2006).

The Basel Committee on Banking Supervision has led the way in the effort to define operational risk and develop tactics for management of operational risk. The Basel Committee on Banking Supervision has issued two international accords or international agreements, Basel I in 1988 and Basel II in 2004, which have standardized corporate perception of and management of operational risk. The Basel Accords have been widely adopted by regulatory commissions around the world. In the United States, the main federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Reserve System, the Office of Thrift Supervision, and the Federal Deposit Insurance Corporation, have revised and implemented the Basal II Accord. The Basel Committee on Banking Supervision reported that the most serious operational risks arise from breakdowns in internal controls and corporate governance. Operational risk, according to the Basel Committee, can also be caused by failures of information technology systems or events such as major fires or other disasters (Aerts, 2001).

The Basel II Accord, officially titled the International Convergence of Capital Measurement and Capital Standards, promotes three approaches to quantifying operational risk:

  • 1. The first is a basic indicator approach based on the annual revenue of the institution
  • 2. The second is a standardized approach based on the annual revenue of each broad business lines institution
  • 3. The third is advanced analytical approached based on an internal risk measurement framework.

U.S. firms, under pressure from the Basel II Accord requirements and the federal Sarbanes-Oxley Act, are increasingly revamping their organizations to handle operational risks. The operational risk management framework generally includes identification, measurement, monitoring, reporting, control and mitigation frameworks (Garver, 2006). Creating a framework for operational risk requires defining operational risk. More and more companies and countries are adopting the Basel Committee's definition of operational risk. That said, operational risk frameworks are not wholly general to all firms and industries. For example, the banking industry has unique needs, investment tools, and objectives and cannot adopt the operational risk frameworks of large corporations in other industries such as manufacturing or real estate. In the banking industry, operational risk often overlaps with credit risk and interest-rate risk.

Operational Risk Manager's & Management

Operational risk managers are responsible for anticipating, minimizing, mitigating, and preparing for operational risk. Operational risk managers work to minimize operational risk through engaging in the following risk management strategies: Foster a culture of risk awareness throughout the organization; back up all data, information, and procedures; practice contingency plans; take time to get to know customers; understand the firm's products; visit all branches and offices of the firm; and streamline and optimize all processes (Beans, 2003). Operational risk managers mitigate operational risk through the use of multiple strategies including: Looking and planning for the unexpected; instituting quality control programs; evaluating financial processes and transactions as if they were manufacturing processes, adopting internal performance metrics such as customer-oriented metrics, product oriented metrics, and financial oriented metrics; aligning insurance closely with the desired unit of value; and training for the unexpected. Operational risk managers prepare for operational risk through the use of multiple strategies including adopting the mindset of production managers with a concern for reducing defects in the products they produce for their customers; evaluating low frequency but high value risk/return tradeoffs; and increasing resources devoted to training, communication, and teamwork. Increased training, especially cross training, increases the likelihood that individuals throughout the organization remain alert for sources of defects or risk.

Ultimately, operational risk management is important for numerous reasons. For example, companies that experience fraud, errors, and systems failures are generally granted less capital by their financial lenders and become less competitive in the marketplace over time. In addition, companies that experience fraud, errors, and systems failures generally do not garner customer, employee, and vendor trust and develop a negative reputation in their industry or business sector (Lynn, 2006).

Market Risk

Market risk refers to exposure to the uncertain market value of a portfolio. Investors experience market risk as a result of the fluctuations in securities prices. Market risk extends to entire classes of assets or liabilities. Pure risk managers assess market risk through value-at-risk analysis. Value-at-risk analysis refers to a measure of how the market value of an asset or of a portfolio of assets is likely to decrease over a certain time period under usual conditions. Market risk anticipates the value or amount that an investment will decrease due to changes in market factors. The main factors, source, or variables effecting market risk include the following: Equity risk, equity index risk, interest rate risk, currency risk, commodity risk, unanticipated inflation and exchange rate change, decline in customer buying habits, and a shrinking market.

The United States government has strict corporate market risk reporting requirements. The Securities and Exchange Commission (SEC) requires that all corporations include a 10-K form in their annual reports describing the ways in which their own results may depend directly on financial markets. The SEC requires this reporting practice as a means of consumer protection for current or potential investors. In 2005, the Securities and Exchange Commission issued new corporate risk reporting and disclosure requirements. The SEC requires reporting on risk factors in three main categories of market behavior including industry risks, company risks, and investment risks. The SEC's new corporate risk reporting requirements, as represented by changes to annual report requirements on Form 10-K and quarterly reports on Form 10-Q, further the SEC's commitment to integrating corporate disclosure and processes first described in the Securities Act of 1933 and the Securities Exchange Act of 1934. Corporations must now disclose risk factors in their annual reports and describe changes in previously disclosed risk factors in their quarterly reports. Risk factors are believed to present a summary of the risks facing the company and identify factors that investors should consider when making an investment.

The SEC’s new corporate risk disclosure requirement, as described in Item 503(c) of Regulation S-K, instructs that, when appropriate, a company has to engage in a discussion regarding the most important factors that may negatively affect the issuer’s business, operations, industry, financial position or its future financial performance. The SEC argues that the new reporting requirements should not be burdensome as the SEC noted that companies should already be in a position to recognize new or changing material risks affecting their businesses. The SEC argues that disclosure of risk factors will alert investors to risks specific to the company or its industry that make an offering speculative or high risk.

The SEC requires, as stated in Rule 421 (d) of Regulation C, that the risk factors section of annual and quarterly reports be written using plain English principles. The SEC specifies six basic plain English principles that must be followed when drafting and explaining corporate risk factors: Short sentences; definite, concrete, everyday words; active voice; tables or bullet point lists, whenever possible; no legal jargon and highly technical business terms; and no multiple negatives. The SEC's plain English requirements are intended to make the risk factors easier for investors to understand. Ultimately, the SEC reports that the new risk disclosure requirements should help rather than hinder corporations. The disclosure of market risks limits the future liability of the company should such a market loss occur (Robbins & Rothenberg, 2005). In addition to the SEC market risk disclosure requirement, the Sarbanes-Oxley Act, passed in 2002 in response to corporate auditing scandal, requires that corporations engage in risk assessment and risk auditing to monitor its financial reporting and auditing processes. Section 404 of the Sarbanes-Oxley Act, which focuses on management's assessment of internal control over financial reporting, instructs corporations to conduct a top-down market risk assessment to evaluate the corporation's internal controls systems (Banham, 2004).

Issues

Pure Risk Shifting & Terrorism Catastrophe Bonds

Risk philosophy refers to a predetermined goal concerning the allocation of risk. Two of the most common risk philosophies are risk sharing and risk shifting. In the case of pure risk, risk shifting or risk transfer involves causing the other contracting party to sustain the full consequences of unanticipated events. In contrast, pure risk sharing occurs when an owner is willing to assume the risk of increased costs in the future caused by unanticipated events in exchange for a contract price today. Corporations and risk managers choose their risk philosophy based on their appetite for and ability to finance risk (Kozek & Hebberd, 1989). Catastrophe bonds, also referred to as cat bonds, are an example and increasingly common form of pure risk shifting. Traditionally, catastrophe bonds have been used to transfer the pure risk of natural disasters like hurricanes, storms, and earthquakes. Following the September 11, 2001 attacks on the World Trade Center, catastrophe bonds that transfer the pure risk of a manmade disaster have become common. Recent economic and political events, such as September 11, 2001 terrorist attacks and the collapse of the Enron Corporation, have brought a new awareness of pure risk and exposure to corporations around the world. More businesses are employing pure risk management strategies and tools to address this new awareness of corporate risk and vulnerability.

The Fédération Internationale de Football Association (FIFA), soccer's international governing body, issued the first terrorism catastrophe bond in 2003. The Fédération Internationale de Football Association issued a catastrophe bond worth an equivalent $260 million to cover the risk of a terrorism related cancellation of the World Cup 2006 in Germany. The bond covered the marketing revenue that the Fédération Internationale de Football Association would have to refund if the matches were cancelled due to natural or terrorist related catastrophe. The Fédération Internationale de Football Association earns most of its revenue from World Cup Soccer. The Fédération Internationale de Football Association based its decision to create the bond on a risk analysis in the form of an extensive model of potential terrorism-related pathways to FIFA World Cup disruption and cancellation. The bond's scheduled maturity was September 2006. The 2006 World Cup did in fact happen as planned and was unmarked by terrorist acts. Since the FIFA terrorism catastrophe bond was issued in 2003, terrorism catastrophe insurance, as a form of pure risk insurance, has grown extremely popular. The demand for terrorism catastrophe bonds is so great that they are often oversubscribed. The current geopolitical environment is currently so unstable that few insurers or companies can or will finance the pure terrorism risk alone. Insurers and companies use terrorism catastrophe bonds as one form of pure risk shifting (Trot & Jenkins, 2003).

Conclusion

In the final analysis, managing pure risk requires a thorough knowledge of the relevant workings of business and industry as well as an awareness of dangers to the business posed from real-world political and environmental events. Pure risk managers must oversee loss and risk associated with people, property, liabilities, and finance. Examples of pure risks include bomb explosions, fire, windstorm damage, theft, fraud, environmental pollution, an employee accident, an employee illness, loss of a key management figure, exposure to liabilities, or loss of market share for product. Pure risk managers create a framework within which firms can absorb the results of pure risk scenarios. A pure risk management framework will include the coordination and monitoring of risk preparedness and response scenarios and activities as well as an overall statement of the firm's risk management philosophy (Cooper, 1993).

Terms & Concepts

Commodity Risk: A form of market risk resulting from change in commodity prices.

Currency Risk: A form of market risk resulting from changes in foreign exchange rates.

Equity Index Risk: A form of market risk resulting from changes in index prices.

Equity Risk: A form of market risk resulting from changes in stock process.

Geopolitical Risk: Any peril that arises from geographic, historic, and societal variables related to international politics.

Interest Rate Risk: A form of market risk resulting from changes in interest rates.

Market Risk: The potential for an investor to experience loss from fluctuations in securities prices.

Mitigation: Efforts taken to reduce either the probability or consequences of a threat.

Operational Risk: Operational risk refers to the financial losses that could potentially result from either internal procedural failures or external affairs.

Pure Risk: A category of risk that results exclusively in loss and failure.

Risk Management: The process of evaluating, classifying, and reducing risks to a level acceptable by stakeholders.

Sarbanes-Oxley Act: A law, enacted in 2002, which introduced highly significant legislative changes to financial practice and corporate governance regulations.

Speculative Risk: Risky action that results in an uncertain degree of gain or loss.

Value-at-Risk Analysis: A measure of which direction and how far the market value of an asset or of a portfolio of assets is going to move during a given time period assuming regular conditions.

Bibliography

Aerts, L. (2001). A framework for managing operational risk. The Internal Auditor, 58, 53-59.

Banham, R. (2004). Enterprising views of risk management. Journal of Accountancy, 197, 65-71. Retrieved July 3, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=13318843&site=ehost-live

Barlow, D. (1993). The evolution of risk management. Risk Management, 40, 38-44.

Beans, K. (2003). How to create a framework for managing operational risk. Community Banker, 12, 22. Retrieved July 9, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=10444077&site=ehost-live

Bloom, L., & Galloway, D. (1999). Operational risk management pays off. American Banker, 164, 6. Retrieved July 9, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=2381334&site=ehost-live

Cooper-Mitchell, M. (1993, August). A thorough approach to business security. Director, 11-17.

Englehart, J. A historical look at risk management. Risk Management, 41, 65-72.

Ferrer, R., & Mallari, N.C. (2011). Speculative and pure risks: their impact on firms' earnings per share. Journal of International Business Research, 10115-136. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=64876714&site=ehost-live

Garver, R. (2006). Operational risk: Who's making progress. American Banker, 171, 9-16. Retrieved July 10, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=20749794&site=ehost-live

Halek, M., & Eisenhauer, J. (2001). Demography of risk aversion. Journal of Risk & Insurance, 68, 1-24. Retrieved July 10, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=4862654&site=ehost-live

Kozek, J. & Hebbard, C. (1989). Contracts: Share the risk. Water Engineering & Management, 136, 20-24.

Kurland, O. (1992). The rise of financial risk management. Risk Management, 39, 12-15.

Langsdale, G. (1997). Five risk trends to watch. Financial Executive, 13, 21-23.

Lynn, B. (2006). Operational risk: Are you prepared? AFP Exchange, 26, 40-46.

McNamara, M. (1991). Managing the risk of employee benefits exposures. Society of Chartered Property and Casualty Underwriters, 44, 24-35.

Mainelli, M. (2002). Industrial strengths: Operational risk and banks. Balance Sheet, 10, 25-35.

Marcela-Cornelia, D. (2010). Causal relations between natural risk and business risk. Annals of the University of Oradea, Economic Science Series, 19, 242-248. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=65287268&site=ehost-live

Powers, M. (2006). Pure vs speculative risk; false choice; sham marriage. The Journal of Risk Finance, 7, 345.

Robbins, R., & Rothenberg, P. (2005). Writing effective risk factor disclosure in offering documents and exchange Act Reports. Insights: The Corporate & Securities Law Advisor, 19, 9-15. Retrieved July 11, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=17256492&site=ehost-live

Trott, D., & Jenkins, G. (2003). How FIFA sold terrorist risk to the capital markets. International Financial Law Review, 22, 49-52. Retrieved July 11, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=11759497&site=ehost-live

Vann, J. (1990). Risk management is relevant. Management Accounting, 68, 54-55.

Suggested Reading

Davis, R. (1989). Different treatment of marketing and design defects in pure risk-utility balancing: Who's the… American Business Law Journal, 27, 41. Retrieved July 10, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=9701240348&site=ehost-live

Gahin, F. (1967, March). A theory of pure risk management in the business firm. Journal of Risk & Insurance, 34, 121-129. Retrieved July 10, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=17482328&site=ehost-live

Sundararaj, G., Aravindan, P., Devadasan, S., & Muthu, S. (2000). Risk prevention and management in blast furnace operation through mock drill exercise. Production Planning & Control, 11, 197-206. Retrieved July 10, 2007, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=3977368&site=ehost-live

Essay by Simone I. Flynn, Ph.D.

Dr. Simone I. Flynn earned her Doctorate in cultural anthropology from Yale University, where she wrote a dissertation on Internet communities. She is a writer, researcher, and teacher in Amherst, Massachusetts.