Now that you've analyzed the risks inherent to your project and come up with a plan to tackle them, it's time to put your risk management plan into practice. In this concluding article, examine the processes of implementing, monitoring and auditing a software risk management plan, together with a case study that demonstrates how it works in the real world.
Now that you know a little bit more about risk management theory, let's see how it plays out in the real world. Consider the following case study, which discusses real-life implementation of risk management in the context of an industry which constantly faces emerging technologies, changing market scenarios and technological advances in financial transactions: the banking sector.
Objective: To focus the bank's resources on:
* Enhancing the supervisory risk management processes in a bank.
* Evaluating the security of the bank.

Ground work:
* Continuous assessment of the bank workflow.
* Detailed review of the information available about the bank.
* Comparison of surveillance reports with other banks to highlight the strengths and vulnerabilities of the bank.
* Understanding of the operational environment of the bank, the risks to which it is open, and the tools and techniques available to measure and mitigate them.
* Study of the infrastructure established to implement risk reduction activities. This could be either a specialist risk engine or a treasury and risk management system.
* Study of the most recent audit, loan review, and other compliance functions.

Identify loopholes:
* Investigate the efficiency of the studies performed.
* Perform test transactions to evaluate the quality of the bank's methodologies and processes.
* Use tools like intrusion detection software to detect pitfalls in the bank network.
* Detect illegal entries into the system.
* Study the banking environment, the staff and its economic condition.

Establish the requirements for an appropriate Risk Management System:
* It should have all equipment necessary for reporting functions.
* It should facilitate communication of risk and return targets, and guidelines to marketing personnel.
* It should define benchmarks (internal or external) for these targets and make available the tools needed to maintain the benchmarks.
* It should ensure that good follow-up and feedback mechanisms are in place to enable management to compare the results before and after implementing the risk reduction activities.
* It should provide infrastructure to analyze risks and their position in the system, and to present this data in an understandable manner. It should include tools to measure risk factors and determine the causes of risk exposure.
* It should include components for monitoring, controlling and reporting limits that have been exceeded.

Classify and prioritize risks on the following basis:
* Probability of occurrence
* Severity of impact
* Frequency of occurrence

Take corrective action against each risk:
* Interest rate risk: Use duration-based measures to compare the relative risk of two different portfolios irrespective of their size, and basis-point value to compare the impact of rate changes.
* Exchange rate risk: Monitor the changes taking place in foreign exchange repositories, and calculate currency exchange rates in a consistent manner.
* Liquidity risk: Impose controls on the foreign reserves in liquid assets and how they are distributed between different sectors. Record the bank's categorization of assets and make this information available to those concerned.
* Credit risk: Set limits on the various credit exposures.

Apply techniques such as:
* Monte Carlo simulation: This method combines historic data with assumptions made by the users and randomly generates values for uncertain variables over and over to simulate the behaviour of the model in different situations.
* Stress tests: Here, extreme cases are considered and applied to the existing portfolio to calculate the maximum loss to the bank.
* Historical simulations: Here, historical data is applied to determine the maximum loss to the bank.
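
The three techniques listed above can be compared side by side on one portfolio. The following Python sketch is an added example, not part of the original case study; the return series, the portfolio value, the normal-distribution assumption, the 99% confidence level and all function names are assumptions made for illustration.

```python
import random
import statistics

# Constructed sample: twelve daily portfolio returns (fractions), not real bank data.
HISTORICAL_RETURNS = [0.004, -0.012, 0.007, -0.003, 0.010, -0.025,
                      0.002, 0.006, -0.008, 0.001, -0.015, 0.009]
PORTFOLIO_VALUE = 1_000_000.0  # assumed portfolio size


def historical_max_loss(returns, value):
    """Historical simulation: replay every past return against today's portfolio."""
    return max(0.0, -min(returns) * value)


def stress_loss(value, shock):
    """Stress test: apply one extreme, user-chosen shock such as -0.20."""
    return max(0.0, -shock * value)


def monte_carlo_loss(returns, value, vol_multiplier=1.0, trials=10_000,
                     confidence=0.99, seed=1):
    """Monte Carlo: history supplies mean and spread, the user supplies
    vol_multiplier, and random draws are repeated `trials` times.
    Assumption: returns are normally distributed."""
    rng = random.Random(seed)  # fixed seed so an auditor can reproduce the run
    mu = statistics.mean(returns)
    sigma = statistics.stdev(returns) * vol_multiplier
    losses = sorted(-rng.gauss(mu, sigma) * value for _ in range(trials))
    # Loss that is not exceeded in `confidence` of the simulated situations.
    return max(0.0, losses[min(trials - 1, int(confidence * trials))])


if __name__ == "__main__":
    hist = historical_max_loss(HISTORICAL_RETURNS, PORTFOLIO_VALUE)
    mc = monte_carlo_loss(HISTORICAL_RETURNS, PORTFOLIO_VALUE)
    mc_wide = monte_carlo_loss(HISTORICAL_RETURNS, PORTFOLIO_VALUE, vol_multiplier=2.0)
    stress = stress_loss(PORTFOLIO_VALUE, -0.20)
    print(f"historical simulation : {hist:12,.0f}")
    print(f"monte carlo (1x vol)  : {mc:12,.0f}")
    print(f"monte carlo (2x vol)  : {mc_wide:12,.0f}")
    print(f"stress test (-20%)    : {stress:12,.0f}")
```

Historical simulation can never report a loss worse than the worst day in its data window, which is why the Monte Carlo and stress figures are reviewed alongside it.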