Guan Seng Khoo, PhD
Head, Group Risk (Models Validation)
Standard Chartered Bank
[email protected]
[email protected]
Structuring ERM for Your Organization in an Era of Regulatory Convergence (Basel II, SOX, COSO, IAS): ERM from a Risk-Return Perspective
Agenda
• Introductory remarks
• ERM from a risk-return perspective
• Identifying the top risks of your organization
• How to develop an appropriate ERM framework: speaking the same language, an integration-centric approach, implementing a common risk language that is "aggregatable" & flexible
• The structure to governing risk (proposed)
• Developing the KPIs to measure the result of your ERM framework
• How to achieve balance on cost of compliance
• Concluding remarks
Figure: examples of risk events mapped to risk types
- Economic slowdown, credit crunch: credit risk
- Hedging: regulatory / operational / market risk
- Staff turnover: HR operational risk
- Earnings volatility: reputation risk
- High oil price: strategic / business / market risk
Figure: criteria for the risk response plan (priority, response criteria); Liquidity & Enterprise Risk Management.
Figure: loss-event exposure across the organizational hierarchy (Organization > Division 1 / Division 2 > Facility 1–4 > Unit 1; assets, people, management, systems): unit operations, actions and loss events; frequency of loss (major, moderate, minor); high-risk loss exposure and risk contribution for Division 2, with annualized expected-loss frequencies and risk certainty per division, facility and unit.
1. Identify principal business risks
2. Develop enterprise-wide risk profiles
3. Prioritize risk management plans
4. Identify options for mitigation
Supporting inputs and questions shown in the figure: envisioning meeting; data from past losses; data from prior studies; risk mapping; insurance; loss control / mitigation; risk financing alternatives; who decides acceptability of risks? how quickly to resolve? who implements solutions?
1. Introductory Remarks: Always Bear in Mind to be Never Complacent
• Even during good times, unexpected negative events can occur – stressed environments! Recall:
- Space shuttle Columbia
- Tsunami tidal wave & impact in SE & South Asia
- London 7/7, New York 11/9, etc.
- Mumbai flood July 2005 – no BCP
- Hurricane Katrina – impact on oil and lifestyle in Asia
- Sustained high oil prices
- Toxic mortgages / subprime contagion
Reminder
• Any EWRM framework must consider the potential impact of crises.
• Preparation & implementation should be based on the old military saying, "the more you sweat in peace the less you bleed in war".
• That is, EWRM implementation should include a comprehensive program to test portfolios, staff readiness, systems, processes, etc., so as to be better prepared when an unexpected negative event occurs.
• Initial assessment/test of the attributes of an institution's portfolio of infrastructure, human resources, systems and processes to withstand scenarios that are likely to occur, calculating the losses should a crisis come to pass – test first to unearth the inefficiencies & loopholes.
What You Hope to Achieve
• Every organization is different and has its own priorities with respect to the risks and challenges it faces and the impact they will have.
• However, the greatest challenge has always been the internal environment and the "silo" mindset of the organization, with different groups having their own agenda and priorities.
• This presentation also proposes some strategies to help overcome the challenges posed by this type of organizational culture, namely:
- Obtain "buy-in" from senior management & the BOD
- Illustrate a possible outcome that is aligned with regulatory reporting requirements and also value-adds to the information management process of the enterprise
- In order to implement, be aware of the demanding and constraining environment of diverse regulatory and supervisory expectations, e.g., Basel II, IAS and SOX
- Implementation must take into account overlapping issues and aggregate the risk measures in order to have a bird's-eye view of the enterprise
- Implementation should be straightforward and simple in terms of outcome and reporting
- Strong guidance & leadership are critical to a (reasonably) successful implementation
ERM from a Risk-Return Perspective: Value-for-Money
• Risk-return considerations: 3-D
- Threat, e.g., high oil prices, terrorism, etc.
- Uncertainty, e.g., impact of regulatory changes, occurrence of fraudulent activity, etc.
- Opportunity, e.g., cut down on fraud, enhance reputation and market growth, etc.
⇒ Pro-active risk management instead of being reactive
Risk in 3 Dimensions
• Every risk event can potentially lead to an "upside" return, the status quo, or a "downside" loss.
• Hence, ERM isn't just about negative risk containment or avoidance,
• but also about strategizing to leverage the risk awareness and activities to enhance returns,
• to ensure the corporation's growth and business continuity and to outperform the average.
2. Identifying the Top Risks of Your Organization
• In order to identify and prioritize the top risks, you first need to measure or quantify them
• Use an ERM matrix based on global best practices and accepted principles
• Look for guidance from experts (internal or external)
• Categorize all possible risks & stakeholders
• Localize the risk concentrations and further analyze these risks based on probability and impact at different levels and hierarchies of the organization
Establishing ERM Risk Categories Defined by the Regulatory Agencies
OCC risk categories: Interest Rate Risk, Liquidity Risk, Price Risk, Foreign Exchange Risk, Transaction Risk, Compliance Risk, Strategic Risk, Reputation Risk, Credit Risk
Fed risk categories: Market Risk, Liquidity Risk, Operational Risk, Legal Risk, Reputational Risk, Credit Risk
* Stick to prescribed regulatory definitions; this removes ambiguity – don't re-invent
* For the BOD and senior management – ease of understanding & buy-in
Next Steps: Understand your risk, your goals, and your priorities
• Based on the risk appetite & ERM matrix, concentrate on the core risks that the organization must either accept, prevent from occurring, lessen the impact of if they occur, or mitigate by transferring the risk away from the key tasks.
• Each risk is then analyzed by assigning it weighting factors such as those shown in the following matrix.
• This matrix weighs the probability of a risky event: the risk that it will occur only once (Low, Medium, High) as well as the risk that it will occur multiple times (Low, Medium, High).
• The matrix also weighs the impact, should the event occur: the impact on a single department or product (Noticeable, Moderate, High) as well as the impact on the entire company or division (Noticeable, Moderate, High).
• The total risk of an event is the product of the probability and impact. This step gives us an objective approach to prioritizing risk and deciding how the risk can be managed.
Prioritizing in terms of, e.g.:
- Exposure loss
- Cost of recovery
- Reputation
- etc.
3. How to Develop an Appropriate ERM Framework: The ABC of ERM Implementation
• Internal environment challenges
• Getting the buy-in
• Mindset change management:
- From a silo-based to an enterprise-wide holistic view
- From a rules-based to a performance-based environment
• How to overcome (some suggestions):
- SAP: show a possible outcome
- KISS, e.g., speak the same, simple language
- CLICK: provide creative leadership & strong guidance with conviction & know-how
SAP – Show a Preview
• No matter how global or sophisticated your organization is, when you are embarking on an ERM implementation, engagement is the key to gaining buy-in from all levels of the organizational hierarchy – easier said than done though!
• One approach is to illustrate to the key personnel at all levels a prototype model of what they are going to get and how they can benefit from it (the preview). The prototype can first be developed in-house by a project team that will eventually lead and drive the implementation program. Alternatively, it could be based on an existing solution or system being used by other organizations ahead of the implementation curve, which the project team has access to. This initial effort in prototyping an interim system or model that can be shown to senior management or directors in the form of an ERM cockpit or dashboard (ala movie poster) brings a lot of benefits to the subsequent deployment and implementation of the ERM system.
• Firstly, much of the effort to produce the prototype will help the project team in establishing a foundation to support the creation of an ERM manual that will serve as the reference point for the establishment of management policies, procedures, and practices governing the initiation, definition, design, development, deployment, operation, maintenance, enhancement, and retirement of the ERM system.
SAP – Show a Preview 2
• Secondly, the preview of the ultimate ERM system provides visibility and transparency to the whole exercise, enhancing the confidence of the directors and senior management, as it also provides an opportunity for them to have a first "taste" (encounter) of the final solution. More importantly, it also provides an avenue for them to be a critic, so that they can provide constructive feedback regarding the strengths and weaknesses of the interim system, which ultimately will be used by them – indirectly, they also become stakeholders of the ERM implementation project through their feedback and inputs.
• Thirdly, the preview allows for the identification and validation of an opportunity to improve business accomplishments of the organization or a deficiency related to the ERM project specification, identification of significant assumptions and constraints on solutions to that need, and recommendation for the exploration of alternative concepts and methods to satisfy the need.
Corporate Performance Cockpit
Example: ABC Bank KRIs & KPIs
Figure notes: the actual value of "Asset Turnover Ratio" is 39, pointed out by the black needle; the actual value is calculated as the average of all subsidiaries in year 2004. The values 10 and 20 are the two threshold values of the interest expense ratio.
Risk indicators: Op Expense; NPL & LLP; Asset turnover
Performance indicators: Debt to Asset; Rate of ROE; RAROC
Near misses:
- Lack of products
- Lack of expertise
- Slow response time
- No targeted market
- Lack of risk-based pricing
Losses:
- Internal fraud
- Market share
- Share price of parent
- etc.
Risk assessment:
- Focus on business process improvements
- Enhance internal controls (checks & balances)
- etc.
KISS – Keep It Simple, Stupid
• Another key consideration is simplicity. The final ERM system should be easy to use and:
- emphasize user friendliness over ease of technical design and application software development
- stick to prescribed terminologies understood by all, e.g., establishing ERM risk categories that have already been defined by the regulatory agencies, in order to reduce ambiguity among the stakeholders and users of the ERM
- provide easier, secure, reliable access to data
- tailor management information reports to customer needs
- provide automated tools to facilitate end-user access to and use of data
- provide readily available help within the application software and provide for computer-based training modules
- reduce the reliance on paper
- provide easier, secure access to and management of electronic records, e.g., digital access rights management
• While the ERM system could be quite granular in terms of the depth of information to be retrieved and displayed, the project team should always bear in mind that at the senior management and directors' level, the big picture is more critical. Hence, the ERM should allow for customization and access along the different levels of usage across the organizational hierarchy, so that line managers, auditors and directors can access the same repository of information but view the information differently according to their needs and functional roles – different access rights can be put in place.
ERM Implementation in the Context of a Diverse Regulatory Environment (Basel II, IAS, SOX, etc.): "Speaking the Same Language"
Principle: SSL
Why Comply?
"...Simply complying with the rules is not enough. … if companies view the new laws as opportunities - opportunities to improve internal controls, improve the performance of the board, and improve their public reporting— they will ultimately be better run, more transparent, and therefore more attractive to investors."
William Donaldson, SEC Chairman, 4 November, 2004
Integration-Centric Approach
• Whether it is SOX, Basel II, International Accounting Standards (IAS), etc., integrating information in support of compliance is not a one-off proposition.
• Compliance requires ongoing and constant enforcement.
• It's never a matter of simply checking a box and then moving to another project.
• Compliance-driven requirements are usually phased in, evolve constantly, and invariably become more complex and stringent over time.
• An integration-centric approach enhances the flexibility, and thus the value, of such an architecture because you can design the data integration capabilities necessary to meet whatever happens regulation-wise.
• You have a supple, adaptable and (over time) familiar framework for integrating new data and types of data in new ways.
• In contrast, a non-integration-centric approach means having to recollect data for each new compliance mandate that comes along.
• An integration-centric approach allows institutions to standardize their risk language in terms of the underlying Basel II risk-compliance categories or items and the overlapping risk parameters in the context of associated regulations (SOX, IAS, etc.).
Figure: overlapping regulatory requirements and synergy examples
Basel II:
• Advanced IRB approach for credit risk
• AMA for operational risk
• Pillar 2 & 3
IPSB:
• High-level standards
• Liquidity risk
• PRMR
• PRCR
• PROR
SOX:
• Internal controls effectiveness testing
• Internal controls disclosure
IAS:
• Fair value accounting
• Impairment value
• Hedge effectiveness
• Income recognition
Overlapping areas: loan impairment; organizational structure; controls testing; risk mitigation.
Synergy examples: integration of risk & finance; time-series analysis for hedge effectiveness testing.
Basel II-compliant Integrated Approach to Risk Management
Figure: reporting data (regulatory disclosure; internal) fed by reports and calculators; regulatory reporting data mart; Basel II calculation engines; IAS calculation engines; G/L; market & external data; financial and management accounting. Elements shared between Basel 2 and IAS: risk models & measurements.
Risk models & measurements: severity and frequency distributions; economic capital (EC) by scenario type; Monte-Carlo simulation.
Scenario types (CaR = capital at risk):
- CaR1: De-pegging of USD/RMB
- CaR2: Asian financial crisis / pandemic flu
- CaR3: Terrorist threat & rise in NPL
- CaR4: Succession & general election
- CaR5: Sectoral distress, e.g., dotcom bust
- CaR6: Fall in FDI (threat from China/India)
- CaR7: Bank merger & loss of market share
The chart also shows the average economic capital across the scenario types.
Calculation engines act on ratings and the loss distribution to yield the PD (PE), LGD (LE), EAD, VaR as well as EC (CaR); severity & frequency distributions are adjusted per scenario.
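The slide describes the engine only at the level of "severity and frequency distributions, Monte-Carlo simulation, EC by scenario type". The following is an added example, not code from the deck or from Standard Chartered, of how such a loss-distribution engine is commonly built: each CaR scenario gets a Poisson event frequency and a lognormal severity (both assumed forms), simulated years are summed into an annual loss distribution, VaR is read off at a 99.9% confidence level (assumed), and EC (CaR) is taken as VaR minus expected loss. The seven scenario names come from the slide; every numeric parameter is constructed for illustration. The `adjust` helper shows the "adjust severity & frequency distribution" step as a stress on a scenario's parameters.

```python
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One CaR scenario: a frequency model and a severity model (assumed forms)."""
    name: str
    events_per_year: float   # Poisson rate of loss events per year (constructed)
    severity_mu: float       # lognormal log-mean of the loss per event (constructed)
    severity_sigma: float    # lognormal log-std of the loss per event (constructed)


def quantile(sorted_values, q):
    """Nearest-rank empirical quantile of an ascending list, 0 < q <= 1."""
    if not sorted_values:
        raise ValueError("no samples")
    rank = math.ceil(q * len(sorted_values)) - 1
    return sorted_values[max(0, min(rank, len(sorted_values) - 1))]


def poisson(rng, lam):
    """Draw a Poisson count with Knuth's multiplication method (adequate for small rates)."""
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(scenario, n_years, rng):
    """Compound loss: per simulated year, sum lognormal severities over a Poisson number of events."""
    annual = []
    for _ in range(n_years):
        n_events = poisson(rng, scenario.events_per_year)
        annual.append(sum(rng.lognormvariate(scenario.severity_mu, scenario.severity_sigma)
                          for _ in range(n_events)))
    return annual


def capital_at_risk(annual_losses, confidence=0.999):
    """EC (CaR) = VaR at the confidence level minus expected loss, on the simulated distribution."""
    ordered = sorted(annual_losses)
    expected_loss = sum(ordered) / len(ordered)
    var = quantile(ordered, confidence)
    return {"expected_loss": expected_loss, "var": var, "ec": max(var - expected_loss, 0.0)}


def adjust(scenario, frequency_scale=1.0, sigma_shift=0.0):
    """Stress a scenario by scaling its event rate and widening its severity tail."""
    return replace(scenario,
                   events_per_year=scenario.events_per_year * frequency_scale,
                   severity_sigma=scenario.severity_sigma + sigma_shift)


def economic_capital_by_scenario(scenarios, n_years=20000, confidence=0.999, seed=7):
    """Run every scenario through the engine; return per-scenario figures and the average EC."""
    rng = random.Random(seed)   # fixed seed so a re-run reproduces the same figures
    results = {s.name: capital_at_risk(simulate_annual_losses(s, n_years, rng), confidence)
               for s in scenarios}
    average_ec = sum(r["ec"] for r in results.values()) / len(results)
    return results, average_ec


# Scenario names from the slide; all parameters are constructed assumptions, not the bank's figures.
SCENARIOS = [
    Scenario("CaR1 De-pegging of USD/RMB", 0.5, 2.0, 1.2),
    Scenario("CaR2 Asian financial crisis / pandemic flu", 0.2, 3.0, 1.5),
    Scenario("CaR3 Terrorist threat & rise in NPL", 0.3, 2.5, 1.3),
    Scenario("CaR4 Succession & general election", 0.4, 1.5, 1.0),
    Scenario("CaR5 Sectoral distress, e.g., dotcom bust", 0.3, 2.8, 1.4),
    Scenario("CaR6 Fall in FDI (threat from China/India)", 0.6, 1.8, 1.1),
    Scenario("CaR7 Bank merger & loss of market share", 0.2, 2.2, 1.2),
]

if __name__ == "__main__":
    results, average_ec = economic_capital_by_scenario(SCENARIOS)
    for name, r in results.items():
        print(f"{name:45s} EL={r['expected_loss']:9.2f} VaR={r['var']:10.2f} EC={r['ec']:10.2f}")
    print(f"Average economic capital across scenarios: {average_ec:.2f}")
    stressed, _ = economic_capital_by_scenario([adjust(SCENARIOS[0], 2.0, 0.5)])
    print("CaR1 with doubled frequency and wider severity tail:", stressed)
```

Loss units are arbitrary. The nearest-rank quantile is deliberately conservative at the 99.9% level; with 20,000 simulated years it is the 20th-largest annual loss, so the tail estimate depends on few samples, which is the usual argument for running more years or fitting the tail analytically rather than reading it off raw simulation output.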
Operational risk event taxonomy (Risk Category / Event Type Level 1 / Event Level 2):
- People Risk: Internal Acts – Unauthorized Activity, Theft & Fraud, etc.; Employment Practices & Workplace Safety – etc.
- Process: Execution, Delivery & Process Management – Transaction Capture, Execution, Monitoring & Reporting, etc.; Clients, Products & Business Practices – Disclosure, Fiduciary, Improper Business Practices, etc.
- Systems: Business Disruptions & System Failures – Hacking, Phishing, etc.
- External Events: External Fraud – etc.
Illustration: Implementing a Common Risk Language that is Flexible & "Aggregatable"
Common risk: Basel II – Clients, Products & Business Practices, seen from each regime:
- SOX risk: misstatement of client fees
- IAS risk: overstatement of hedge effectiveness, fair value measurement
- Internal audit risk: the firm enters into a business relationship with inappropriate parties or does not accurately profile the client
- Compliance risk: the firm opens accounts with persons intending to launder money and does not detect, report or record suspicious activities by its customers
- Operational risk: failure to follow the firm's policies & procedures
The ERM matrix provides:
- a single enterprise-wide view that encompasses the regulatory definitions of risk categories
- ratings across the whole hierarchy of the organization
- comparative analysis
- segmented information for IA as well
- simplicity & ease of use
CLICK – Creative Leadership with Insight, Commitment & Know-how
• No matter how good the planning, budgeting and resource provisioning are, if the ERM implementation is performed by the “blind leading the blind”, e.g., buying off-the-shelf system and models, and with a lack of conviction and commitment, the final outcome would yield a white elephant.
• Risk management must be applied to all phases throughout the life cycle of the implementation. Risk, as used in project management, is associated with a lack of resources, information, and/or control. Risk management is distinguished from "problem management" in that risk management is concerned with situations that may or may not occur, whereas problem management is concerned with known difficulties that are a result of a risk having occurred. An analysis of risk and any strategy adopted to control risk should at least consider the effect of one or more of three factors: lack of resources (such as personnel or funding); lack of information (for example, completeness and confidence); or lack of control over the decision-making process (such as external project decisions affecting the project plans and assumptions).
• Applying risk management to the ERM production or infrastructure system stage includes considering backup and recovery in service level agreements and plans. Management responsibility for a risk must be assigned to individuals and units that can affect the risk's root causes. The Project Manager shall be responsible for managing project risks over which the Project Manager can exert direct control.
• Risks that affect the project, but are not under project control, shall be explicitly assigned to either the Program Sponsor or the CRO, as appropriate. Situations external to the project that could be sources of risk to the project shall be coordinated through the Project Manager. Risk shall be a consideration in a Review Board and management decisions. Project risk situations, plans, and progress against risks must be considered at all project reviews.
• Strong guidance must come from the Program Sponsor, Project Manager and Team so that the ERM implementation is carried out with a clear view of the objective and an insightful understanding of what it hopes to achieve. Coupled with the commitment of the team and management with the backing of the whole enterprise, and the strong political will of the stewards and stakeholders of the ERM project, the likelihood of a successful implementation will be enhanced.
Establishing ERM: The 7 Elements of the Risk Management Process, aka "The 7 Habits of Highly Effective Risk Managers"
- Board involvement: an active board of directors reviews strategic alternatives, develops corporate objectives and then formally approves policies; it also evaluates whether the business is being properly managed.
- Risk management policies: provide broad guidance within which senior management operates and executes the firm's objectives.
- Senior management involvement: senior management then develops strategies consistent with corporate objectives and policies, and ensures that their execution is supported by an effective decision process.
- Decision-making process: the decision process is backed by adequate analytical support and information management infrastructure.
- Analytics: the analytical support utilizes efficient models which analyze both qualitative and quantitative data.
- Reporting / monitoring: the analytical process in turn generates ongoing reports for performance monitoring, benchmarking and further consequent actions.
- Internal controls: all of the above take place within a strong and practical internal control regime.
Incorporating the 6 Principles of Shareholder Value, aka "6 Sigma" – the six Ps leading to enhanced shareholder value:
- Planning
- Measuring Performance
- Pricing Products
- Providing for risk
- Prioritising resources
- Paying for Performance
WHAT (do you have), in terms of "hard" & "soft" infrastructure:
• Corporate culture
• People
• Process
• Technology: systems & IT
ERM Infrastructure Component View
Figure: foundation layer (data warehouse, data mart, data scrub & cleanse, data sorter, data archival, data feed manager, data stream); risk decision support system; infrastructure "mindware" (market intelligence engines, client MS engines, simulation engines, surveillance engines, scoring/rating engines, scenario analyzer, search engines, portfolio management engines); methodologies – quantitative (linear / non-linear (AI), extreme value theory, etc.) and qualitative (expert judgment, structured scenarios); technology & know-how; policy; enterprise reporting, consolidation & document management; the seven elements (board involvement, risk management policies, senior management involvement, decision-making process, analytics, reporting / monitoring, internal controls) arranged from soft to hard.
Balanced ERM Implementation Approach
Figure: model, calculator, reporting, data, IT (physical / hardware) balanced against human resources, managing expectations, training, mind, strategy, flexibility, innovation (soft): "soft"ware, "mind"ware, "hard"ware and "heart"ware.
3 in 1 Basic Pillars: People, Process, Technology
4. The Structure to Governing Risk: EWRM Infrastructure Fundamentals
Corporate Culture
The 4 Pillars & EWRM Success
Pillar 1: People
The greatest challenge is not having the human resource expertise in terms of depth & breadth, e.g., BI implementation in ERM. Hence, advisory services & training should be part & parcel of good ERM project management governance.
Managing expectations, e.g., transfer of expertise, mindset change management.
HR/People Responsibility Governance Framework in EWRM
• Board responsibilities – strategic oversight; alignment
• CEO responsibilities – assign responsibility / accountability / authority; oversee compliance
• Executives' responsibilities – project implementation commensurate with risk; integrate with operations
• Senior managers' responsibilities – risk assessment, implement policies, oversee implementation operations
• All employees' responsibilities – awareness; compliance; reporting
• HR implementation program
– Providing support for networks, systems (ref. ISO 17799)
– Periodic assessment of risk
– Policies/procedures to address security risks and implementation obstacles; full lifecycle
– Operational awareness training
– Periodic testing; remedial action processes
– Incident response procedures
– Business continuity plans
• Reporting
– Adequacy, effectiveness, acceptable residual risk reported to executives
– Independent evaluation reported to the board
Pillar 2: Process
Workflow checklist of critical business processes in project implementation.
ERM managers/supervisors check that the parameters and conditions used to evaluate key risk measures are sound and rigorous – how?
Business Process Management: assessment of process workflow, scenario analysis complemented by documentation & policy manuals.
Business Process Governance
Design a process data-warehouse**
Enterprise Performance: "WHAT" – results; "HOW" – history; "WHY" – causes
Business Performance
Business Intelligence
Finance & balance + static indicators: liquidity / cashflow; return on investment; RAROC; ROA
Process Performance = Indicators + Processes: time, cost, quality, risk
Figure: example order-handling process chain (enter order → order entered → check order → order checked → match order → complete order → price → order completed), annotated with: can be done automatically; data transferred to OMAR; order completely filled; order is for SETS (large caps, selected mid-caps); systems and parties involved (SETS, OMAR, customer trading).
Business Process Performance Indicators + Process Chain
Business Process Intelligence
Pillar 3: Technology
The third pillar seeks to leverage the ability of technology to provide discipline and consistency, helping the ERM personnel and staff to optimize the business processes via the appropriate enabling tools & systems.
Hence, the ERM team performs stress tests to ensure ERM implementation adequacy in times of shocks or unforeseen obstacles.
Enhance transparency & reputation of project management delivery.
Technology Infrastructure Readiness
Scenario Analysis
Figure: causes (failure of relevant key risk factors) → scenario (potential event) → severity of potential loss (range of severity, typical severity) and frequency of potential loss (range of frequency, typical frequency) → evaluation (KPIs/KRFs).
ERM Project Management Governance
• Project governance – to evaluate the adequacy of the controls in place for the following risks:
1. Lack of procedures leads to inconsistencies of approach, and potentially project failures or inefficiencies.
2. Not sponsored by the business or out of scope.
3. etc.
• Quality management – to evaluate the adequacy of the controls in place for the following risks:
1. Quality is not an integral part of the project.
2. Poor quality procedures may lead to poor deliverables and customer dissatisfaction.
3. etc.
• Project planning – to evaluate the adequacy of the controls in place for the following risks:
1. Plans are unreadable and difficult to manage.
2. Poor plans lead to increased costs and delays.
3. etc.
• Risk & issue management – to evaluate the adequacy of the controls in place for the following risks:
1. Risks and issues are identified and managed.
2. etc.
• Financial management – to evaluate the adequacy of the controls in place for the following risks:
1. Costs associated with the project are unknown or inconsistent.
2. Costs are not being recorded properly, leading to inaccurate financial reporting.
3. etc.
• Monitoring & reporting – to evaluate the adequacy of the controls in place for the following risks:
1. Progress against plan and budget is not monitored, leading to possible loss of management control.
• Project close-down – to evaluate the adequacy of the controls in place for the following risks:
1. The project has delivered acceptable products within time and cost.
2. Poor security or controls can lead to loss of confidentiality, integrity or availability of information services.
3. etc.
Corporate Culture: the +1 Pillar
• Strengthening corporate governance from the viewpoints of:
- Boards of directors
- Management
- Internal control functions
- Overcoming silos
Achieving a usable & relevant ERM system?
• No one answer (depends on scale of implementation, location, global or localized, etc.)
• Ability to standardize & measure project implementation risk-based indicators based on some key criteria:
- Risk-return considerations, e.g., risk appetite, growth vs. pricing (adaptability)
- Cost-effectiveness, e.g., shared services, integrated data-warehouse, manual vs. automation, via ABC (activity-based costing), etc.
- Adaptability and transferability, e.g., tackle issues of obsolescence, cross-geographic applications, etc.
- Alignment with corporate governance objectives
- Based on identification of the top risks (known & unknown problems) faced by your organization
- Prioritizing risk based on impact & probability
- Seek benefits beyond "downside" risk management & cost issues to transform overall corporate performance, competitiveness, and shareholder value from ordinary to exceptional
- Aim to minimize operational surprises and losses: what's the likelihood of risks "falling through" silo gaps?
At a practical level the Group risk framework needs to meet the expectations of different parties
… effective risk management combines providing protection and enabling business opportunities
Regulators and other stakeholders:
• Effective risk identification
• Robust controls in line with the risk appetite
• Adequate capital to cover unexpected losses
• Group-wide risk and control monitoring regime
Group:
• Ensure compliance with policy
• Capital measurement / allocation
• Enhance shareholder value
• Reduce earnings volatility
• Lessons learnt from outside the firm
• Aggregated reporting
• Loss transfer mechanisms
• Methodology design
Business line:
• Applicability of policy
• Transparency of capital calculation
• Meet performance measures set
• Avoid losses as far as practical
• Lessons learnt within the firm
• Business line reporting
• Central and efficiency
• Methodology implementation
Shareholders (of the financial institution):
• Effective allocation and efficient use of capital
• A risk-adjusted basis to performance measurement
• A cost-effective risk management framework
• Risk management aligned to value creation
Enterprise Risk Management (ERM) Framework: An Overview
5. Developing the KPIs to measure the result of your ERM framework
Developing key risk and control indicators and establishing an early warning system: all about KRIs, KCIs, KPIs & KTIs
Fundamentals of Enterprise Risk Management
ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
- Proposed by COSO (2003)
WHY ERM
Are we taking the right risks?
• How are the risks we take related to our strategies & objectives?
• Do we know the significant risks we are taking?
• Do the risks we take give us a competitive advantage?
• How are the risks we take related to activities that create value?
• Do we recognize that business is about taking risks & do we make conscious choices concerning these risks?
Are we taking the right amount of risk?
• Are we getting a return that is consistent with our overall level of risk?
• Does our organizational culture promote or discourage the right level of risk-taking activities?
• Do we have a well-defined organizational risk appetite?
• Has our risk appetite been quantified in aggregate and per occurrence?
• Is our actual risk level consistent with our risk appetite?
Do we have the right processes to manage the risk?
• Are our risk management processes aligned with our strategic decision-making process & existing performance measures?
• Are our risk management processes coordinated & consistent across the entire enterprise?
• Does everyone use the same definition of risk?
• Do we have gaps and/or overlaps in our risk coverage?
• Is our risk management process cost-effective?
Enterprise Risk Management Framework: Comprehensive Foundation for Sustainable Delivery (diagram)
KRIs, KPIs and KCIs are inherently linked to the organization's risk appetite & tolerance.

Qualitative Management Layer (columns: Identifying Events | Analyzing Causes of Events | Risk Mapping | Risk Control | Capital Management)
• Past events: Identifying Past Events; Analyzing Causes of Occurring Events; Comparative Analysis by Benchmarking; Prevention Measures for Occurring Events; Capital Allocation etc.
• Potential events: Identifying Potential Events; Analyzing Causes of Occurring or Expanding Losses; Detection Measures for Occurring Losses; Risk Mitigation or Transfer

Quantitative Management Layer
• Risk Measurement (Group, Business Line & Risk Types), fed by a VaR Engine and a Scenario Analysis & Stress-Test Engine
• Inputs: Market Data (IR, FX, Liquidity, etc.) and Potential Risk Scenarios

Audit and Inspection Layer
• Review of Audit & Inspection
Linking the Business Values & ERM Strategies – Ultimate keys to portfolio "success" (diagram)
KEY: Linking Business Value & ERM Life-Cycle Management. Elements: ERM Capital Planning; Compliance; HR & BP; Governance; Best Practice; Operations; Architecture & Standards; Information Management; Customer Service.
Other Considerations
• Regulatory changes: Convergence & Overlap of Global Guidelines & Regulations, e.g., Basel 2, IAS39/FAS133, SOX, etc.
• Infrastructure (Resource, Process, Technology) Readiness
• Corporate Culture: Mindset Change Management
ERM Internal Control Framework, e.g. Utilizing COSO's model
• Focus on the processes between each stage of ERM
• Suggested 8 components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
The COSO Framework (cube diagram)
• Can be viewed in the context of 4 objective categories
• Considers activities at all levels of the enterprise
• 8 components to ERM
Applying The COSO Framework
• Internal Environment
– Code of conduct/ethics
– Ethics hotline
– Hiring and promotion
– Audit committee oversight
– Investigative process
– Remediation
• Objective Setting
– Policy to reduce loss event incidences
– Incentivization
– Development of database of known loss event activities
• Event Identification
– Monitoring of parameters, KRIs, KPIs
– Comparison and evaluation of certain attributes and trends against previously measured patterns and known signs of risk events
– Outlier and exception analysis
• Risk Assessment
– Systematic process
– Level within organization
– Likelihood and significance
– Via Risk Probability & Impact Analysis
• Risk Response
– Evaluate threshold to mitigate
– Discontinuation, realignment of process
– New policies & procedures
– Risk Response Options:
  • Accept = Do nothing; willing to take on the risk
  • Avoid = Back-out strategy; disengage from the process leading to the risk
  • Share = Shift some of the risk to external parties (e.g., insurance, outsourcing, joint venture)
  • Mitigate = Design processes to reduce risk exposures
• Control Activities
– Linking controls to identified risk activities
– Map type of loss events to business process
– Specify how possible future loss events are to be minimized or contained
• Information/Communication
– Information systems & technology
– Knowledge management
– Training/Inculcating Talent
• Monitoring
– Ongoing monitoring by management
– Separate "after the fact" evaluations by internal audit
– Etc.
KPI & EWS Examples
Benchmarking Governance:
• Benchmarking for Financial Subsidiaries, e.g. RAROC, EVA, CAR, etc.
• Benchmarking for Non-finance subsidiaries, e.g. Key Risk-based Performance Measures (KRPM), ROA, ROE, Liquidity, etc. KRPM can be evaluated quantitatively or qualitatively (using a rating matrix)
Forward-Looking Strategic & Managerial Flexibility
• e.g., Real Options-based Scenario Modeling
Example of Key Risk-based Performance Measure (KRPM) Criteria (can be applied to both finance* & non-finance subsidiaries)
• *Till Aggregated Economic Capital (market, credit, operational) for banking institutions can be evaluated
• Other Risk measures (Expected Loss, Economic Capital)?
– Liquidity
– Operational
– Reputational
– etc.
Balance Sheet Stress Test: Related Risk & Financial Analysis
(threshold columns: Low Stress | High Stress | Negative; pairing of thresholds to measures reconstructed from the slide's row order)

Liquidity
– Current ratio: 2 | 1 or less
Solvency
– Debt to Asset ratio: 30% | 60% or more
Profitability
– Net Operating Income: Negative
Repayment Capacity
– Debt coverage ratio: 135% | 110% or less
Efficiency
– Operating expense ratio: 60% | 80% or more
– Interest expense ratio: 10% | 20% or more
– Asset turnover ratio: 40% | 20% or less
– Rate of return on equity: 10% | 5% or less
– Rate of return on assets: 5% | 1% or less
Example: Using risk indicators – escalation limits and targets for monitoring liquidity & reconciliation at one ATM/branch location
(Chart: Escalation Limits and Targets. ATM cash float, y-axis 50 to 250, monthly from Jan-98 to Jul-01. Series: historical idle cash balance. Reference lines: Escalation Limit (1st warning) and Base Limit/Goal.)
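The chart above carries two reference lines, a base limit (the goal) and an escalation limit (the first warning), over a monthly series of idle cash at one location. Turning that picture into an early-warning rule is short, but the part practitioners usually miss is the trend: a KRI can sit inside the "watch" band for months and still be heading for escalation. The following is an added example, not code from the original deck; the monthly series, the limit values, the indicator name and the assumption that both limits are upper bounds (too much idle cash is the risk being watched) are constructed for illustration.

```python
"""Key Risk Indicator (KRI) early-warning evaluator.

Added example, not from the original slides. It applies a base limit /
goal and an escalation limit (1st warning) to a monthly indicator series
and adds the supplementary trending indicator the deck recommends. The
series, limit values and the rule that limits are upper bounds are
assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Limits:
    base: float        # goal: observations above this are off-target
    escalation: float  # first-warning line: observations above this escalate

    def __post_init__(self) -> None:
        if self.escalation <= self.base:
            raise ValueError("escalation limit must lie above the base limit")


def classify(value: float, limits: Limits) -> str:
    """Map one observation to OK / WATCH / ESCALATE against upper limits."""
    if value > limits.escalation:
        return "ESCALATE"
    if value > limits.base:
        return "WATCH"
    return "OK"


def trend(series, window: int = 3) -> float:
    """Trending indicator: mean of the last `window` points minus the mean of
    the `window` points before them. Positive means the KRI is rising towards
    (or further past) its limits even if no limit has been breached yet."""
    if len(series) < 2 * window:
        raise ValueError("need at least 2 * window observations")
    recent = mean(series[-window:])
    prior = mean(series[-2 * window:-window])
    return recent - prior


def evaluate_kri(series, limits: Limits, window: int = 3) -> dict:
    """Summarise a KRI series into the fields an early-warning report needs."""
    statuses = [classify(v, limits) for v in series]
    # How many consecutive observations (ending with the latest) are off-target.
    streak = 0
    for status in reversed(statuses):
        if status == "OK":
            break
        streak += 1
    slope = trend(series, window)
    if "ESCALATE" in statuses:
        worst = "ESCALATE"
    elif "WATCH" in statuses:
        worst = "WATCH"
    else:
        worst = "OK"
    return {
        "latest": statuses[-1],
        "worst": worst,
        "months_off_target": streak,
        "escalations": sum(s == "ESCALATE" for s in statuses),
        "trend": slope,
        # A rising trend inside the WATCH band is the early warning: act
        # before the escalation limit is crossed, not after.
        "early_warning": statuses[-1] == "WATCH" and slope > 0,
    }


# Constructed monthly idle-cash balances (thousands) for one ATM location.
SAMPLE_IDLE_CASH = [120, 118, 125, 131, 140, 152, 149, 158, 166, 171, 175, 182]
SAMPLE_LIMITS = Limits(base=150, escalation=200)

if __name__ == "__main__":
    print(evaluate_kri(SAMPLE_IDLE_CASH, SAMPLE_LIMITS))
```

On the constructed series nothing ever crosses the escalation limit, yet the indicator has been off-target for five months and the three-month trend is rising by about 18 per period, so the evaluator raises the early warning; a pure threshold check would have stayed silent.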
Cash Management (Operational Risk Management) Strategy (diagram): Economic Capital; Enhanced Profitability Strategy (marketing campaign); Liquidity; Performance; Reputation; Cash Pooling; Liquidity Management; Branch Performance; Bank Performance.
Risk-Based Performance Benchmarking (PIT Snapshot): ERM view (RAROC vs Hurdle)
(Chart: RAROC (%) per organization, y-axis 0 to 18, organizations 0 to 12 on the x-axis, against a horizontal Hurdle Rate line.)
NOTE: Important to have a supplementary trending indicator, e.g., 'Trending RAROC'
Forward-Looking Scenario Modeling, e.g. Capital-at-Risk/Economic Capital
• Time-horizon usually 1 year
• Confidence level consistent with rating target
– Usually 99.95% or higher
• Whole balance sheet
(Chart: probability of outcome against value one year out, starting from the current value; marks the expected value and the worst-case value at a level consistent with an AA rating; CaR spans the distance between the expected and worst-case values.)
In stressed environments, typically greater loss in value, hence leading to credit downgrade.
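The two slides above (RAROC against a hurdle rate with a trending indicator, and Capital-at-Risk at a rating-consistent confidence level over one year) are easier to reason about once the numbers are computed. The following is an added example, not code from the original deck: it uses a parametric normal model for the one-year change in value (an assumption; the deck does not specify a distribution), and all balance-sheet values, revenues, costs, hurdle rate and RAROC histories are constructed. It also shows the deck's stress point directly: the same balance sheet under higher volatility produces a lower worst case and a larger CaR.

```python
"""Capital-at-Risk (economic capital) and RAROC against a hurdle rate.

Added example, not from the original slides. Parametric Capital-at-Risk
over a one-year horizon at a confidence level consistent with a rating
target (the deck cites 99.95% or higher), then a RAROC-versus-hurdle
snapshot with a supplementary trending indicator. The normal model for
one-year value change and every input value below are assumptions.
"""
from statistics import NormalDist, mean


def capital_at_risk(current_value: float, expected_return: float, volatility: float,
                    confidence: float = 0.9995, horizon_years: float = 1.0) -> tuple:
    """Return (expected_value, worst_case_value, car).

    Assumption: the relative change in value over the horizon is normal with
    mean expected_return * horizon and standard deviation
    volatility * sqrt(horizon). The worst case is the value at the
    (1 - confidence) lower tail. CaR is the gap between the expected and
    worst-case values: capital held against unexpected loss, since expected
    loss is already reflected in the expected value.
    """
    if not 0.5 < confidence < 1.0:
        raise ValueError("confidence must be a one-sided tail probability in (0.5, 1)")
    mu = expected_return * horizon_years
    sigma = volatility * horizon_years ** 0.5
    z = NormalDist().inv_cdf(confidence)  # about 3.29 at 99.95%
    expected_value = current_value * (1.0 + mu)
    worst_case = current_value * (1.0 + mu - z * sigma)
    return expected_value, worst_case, expected_value - worst_case


def raroc(revenue: float, expected_loss: float, operating_cost: float,
          economic_capital: float) -> float:
    """Risk-adjusted return on capital as a fraction: earnings net of expected
    loss and operating cost, over the economic capital backing the business."""
    if economic_capital <= 0:
        raise ValueError("economic capital must be positive")
    return (revenue - expected_loss - operating_cost) / economic_capital


def benchmark(raroc_history: dict, hurdle: float) -> dict:
    """Point-in-time RAROC vs hurdle per business line, plus the trend
    (latest RAROC minus the mean of the earlier observations). The trend
    separates a line that clears the hurdle today but is deteriorating from
    one that misses it but is improving."""
    report = {}
    for line, history in raroc_history.items():
        if len(history) < 2:
            raise ValueError(f"{line}: need at least two observations for a trend")
        latest = history[-1]
        delta = latest - mean(history[:-1])
        above = latest >= hurdle
        if above:
            verdict = "ABOVE" if delta >= 0 else "ABOVE_BUT_FALLING"
        else:
            verdict = "BELOW_BUT_IMPROVING" if delta > 0 else "BELOW"
        report[line] = {"raroc": latest, "above_hurdle": above,
                        "trend": delta, "verdict": verdict}
    return report


# Constructed inputs: a 1,000 unit balance sheet with zero drift, base
# volatility 10% and stressed volatility 15%; RAROC histories as fractions.
BALANCE_SHEET = 1000.0
BASE_VOL, STRESSED_VOL = 0.10, 0.15
HURDLE = 0.12
RAROC_HISTORY = {
    "Retail": [0.10, 0.12, 0.15],
    "Corporate": [0.16, 0.13, 0.11],
}

if __name__ == "__main__":
    ev, wc, car = capital_at_risk(BALANCE_SHEET, 0.0, BASE_VOL)
    _, wc_s, car_s = capital_at_risk(BALANCE_SHEET, 0.0, STRESSED_VOL)
    print(f"expected {ev:.1f}  worst {wc:.1f}  CaR {car:.1f}")
    print(f"stressed: worst {wc_s:.1f}  CaR {car_s:.1f}")
    print(f"RAROC (constructed line): {raroc(60, 12, 18, 200):.2%} vs hurdle {HURDLE:.0%}")
    print(benchmark(RAROC_HISTORY, HURDLE))
```

With zero drift the expected value equals the current value, so CaR is simply z times the one-year volatility times the balance sheet: about 329 at 99.95% on the constructed inputs, rising to about 494 under the stressed volatility. Lowering the confidence to 99% cuts the capital requirement by roughly a third, which is why the confidence level has to be pinned to the rating target rather than chosen for convenience. In the benchmark, "Corporate" sits below the hurdle with a falling trend while "Retail" clears it and is improving; the snapshot alone would not have distinguished their directions.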
6. How to Achieve Balance on Cost of Compliance
• Back to how risk is perceived with regards to threat, uncertainty and opportunity
• Compliance/Regulatory risk represents an uncertainty that can be managed via:
– connectivity and integration of ERM's main risk management components,
– the coverage of the risk management process and the contexts under which it is considered
• The EWRM framework encapsulates the critical incorporation of corporate governance into the risk universe, including the audit and compliance assurance to be provided, and the critical success factors of the appropriate risk-and-return balance in providing superior client service and innovative products and solutions
• Benchmarking to Key Risk-based Performance Measures & Forward-looking Scenario Analysis
Post-Implementation: ERM Cycle (diagram)
• FI Profile / Internal & External Changes: consider changes to Agency Ratings; Ownership/Management/Corporate Structure; Business Strategy/Plan; CPA Report or Auditor; Legal or Regulatory Status
• RM Evaluation
• Priority System: based on ratios and analysis to measure Capital Adequacy; Asset Quality; Reinsurance; Reserves; Management; Earnings; Liquidity; Sensitivity to Market
• Supervision: develop ongoing internal supervision that includes frequency of audit; scope of audit; meetings with BL, Risk Management; follow-up on recommendations; financial analysis monitoring
• Risk-Focused Examination: identify functional activities; identify/assess inherent risk; identify & evaluate controls; determine residual risk; establish procedures and conduct evaluation; evaluation report/management letter
• Financial Analysis: includes Risk Assessment Results; Financial Analysis Handbook Process; Ratio Analysis (IRIS, FAST, Internal Ratios); Actuarial Analysis
ERM Value Framework (diagram)
• Value Management asks: How much capital do I need?
• Risk and Capital Management asks: What type of capital do I need?
• Elements: Portfolio of Enterprise Risks; Portfolio of Capital Resources; Risk Structure; Economic Capital; Capital Costs; Return On Risk; Capital Adequacy; Value Creation
Maximize value by using economic capital to relate a firm's decisions on the risks it takes to the decisions on the capital it uses to finance its business.
7. Concluding Remarks: EWRM Defined
While the final outcome is a working ERM system, ERM by itself is always a work in progress.
In a dynamic and changing business environment, ERM should be viewed as an evolutionary development and provide for an incremental delivery of products, services and tools that can help an organization manage its risks going forward.
It has to take into account the demands and needs of diverse regulatory drivers like Basel 2, IAS and SOX and yet be able to aggregate and present the risk-based information in a uniform and simple language, understood by all and to be acted upon for the benefit of the organization.
Implications of a Good EWRM Implementation
• Enhancing Business Continuity/Endurance
• Enhancing Shareholder Value
• Enhancing Profit & Performance
• Ensuring Enforcement for Regulatory Compliance
• Exploiting Opportunities via Managerial Flexibility with Strategic Planning
Risk response planning (diagram notes)
• Envisioning meeting
• Data from past losses; data from prior studies; risk mapping
• Insurance; loss control / mitigation; risk financing alternatives
• Who decides acceptability of risks? How quickly to resolve? Who implements solutions?
Thank You
GS Khoo, PhD, Head, Global Risk (Models Validation), Standard Chartered Bank
Office: +65 6427 5283; S'pore cell: +65 9825 2148
Email: [email protected]@standardchartered.com or [email protected]@yahoo.com