- Number of slides: 69
Enterprise Risk Management – Global Best Practices
A Higher Standard for Risk Professionals, www.prmia.org
David Millar, Chief Operating Officer, The Professional Risk Managers’ Association
Agenda
• Definition of ERM
• The risks that make up ERM
• Standard ERM frameworks
• Some case studies
• The components of risk
• Risk architectures
• The benefits of ERM
• Implementation issues
• Some more case studies
• Ten questions for best practice ERM
A definition of ERM
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Standards
Breakdown – “a process”
• Procedures, a framework, a set of standards, rules, etc. governing activities and implementing controls
• Involves many (possibly all) employees in an entity (company)
✓ Is written down somewhere and must be kept up to date
✓ There will be a person (not persons) ultimately responsible for the processes, i.e. Head of Group Risk, Chief Risk Officer
✓ Involves communication (in both directions) as well as activities
✓ Needs to be managed, monitored and, increasingly so, reported to the regulators and disclosed to the public.
Breakdown – “in a strategy setting”
[Diagram: project risk and enterprise risk seen from the ERM view, with arrows between them (etc., etc.), i.e. complex dependencies]
Breakdown – “across the enterprise”
[Diagram: Bank, TV, Farming, Oil and Shipping businesses under one group]
A single view of risk across the entire company or group
Breakdown – “identify potential events” / “manage risks”
[Chart: loss distribution, % against $, showing expected losses, unexpected loss (but identified risk) and “tail” data]
• Categorise
• Identify
• Assess
• Consolidate
• Monitor
• Mitigate
OR
o Model
o Record
o Evaluate
o Report
o Disclose
Breakdown – “risk appetite” / “reasonable assurance”
• Business strategy = risk x benefit (both need to be identified)
• 100% risk-free is neither expected nor beneficial
✓ Risk appetite needs to be agreed at board level and documented
✓ An entity needs to identify risks (and their probability) and have a strategy to survive these events
✓ Risk is a commodity and can be hedged
✓ Risk can be covered internally
✓ Risk can be insured externally
✓ The requirement is to be able to apply measures
The risks that make up ERM
ERM – What risks are included in ERM
Definitely:
• Strategic
• Credit
• Market
• Operational
• Local disaster
• Political / terrorism
• External fraud
• Mismanagement
Probably:
• Legal
• Regulatory
• Technology
• Human Resources
• Reputational
• Material supplies
• Energy supplies
• Share liquidity
• Internal fraud
Maybe …:
• Weather
• Political / government
• Global disaster
• Ethical
Measure risk where possible …
Example of the relative losses due to risk events measured in a European bank. Note that reputational and strategic losses have not been attributed or measured.
[Pie chart: shares of 38.09%, 28.43%, 27.49%, 4.76% and 1.23%; the risk type attached to each share is not recoverable from the text]
Note: In this example, ALM Risk is classified as Interest Risk and Liquidity Risk across the balance sheet. Market risk is Pricing & Currency Risks only.
Source: Diagram – WestLB, March 2004; Ratio – DM
… even if not apparently possible
• You may not have:
– Overall probability = 0.15%, probability in this unit = 0.27%
– Average impact = $49,500, maximum loss = $346,350
• But you can have:
– Probability = very likely
– Effectiveness of this unit = moderate
– Impact = serious
– Losses = in range $200,000 to $500,000
• Enough to create a traffic light system
Some initial definitions – strategic risk
• Strategic risk creates an adverse impact on an entity, its earnings or capital derived from:
– adverse business decisions,
– improper implementation of decisions, or
– lack of responsiveness to industry changes.
• It involves an entity’s
– strategic goals,
– the strategies to achieve those goals,
– the resources available and
– the quality of implementation.
• Resources include communication channels, operating processes, delivery networks, and managerial capacity and capability.
• These are evaluated against the impact of regulatory, economic, technological, competitive and environmental changes.
Financial risk
Credit risk: The risk that a counterparty to a financial obligation will default on repayments linked to the obligation.
Market risk: The risk that investments will lose value based on the daily fluctuations of the market in share prices, currency rates and interest rates.
Liquidity risk: The risk that arises from the difficulty of selling an asset; the difference between the book value of the asset and the likely price to be obtained. What about physical assets such as plant and property?
ALM risk: A risk? I believe that Asset & Liability Management is not a risk but a framework of financial management of risks comprising the above three risks.
Operational risk
Operational risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk but excluding strategic and reputational risk.
• Internal fraud – intentional misreporting of positions, employee theft, and insider trading on an employee’s own account.
• External fraud – robbery, forgery, cheque fraud and computer hacking.
• Employment practices – compensation claims, violation of health and safety rules, organised labour activities, discrimination claims, and general liability.
• Clients, products, business practices – breach of trust, misuse of information, improper activities, money laundering, and sale of unauthorised products.
• Damage to physical assets – terrorism, vandalism, earthquakes, fires and floods.
• Business disruption and system failures – hardware and software failures, telecommunication problems, and utility outages.
• Execution, delivery and process (middle) management – data entry errors, handling failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance, and vendor disputes.
From: Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk, February 2003
Other risks
Regulatory risk: The risk of penalties, restrictions on business or closing of business due to failure to adhere to regulatory requirements – less a risk, more a symptom, or a control.
Government risk: Impact of political changes on the business – strategic risk?
Technology risk: Choosing the wrong technology, failing to anticipate new technology, falling behind competition – in strategic risk?
Legal risk: Risk from uncertainty due to legal actions or uncertainty in the applicability or interpretation of contracts, laws or regulations – usually included in operational risk.
Human Capital risk: Lack of resources, lack of the right resources – could be in operational or strategic risk.
Supplies failures risk: Lack of raw materials, or geological developments for mining organisations – where does this go in the risk scenario?
Project risk: A combination of risk types applied to a single project – can be a subset of ERM at a low level for a fixed time.
Reputational risk: Corporate name, brand image, “word of mouth” – impact on public and analysts – include “ethical risk”?
Some case studies
Shell (2003-4)
• Shell are quoted on both Dutch and UK exchanges and on the NYSE (via ADRs) as Shell Transport & Trading and Royal Dutch Petroleum.
• Shell overstated its proven oil reserves from 1998 to 2004 by up to 25%. Management were rewarded on the basis of reserves quoted.
• The misrepresentation could no longer be hidden in the accounts and directors of Shell began to worry about the Sarbox implications.
• The FSA and SEC indicated in 2001 that they were unhappy about the figures. Shell said their views were “immaterial or overly pessimistic”.
• Shell have now been found to have committed “market abuse” including the release of false data leading to inflated share prices. Shell are fined $140M and have to put in extensive controls to prevent a repeat. There are criminal proceedings against individuals.
• There is market concern that other oil companies have been doing the same. This will also impact the ratings of the sovereign oil countries.
• A controls loss which will impact on share price.
Metallgesellschaft (1993)
• A metal company, owned by Deutsche Bank, Allianz/Dresdner, Daimler-Benz and the Kuwait Investment Authority, which moved into risk management services and energy derivatives.
• It sold 10 year oil contracts at fixed prices over spot with an option to terminate early if the NYMEX price > MG selling price. MG then paid half the difference between the futures price and the MG prices.
• It managed this through volume dealing and a hedging strategy. Studies have shown this strategy was mathematically valid.
• It failed as the size of the deals impacted the market, causing liquidity issues and creating cash flow problems. US (then) accounting rules allowed hedge proceeds to be netted, German rules did not, creating a poor balance sheet which affected credit rating and reputation.
• The Management and Supervisory Boards pleaded ignorance of the situation. MG announced losses of $1.5 billion at the end of 1993.
Citigroup (2004)
• August 2nd – a quiet Monday holiday period in Europe. Citigroup traders started dumping European government bonds – €11B worth of sell orders in 2 minutes in 100 bonds on 11 markets using 13 trading platforms. The trading platforms were swamped – prices fell rapidly.
• An hour later, Citigroup attacked again, buying €4B of bonds cheaply. This trading coup netted the bank €15M+.
• Citigroup did nothing wrong. However
– the market (Citigroup’s counterparties) claim they broke a gentleman’s agreement for orderly trading in government bonds,
– governments (Citigroup’s clients) are angered that their bond prices have fallen overall and their trading platforms were trashed.
• Citigroup claim high ethical values. The market would disagree. This may have cost Citigroup more than the €15M profit in lost fees.
Standard risk frameworks
Risk frameworks
[Diagram: Enterprise Risk – assessments, indicators, controls and events data – drawing on the risk areas below]
Financial Risks: Credit; Market Pricing; Interest Rate; Liquidity; ALM
Operational Risks: Operational; Disaster; Fraud; Terrorism; Project
Other Risks: Strategic & Regulatory Risks; Supplies failure; Legal; Technology; Government
Enterprise Risk Framework
• Enterprise risk frameworks:
– … are the consolidation of many lower level, risk area specific risk frameworks – many of these will already be in existence (credit risk, project risk, ALM)
– … can be built (and should be so planned) over time
– … should be structured to suit individual need (business, regulations, share structure)
– … must not detract from, and must work in harmony with, current and local risk framework solutions
• Do not get obsessed with quantification over qualification.
• There are no complete pre-packaged solutions but a number of established ERM frameworks.
• Globally, most are building their own framework from scratch around established software packages or are modifying / expanding the COSO standards.
The COSO Framework
• The Treadway Commission (1987) recommended that public companies must be able to “identify, understand, and assess the factors that may cause its financial statements to be fraudulently misstated”.
• This was not enacted (lots of US lobbying) but a control framework was developed entitled "Committee of Sponsoring Organizations Internal Control – Integrated Framework" (COSO) – released in 1992.
• COSO ERM project launched in 2001, builds on COSO Internal Control Framework, consists of framework and application guidance. Draft released in 2003 and full version released in August, 2004 (www.cpa2biz.com/CS2000/Products/CPA2BIZ/Publications/COSO+Enterprise+Risk+Management+-+Integrated+Framework.htm).
• The SEC rule-making for Sarbanes-Oxley Section 404 mandated that a company’s internal control over financial reporting be based on a recognized internal control framework. The COSO framework was suggested by the SEC but they will accept locally-approved risk frameworks from overseas if they match COSO.
The COSO structure
[Diagram: the COSO cube]
• Allows structured risk management
• Is enterprise-wide
• Allows objectives to be assessed with different criteria
• Allows controls to be looked at from different perspectives
Source: 2003 COSO Draft
The COSO Components (Reference – for later reading)
Internal Environment: Lays down a philosophy and culture (unexpected as well as expected events), considers all activities.
Objective Setting: Enables management to consider risk appetites, policies and tolerances when setting objectives.
Event Identification: Identifies risks and opportunities. Concentrates on internal and external risks that affect objectives.
Risk Assessment: Looks at impact and likelihood – qualitative and quantitative measures – inherent and residual risk.
Risk Response: Identifies and evaluates possible responses – costs v. benefits – impact of responses.
Control Activities: Common standard throughout organisation – ensures policies are adhered to and responses carried out.
Information & Communication: Provides top level information – communicates events and impact up, down and across the organisation.
Monitoring: Monitors effectiveness against agreed measures – evaluates responses – allows scenario testing.
Source: 2003 COSO Draft
The COSO Control Model (Reference – for later reading)
CONTROL ENVIRONMENT
• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors/Audit Committee
• Management Philosophy and Operating Style
• Organization Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Practices
RISK ASSESSMENT
• Entity-Wide Objectives
• Activity-Level Objectives
• Risk Identification
• Change Management
CONTROL ACTIVITIES
• Top Level Reviews
• Direct Functional or Activity Management
• Information Processing
• Physical Controls
• Performance Indicators
• Segregation of Duties
• Controls Over Information Systems
– Data Centre
– Application Development & Maintenance
– System Software
– Access Security
– Application Controls
INFORMATION AND COMMUNICATION
• Information
• Communication
MONITORING
• Ongoing Monitoring
• Separate Evaluations
• Reporting Deficiencies
AS/NZS 4360-1999
• The world’s first ERM standard?
• Australia New Zealand Standard 4360:2004, www.riskmanagement.com.au – 2 volumes (from AUD$94.50 in pdf format)
• Risk Scoring – Consequence x Likelihood
• Risk Assessment – Qualitative and / or Quantitative
• Updated Sept ’04 – to include risk opportunity features
AS/NZS 4360-1999 – Contents (Reference – for later reading)
1 Scope and general
2 Risk management process overview
3 Communication and consultation
3.1 General statement
3.2 What is communication and consultation?
3.3 Why communication and consultation are important
3.4 Developing a process for communication and consultation
4 Establish the context
4.1 Context
4.2 Objectives and environment
4.3 Stakeholder identification and analysis
4.4 Criteria
4.5 Consequence criteria
4.6 Key elements
4.7 Documentation of this step
5 Risk identification
5.1 Aim
5.2 Components of a risk
5.3 Identification process
5.4 Information for identifying risks
5.5 Approaches to identifying risks
5.6 Documentation of this step
6 Risk analysis
6.1 Overview
6.2 Consequence and likelihood tables
6.3 Level of risk
6.4 Uncertainty
6.5 Analysing opportunities
6.6 Methods of analysis
6.7 Key questions in analysing risk
6.8 Documentation of the analysis
7 Risk evaluation
7.1 Overview
7.2 Types of evaluation criteria
7.3 Evaluation from qualitative analysis
7.4 Tolerable risk
7.5 Judgement implicit in criteria
7.6 Evaluation criteria and historical events
8 Risk treatment
8.1 Introduction
8.2 Identify options
8.3 Evaluate treatment options
8.4 Selecting options for treatment
8.5 Preparing treatment plans
8.6 Residual risk
9 Monitoring and review
9.1 Purpose
9.2 Changes in context and risks
9.3 Risk management assurance and monitoring
9.4 Risk management performance measurement
9.5 Post-event analysis
10 Recording the risk management process
10.1 Overview
10.2 Compliance and due diligence
10.3 Risk register
10.4 Risk treatment schedule and action plan
10.5 Monitoring and audit documents
10.6 Incident data base
10.7 Risk Management Plan
11 Establishing effective risk management
11.1 Policy
11.2 Management commitment
11.3 Responsibility and authority
11.4 Resources and infrastructure
11.5 Culture change
11.6 Monitor and review risk management effectiveness
11.7 The challenge for leaders – Integration
11.8 The challenge for managers – Leadership
11.9 The challenge for all – Continuous improvement
11.10 Key messages and questions for managers
12 References
12.1 Standards and Handbooks
12.2 Further reading
Other Frameworks (Reference – for later reading)
• The UK’s Turnbull Committee’s 1999 report was updated in 2005 – http://www.frc.org.uk/corporate/internalcontrol.cfm
• The Canadian Institute of Chartered Accountants created the Criteria of Control (CoCo) Board, now the Risk Management and Governance Board, and published the CoCo Guidance on Control (1995) (www.cica.ca).
• The Association of Insurance & Risk Managers (www.airmic.com), The Institute of Risk Management (www.theirm.org) and The National Forum for Risk Management in the Public Sector (www.alarm-uk.com) have created a Risk Management Standard for their members. Available free at their websites.
• The King Committee on Corporate Governance (King II) from South Africa. Copies for R600 plus postage – from http://www.iodsa.co.za/downloads/reports/kingreport_orderform.pdf
• Another available standard is that from the UK's Treasury Department. This is available from http://www.hmtreasury.gov.uk/media/3/5/FE66035B-BCDC-D4B311057A7707D2521F.pdf
Risk components
Financial and Non-Financial Risk
Enterprise Risk is essentially non-financial with a large financial component.
[Diagram: Enterprise Risk spanning Non-Financial (will include some financial) and Pure Financial, fed by risk data from the areas below]
Strategic Risks
Financial (Trading) Risks: Credit; Market Pricing; Interest Rate; Liquidity; ALM
Operational (Procedural) Risks: Operational; Disaster; Fraud; Terrorism; Project; Legal
Other Risks: Regulatory; Reputational; Pandemic; Environment; Government
Financial risk
• Financial Risk – Balance Sheet Risk
• Assets (what you have or what is due to come into your possession at a future date) and Liabilities (what you owe to someone else) can all be given a numeric financial value and these values can be balanced.
• However, the value of these can vary:
– The market price can go up or down
– The value you give can be right or wrong
– The expected payment for services given or taken can vary
– The currencies involved can move against each other
– You may not receive what is owed to you
– You may not be able to realise the validly quoted price
Financial risk
• All financial risk can be modelled (in theory and as long as you get the modelling factors right)
• The risks are a combination of many, volatile parameters
• An asset or a liability can be given a value – and the risk that an asset or liability can vary in value (to zero in the case of default) can also be given a value
• This value can then be protected through:
– Hedging – buying a liability or asset which varies in price exactly opposite to the value of the original asset or liability
– Insurance – purchasing a policy that pays up in the event of the value of the asset or liability changing by more than an agreed value
– Capital – storing money away against a rainy day
Non-financial (operational) risk
• Has financial and non-financial impacts
• A much wider range of categories of types of risk
• A much smaller volume of incidents (risk or loss events)
• Cannot always be quantified
• Less historic data
• Less commonality of recording incidents
• May be dependent on qualitative analysis
• Can have a much greater impact than financial risk
• Incidents are not always obvious
• Recording depends on human intervention, attitude, willingness and interpretation
What are the components of non-financial risk management?
• Risk identification
• Risk (and other components) categorisation
• Organisational modelling
• Risk assessment
• Loss event recording
• Management and mitigation
• Reporting and analysis
The building blocks of non-financial risk
• Risk categorisation
– Descriptions
– Likelihood (probability)
– Impact – both inherent and residual
• Risk structure(s)
• Risk controls
• Risk indicators
• Risk events (incidents or transactions)
– Parameters
– Potential impact
– Actual impact
– Knock-on effects
A risk structure
[Diagram: RISK REGISTER – a flat table of risks (1, 2, 3, 4, etc.), each with attributes]
A risk structure
[Diagram: PRIME RISK STRUCTURE (1) linked one-to-many to the RISK REGISTER (2), a flat table of risks (1, 2, 3, 4, etc.) with attributes]
1 Up to N levels, risks linked at lowest level
2 i.e. People, Processes, Systems and External – by board director responsibilities – with alternative frameworks i.e. Geography – Product Line – Regulation (FSA, Health & Safety, Data Protection, etc)
A risk structure
[Diagram: PRIME RISK STRUCTURE (1) linked one-to-many to the RISK REGISTER (2), a flat table of risks (1, 2, 3, 4, etc.) with attributes; an EVENTS REGISTER (3), a flat table of events (A, B, C, D, etc.) with attributes, linked many-to-many to the risks]
1 Up to N levels, risks linked at lowest level
2 i.e. People, Processes, Systems and External – by board director responsibilities – with alternative frameworks i.e. Geography – Product Line – Regulation (FSA, Health & Safety, Data Protection, etc)
3 i.e. ORX structure – BBA GOLD structure – Basel structure
A risk structure
[Diagram: PRIME RISK STRUCTURE (1) linked one-to-many to the RISK REGISTER (2), a flat table of risks (1, 2, 3, 4, etc.) with attributes; an EVENTS REGISTER (3), a flat table of events (A, B, C, D, etc.) with attributes, linked many-to-many to the risks; a CONTROLS REGISTER (4), a flat table of controls (α, β, γ, δ, etc.) with attributes, linked many-to-many to the risks]
1 Up to N levels, risks linked at lowest level
2 i.e. People, Processes, Systems and External – by board director responsibilities – with alternative frameworks i.e. Geography – Product Line – Regulation (FSA, Health & Safety, Data Protection, etc)
3 i.e. ORX structure – BBA GOLD structure – Basel structure
4 i.e. Manual controls – Automated controls – Management controls, Accounting controls, etc
A risk structure with indicators
[Diagram: PRIME RISK STRUCTURE (up to N levels, risks linked at lowest level) linked to RISKS (flat table 1, 2, 3, 4, etc. with attributes); EVENTS (flat table A, B, C, D, etc. with attributes) and CONTROLS (flat table α, β, γ, δ, etc. with attributes) linked to the risks; INDICATORS (4) (flat table a, b, c, d, etc. with attributes) linked to the structure]
4 Transaction indicators, HR indicators, External indicators such as weather, etc
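As an added illustration (not code from the presentation or from PRMIA), the following Python sketch implements the structure of the last five slides together with the qualitative traffic-light scoring of the "… even if not apparently possible" slide and the AS/NZS 4360 consequence x likelihood score: a flat risk register, an N-level prime risk structure with risks linked at the leaves, events and controls registers linked many-to-many to risks, and a red/amber/green rating rolled up the structure. The five-point scales, the thresholds, the node names and the sample rows are constructed assumptions.

```python
"""Toy model of the risk structure on the slides: a flat RISK REGISTER, a
PRIME RISK STRUCTURE of up to N levels with risks linked at the leaves,
EVENTS and CONTROLS registers linked many-to-many, and a qualitative
traffic-light score (consequence x likelihood) rolled up the structure.
All names, scales and sample rows below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed five-point ordinal scales (the slides only name bands such as
# "very likely" and "serious"); score = consequence x likelihood.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "very likely": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "serious": 4, "severe": 5}
RANK = {"green": 0, "amber": 1, "red": 2}


def traffic_light(likelihood: str, impact: str) -> str:
    """Assumed thresholds: 15-25 red, 8-14 amber, 1-7 green."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    return "red" if score >= 15 else "amber" if score >= 8 else "green"


@dataclass
class Risk:  # one row of the flat risk register
    risk_id: int
    description: str
    likelihood: str
    inherent_impact: str  # before controls
    residual_impact: str  # after controls


@dataclass
class Node:  # one node of the prime risk structure
    name: str
    children: List["Node"] = field(default_factory=list)
    risk_ids: List[int] = field(default_factory=list)  # populated at leaves only


@dataclass
class Register:
    risks: Dict[int, Risk] = field(default_factory=dict)
    events: Dict[str, str] = field(default_factory=dict)
    controls: Dict[str, str] = field(default_factory=dict)
    event_links: List[Tuple[str, int]] = field(default_factory=list)  # event -> risk
    control_links: List[Tuple[str, int]] = field(default_factory=list)  # control -> risk

    def risks_for_event(self, event_id: str) -> List[int]:
        return sorted(r for e, r in self.event_links if e == event_id)

    def controls_for_risk(self, risk_id: int) -> List[str]:
        return sorted(c for c, r in self.control_links if r == risk_id)


def node_rating(node: Node, reg: Register, residual: bool = True) -> str:
    """Roll ratings up the tree: a node is as bad as its worst risk or child."""
    ratings = ["green"]  # an empty branch reports green
    for rid in node.risk_ids:
        risk = reg.risks[rid]
        impact = risk.residual_impact if residual else risk.inherent_impact
        ratings.append(traffic_light(risk.likelihood, impact))
    ratings += [node_rating(child, reg, residual) for child in node.children]
    return max(ratings, key=RANK.__getitem__)


def find_node(node: Node, name: str) -> Node:
    """Depth-first lookup of a structure node by name (raises if absent)."""
    if node.name == name:
        return node
    for child in node.children:
        try:
            return find_node(child, name)
        except KeyError:
            pass
    raise KeyError(name)


def build_sample() -> Tuple[Register, Node]:
    """Constructed sample data; not taken from any real register."""
    reg = Register()
    for rid, desc, lik, inh, res in [
        (1, "Loss of key trading-desk staff", "possible", "serious", "moderate"),
        (2, "Trading platform outage", "likely", "severe", "minor"),
        (3, "Data entry error in settlement", "very likely", "moderate", "negligible"),
        (4, "Flood at data centre", "rare", "severe", "serious"),
    ]:
        reg.risks[rid] = Risk(rid, desc, lik, inh, res)
    reg.events["E1"] = "Platform outage of two hours on a settlement day"
    reg.event_links += [("E1", 2), ("E1", 3)]  # one event hits two risks
    reg.controls.update({"C1": "Hot-standby platform", "C2": "Four-eyes check on input",
                         "C3": "Key-person retention plan"})
    reg.control_links += [("C1", 2), ("C2", 3), ("C3", 1)]
    # Prime structure: People / Processes / Systems / External, as on the slide.
    root = Node("Enterprise", children=[
        Node("People", risk_ids=[1]),
        Node("Processes", children=[Node("Settlement", risk_ids=[3])]),
        Node("Systems", risk_ids=[2]),
        Node("External", risk_ids=[4]),
    ])
    return reg, root


if __name__ == "__main__":
    reg, root = build_sample()
    for name in ["Enterprise", "People", "Processes", "Systems", "External"]:
        n = find_node(root, name)
        print(f"{name:10s} inherent={node_rating(n, reg, False):5s} "
              f"residual={node_rating(n, reg):5s}")
```

Comparing the inherent and residual roll-ups shows which branch of the structure the controls register actually moves out of the red.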
Risk categorisation (Merrill Lynch Capital)
• 52 risks grouped into categories:
– People
– Financial
– Credit
– Reporting & Control
– Customer Suitability & Servicing
– External
– Technology
– Legal/Regulatory
– Reputational (!)
• People risks:
– Employee Fraud
– Resource Management
– Involuntary Downsizing / Restructuring / Constrained Resources
– Loss of Key Individuals / Teams
– Lack of Training / Experience / Knowledge / Ability
– Knowledge Capital Risk
– Efficiency Risk
– Leadership Risk
– Authority / Limit Risk
– Performance Incentives Risk
– Change Readiness Risk
– Alignment Risk
People Risk: The risk of loss related to management and deployment of people including inappropriate resource management (e.g., lack of training and constrained resources), inappropriate management oversight, employee irregularities, discrimination, harassment and turnover.
Architecture – how does it all fit together?
An ERM architecture consists of interlocking parts
[Diagram of interlocking components for a trading business:]
• Transaction Compliance – transparency, best execution, Conduct Of Business, etc.
• Transaction Processing – direction and control, disclosure, etc.
• Risk Management – quote, buy/sell, clear, settle, report, etc.
• MIS and Internal Audit – strategic capital adequacy, risk management, event repair, etc.
• Business Controls – trading limits, management processes and authorisations, etc.
A similar model could be created for the retail financial or insurance businesses.
Types of risk
[Diagram: Enterprise Risk – assessments, indicators, controls and events data – drawing on the risk areas below]
Strategic Risks
Financial (Trading) Risks:
• Credit
• Market Pricing
• Interest Rate
• Liquidity
• ALM
Operational (Procedural) Risks:
• Operational
• Disaster
• Fraud
• Terrorism
• Project
Other Risks:
• Regulatory
• Pandemic
• Legal
• Environment
• Government
A risk MIS view
[Diagram: Board/Senior Management fed by a Risk MIS. The Risk MIS carries risk indicators (days debtors, limits and positions, capital allocation, oil reserves, response time, % leavers, parts returned, net sales, etc.) drawn from the ALM / ALCO, Operational Risk, Credit Risk, Liquidity Risk and Market Risk systems, which in turn take transaction data and local KRIs from Manufacturing, CRM, Sales systems, HR management and Accounts]
An enterprise risk MIS view
[Diagram: Board/Senior Management fed by an Enterprise Risk MIS and a Strategic Risk System, which also take in Corporate Goals and Risk Appetite. The Enterprise Risk MIS carries risk indicators (days debtors, limits and positions, capital allocation, oil reserves, response time, % leavers, parts returned, net sales, etc.) drawn from the ALM / ALCO, Operational Risk, Credit Risk, Liquidity Risk and Market Risk systems, which in turn take transaction data and local KRIs from Manufacturing, CRM, Sales systems, HR management and Accounts]
External Information:
• Competitor reports
• Demographics
• Weather trends
• Financial trends
• Gartner, etc
• New technologies
• Political moves
• Etc.
A corporate MIS view
[Diagram: Board/Senior Management fed by a Corporate MIS, a Strategic Risk MIS and an Enterprise Risk System, which take in Corporate Goals, Risk Appetite and External Information. The risk indicators (days debtors, limits and positions, capital allocation, oil reserves, response time, % leavers, parts returned, net sales, etc.) come from the ALM / ALCO, Operational Risk, Credit Risk, Liquidity Risk and Market Risk systems; regular corporate performance data and transaction data and local KRIs come from Manufacturing, CRM, Sales systems, HR management and Accounts]
External Information:
• Competitor reports
• Demographics
• Weather trends
• Financial trends
• Gartner, etc
• New technologies
• Political moves
• Etc.
Data implications
Financial (credit, market, liquidity, etc) risk:
• Real-time
• High availability
• High performance requirements
• Very large amounts of data
• Kept for a long time
• Data comes from existing core systems
Non-financial (operational and strategic) risk:
• Once a day for input
• Once a month for reporting
• Low performance requirements
• Relatively small amounts of data
• Kept for a long time
• Data collection systems need to be developed
The benefits of ERM
Enterprise risk management
Organisations believe Enterprise Risk Management (ERM) can help increase the value of their companies. This belief is founded upon ERM’s potential to:
• avoid “land mines” and other surprises
• improve the stability and quality of earnings
• enhance growth and return by more knowledgeably exploiting risk opportunities and managing/allocating capital
• identify specific opportunities such as natural synergies and risk arbitrage
• reassure their many stakeholders that the business is well managed – stakeholders that include investors, analysts, rating agencies, regulators and the press.
The benefits of ERM
[Diagram: three levels, from defensive to advanced]
• Transferring risk (defensive) – Report risk, analyse past risks, insure against risks
• Managing risk – Reduce losses, lower insurance costs, anticipate and mitigate losses
• Optimising risk (advanced) – Support objectives, improve earnings and cash flow, manage growth, capture opportunities
Examples of ERM Benefits
• Multimillion-dollar project undertaken once risk profile understood
• Offshore outsourcing program cancelled once high risk was assessed
• Natural hedge discovered
• Facilitated M&A process
• Reduced insurance rates
• Business line discontinued following correct allocation of credit failure and reputational knock-on impact of other businesses
• Decided not to discontinue product once risk was understood
• Price revisions implemented after a risk review demonstrated true cost of manufacture and delivery
Implementation considerations
Creation of an internal risk culture
An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to and style of risk management.
• It includes both an enterprise risk and an internal control culture
• It requires clear lines of responsibility, segregation of duties and effective internal reporting
• It requires high standards of ethical behaviour at all levels
• Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture
• It is the responsibility of both the board and senior management
Why plan?
• This is a major (significance, if not cost) programme
• So first confirm all the reasons for doing it!
  – Business improvement
  – Organisational change
  – Regulatory compliance
  – Risk mitigation
  – Shareholder/public image
  – Removal of specific risk situations
  – Company value
• You need strategic objectives and a benefits target
Business considerations
• The Board needs to develop and to communicate the long-term business risk vision and risk strategy.
• Moving towards a shared risk culture must be supported by a management of change process.
• It will affect all parts of the business, and all of these need to be aware of and committed to success.
Success depends on multi-level buy-in and cultural change.
Initial requirements
• Board and senior management education.
• Heads of department responsibilities.
• Firm-wide understanding of capital and compliance implications (benefits, threats and costs).
• Establishment of peer support (or pressure) group of champions.
• Awareness and support of programme.
• Supervisor relationship and support.
• Quick hits and ancillary benefits.
Start simply
“Arguably, some ERM frameworks are simply too complex for many community banks, given their traditional nature, structure, and business lines. However, creating an ERM framework does provide even the smallest institutions with a structured and disciplined approach to aligning strategy, processes, people, technology, and knowledge.”
Source: Federal Reserve Bank of Philadelphia
Commitment is needed from:
– Owners/shareholders
– The Board
– Senior management
– Departmental managers
– Audit, asset and liability management and compliance
– Human resources
– Staff
– Geographies
Plan for it now.
Some final case studies
One.Tel (2001)
• Created in 1995 as a youth-oriented telecoms carrier and service provider (land-lines, mobile and internet).
• By 2000 it was the 3rd largest Australian internet provider and was signing up subscribers very rapidly.
• One.Tel had gained its market by reselling the services of other providers and by aggressively discounting charges. However, the balance of payments and receivables was very narrow, perhaps even unfavourable at times.
• In mid-2000 its billing system failed under pressure of volumes and complex payment structures. This resulted in cash flow problems, as cash was not coming in to pay suppliers.
• In April 2001, directors (mis)forecast an AU$75M cash surplus by the end of the year. Directors and major shareholders began to sell shares.
• In June 2001 administrators were called in and staff were laid off.
Long-Term Capital Management
• In 1994, LTCM was founded based on the latest models from Nobel-prize winning economists Myron Scholes and Robert Merton.
• Major investors put in $1.3 billion: 80 founding investors with a minimum of $10 million each, including Bear Stearns President James Cayne.
• LTCM's strategy was convergence trading: finding government bonds mispriced relative to each other, taking long positions in the cheap ones and short positions in the rich ones.
• Differences in values were tiny, so the fund took large, highly-leveraged positions: equity of $5 billion and borrowings of over $125 billion.
• LTCM’s models showed that the long and short positions were highly correlated and so the net risk was small.
• In August 1998, Russia devalues and reneges on 281 billion roubles ($13.5 billion) of Treasury debt. The result is a massive "flight to quality", with investors flooding into the "risk-free" government bond market.
• LTCM was caught out by the "price" of liquidity: if it became more valuable (in the crisis) its short positions would increase in price relative to its long positions. This was an unhedged exposure to a single risk factor.
• The Federal Reserve Bank of New York organises a rescue package under which a consortium of leading investment and commercial banks.
And today’s sub-prime crisis
• Structured products: instruments devised on the basis of grouped assets rather than the credit standing of the entity concerned, and where the cash flows of the entity are used to pay off the lender.
• US investment banks bundle up large quantities of sub-prime, adjustable-rate mortgages (borrowers normally unlikely to get loans) into a securitized structured product and sell it to mainstream investors. These get high ratings from the credit rating agencies based on their underlying assets (property) and the issuing bank.
• Mortgage lenders borrow short on the inter-bank market and lend long to sub-prime clients, then bundle these loans and sell them as above. The market was competitive, but safe as long as the initial lender could sell on the loans, so spreading market risk!
• Mortgage defaults in the US increase due to economy and interest rate issues. A small number of sub-prime lending specialists get into trouble. The credit ratings become suspect.
• The big banks react by suspecting everyone of being in trouble and withdrawing from the interbank markets: a liquidity problem.
And finally
The Turnbull 10 questions for corporate risk management
1. Have you identified the potential business risks to the organisation?
2. Have you assessed the likelihood and consequence of the significant risk being realised?
3. Have you assessed those risks that could:
  • Damage your reputation?
  • Affect your market position?
  • Result in prosecution?
4. Have you established controls to manage significant business risks?
5. Have you established a positive culture for controlling the risks?
6. Have you established a contingency plan to mitigate disaster?
7. Have you established continuity management control arrangements?
8. Do you regularly audit compliance with control arrangements?
9. Do you regularly review these arrangements with respect to their adequacy and effectiveness?
10. Do you report annually on your risk and control measures?
Can you answer “YES” to all 10 questions?
Thank you
For questions – david.millar@prmia.org
Regarding membership or exams – support@prmia.org
www.prmia.org