3. Enterprise Risk Management ‐ Definition
• Risk Management: The sequence of activities aimed to reduce or eliminate an entity’s financial risk and
uncertainty
• Definitions of Enterprise Risk Management (ERM):
– Process to make consistent and conscientious risk management decisions at the entity rather than
any sub‐unit level. This process must, at a minimum, involve attempts to identify, measure, and
address risks in a manner consistent with the board and/or management’s preconceived articulations
of desired risk appetite and culture. – Integrated from below definitions
– Integrated approach to risk management that evaluates exposures at the entity rather than unit
level. Attempts to coordinate risk management duties to maximize efficiency and value added while
reducing hedging and other transaction costs. ‐ GARP
– Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the
activities of an organization in order to minimize the effects of risk on an organization's capital and
earnings. ‐ Investopedia
• Costs
– Identifying and aggregating
• Benefits
– Increased organizational effectiveness
– More effective risk transfer and reporting
– Improves business efficiency and performance
LO2‐5
4. Enterprise Risk Management ‐ Participants
• Participants in the ERM process typically include the Board of Directors, Senior
Management, Trading Room Management, Operations, Finance, and Risk Management.
• Board of directors: A group of individuals that are elected as…representatives of the
stockholders to establish corporate management related policies and to make decisions on
major company issues.
• Strong boards watch out for shareholders’ interests and proactively address “Agency Risk”
by:
– Maintaining majority independence from management…having strong representation
from shareholders and generally not allowing the CEO to also be Chairman of the board
– Limiting management’s ability to assume risks by reviewing the Risk Appetite
Frameworks (RAF)
– Establish Compensation Committee with goal of aligning compensation with RAF
– Establish Audit Committee with goal of ensuring financial statements reflect economic
reality
– Approve all major transactions
Board of Directors
LO2‐5
5. Enterprise Risk Management ‐ Participants
Board of Directors
Senior Management
• Approves business plans and targets
• Sets risk tolerance
• Establishes policy
• Responsible for performance
• Participants in the ERM process are interdependent
Trading Room Management
• Establishes & manages risk exposure
• Responsible for deal capture
• Signs off on official P&L
Operations
• Books and settles trades
• Reconciles Front/Back office
positions
• Prepares daily P&L via MtM
valuation of positions
Finance
• Develops valuation and
finance policy
• Ensures integrity of P&L
• Manages business planning
process
Risk Management
• Develops risk policies
• Monitors compliance to limits
• Manages risk committee
process
• Validates models
• Provides independent view of
risks
Interdependent
LO2‐5
6. Enterprise Risk Management ‐ Components
• Corporate Governance (including risk appetite)
– Best practices: Board and senior management succeed in communicating a meaningful RAF and have a clear understanding of the entity’s risks. Board is independent from management with strong representation from shareholders. Board risk committee independent from audit. Connection RAF with culture (real actions).
– Challenges: Building processes and culture needed to clearly communicate material risks. Conflict of interest between debtholders & shareholders
• Product Line Management (Accountability)
– Best practices: Line managers are able to make independent risk management decisions consistent with RAF
– Challenges: Appropriately applying the RAF to new risks and/or changing risk profiles. Clear line of responsibility and accountability
• Portfolio Management (holistic view of risks)
– Best practices: Quantification process and strategy applied take interactions across risks into account
– Challenges: Appropriately modeling and/or accounting for hedging and risk correlations
• Risk Strategy
– Best practices: Strategies are evaluated using cost/benefit analysis to determine which is most effective
– Challenges: Accounting for the opportunity cost and operational risks associated with hedging and other more complex strategies
• Risk Analytics (Quantification)
– Best practices: Approaches are consistent with purpose and appropriately acknowledge and communicate non‐quantifiable risks
– Challenges: Identifying all material risks, particularly those that are not easily quantifiable. Determining appropriate approach (ex. VaR vs Expected Shortfall….what confidence level)
• Data Technology
– Best practices: Fully integrated and standardized data warehouses
– Challenges: Building and maintaining the technological infrastructure to support risk quantification (i.e. measurement)
• Stakeholder management (market discipline)
– Best practices: Effective and transparent communication of risk management practices to all internal and external stakeholders
– Challenges: Lack of connection between stakeholder business planning and risk appetite
LO2‐5
8. RAF specifies the amount and type of overall risk an organization is willing to accept to obtain objectives
Challenges in determining RAF
• Qualitative vs Quantitative articulation of risk appetite
– Qualitative articulation requires continual review based on nature of the risks, potentially supported by
stress testing or other analysis
– Quantitative threshold (ex. entity sets maximum VaR)
• Accounting vs economic exposures
• Time horizon (ex. is the hedging strategy focused on short or long term profits)
• Consideration of the existing profile, risk capacity, risk tolerance, attitude toward risk
• Flexible enough to apply to full breadth of risks while also providing clear guidance on which strategy
to employ given the nature of the risk.
Best practices for implementing RAF
• Clear statement of risk appetite – First step of the Board in constructing the RAF.
• Communication in plain language – Visible participation from executives in setting and enforcing RAF
• Communication of limits ‐ Determining how limits are set (ex. notional size vs VaR) and
communicating background and reasons for limits.
• Responsibility for Risk – Clear delegation of risk to business unit managers
• Transaction approval – Individuals tasked with transaction approval should clearly communicate how
each transaction is consistent with the RAF
Establish Risk Appetite
Framework (RAF)
Step 1: ERM Process ‐ RAF
10. Quantifiable Risks:
• Credit Risk – The possibility of default by the counterparty to a financial transaction. Sub‐classes
include the risk of default, bankruptcy, downgrade, and settlement
• Interest Rate Risk – Risk of unfavorable movements in interest rates to both assets and liabilities
(closely related to foreign exchange risk)
• Liquidity Risk – Possibility of sustaining significant losses due to the inability to take or liquidate a
position at a fair price. Sub‐classes include funding liquidity risk and trading liquidity risk
• Market Risk ‐ Risk of loss from price or volatility movement in financial markets. Sub‐classes include
interest rate, equity, foreign exchange, and commodity.
Quasi‐Quantifiable Risks:
• Operational Risk – Risk of loss due to inadequate monitoring systems, management failure, defective
controls, fraud, or human error. May also include technology failures and natural disasters
• Model Risk – Risk that models used by the entity are mis‐specified or used inappropriately
• Legal and Regulatory Risk – Risk of lawsuits or a change in laws or specific regulations
• Business Risk – Risk of unexpected drops in revenue or increases in costs due to external factors such
as shifting supply/demand or disruptions in the supply chain.
• Strategic Risk – Risk of losses due to changes in business model and/or direction as caused by internal
executive leadership.
• Reputation Risk – Risk that the public will lose trust in the entity. Trust in this context refers to the
belief that the entity will both 1) be able to fulfill its obligations to creditors and counterparties and 2)
is ethical in its business dealings
Identify
Individual Risks
Step 2: ERM Process – Identify Individual Risks
11. • Key discussion topic for next two Lunch and
Learns:
– Part 2: Introduction to Risk Metrics –
September 10
– Part 3: Value at Risk vs Expected
Shortfall – September 24
• Common Risk Metrics
– Standard deviation (Volatility)
– Value at risk (VaR)
– Expected shortfall (ES, CVAR)
• Key decisions in constructing the measure
– Time period
– Confidence Level
– Estimation method
• Aggregation to the portfolio level
– Mapping of risk to common risk factors
in order to aggregate to entity level
Quantify
Risk exposure
Step 3: ERM Process – Quantify Risk Exposure
[Diagram: trades map to risk factors, which aggregate to the portfolio]
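An added example (not part of the original slides) that carries the slide's points through on numbers: trades are mapped to common risk factors, netted at the portfolio level, and VaR and expected shortfall are estimated by historical simulation at a chosen confidence level and time period. The factor history, the trades T1 to T3, the tail convention (VaR is the smallest loss inside the tail) and the square-root-of-time scaling are all assumptions made for illustration.

```python
import math

# Constructed sample data (not market data): daily moves of two common risk
# factors in basis points, over 20 trading days.
FACTOR_MOVES_BP = {
    "rates":  [3, -2, 5, -8, 1, 0, -4, 6, -1, 2, -12, 4, -3, 7, -5, 1, 2, -6, 3, -2],
    "equity": [10, -15, 20, -40, 5, -5, 12, -8, 3, -20, -60, 25, 9, -11, 14, -2, 6, -30, 18, 4],
}

# Hypothetical trades, each mapped to a P&L sensitivity per 1 bp factor move.
TRADES = [
    {"id": "T1", "exposure": {"rates": 500}},
    {"id": "T2", "exposure": {"rates": -200}},   # partial hedge of T1
    {"id": "T3", "exposure": {"equity": 100}},
]


def aggregate_exposures(trades):
    """Map trades to common risk factors and net the exposures per factor."""
    net = {}
    for trade in trades:
        for factor, sensitivity in trade["exposure"].items():
            net[factor] = net.get(factor, 0) + sensitivity
    return net


def pnl_series(exposures, moves=FACTOR_MOVES_BP):
    """Daily P&L implied by the factor history for a set of exposures."""
    days = len(next(iter(moves.values())))
    return [sum(exposures.get(f, 0) * moves[f][d] for f in moves) for d in range(days)]


def tail_losses(pnl, confidence):
    """Worst losses beyond the confidence level (estimation: historical simulation)."""
    losses = sorted((-p for p in pnl), reverse=True)
    n_tail = max(1, round(len(losses) * (1 - confidence)))
    return losses[:n_tail]


def value_at_risk(pnl, confidence):
    """Loss threshold at the confidence level: the smallest loss inside the tail."""
    return tail_losses(pnl, confidence)[-1]


def expected_shortfall(pnl, confidence):
    """Average loss given that the loss falls in the tail (ES / CVaR)."""
    tail = tail_losses(pnl, confidence)
    return sum(tail) / len(tail)


def scale_horizon(one_day_measure, days):
    """Time period: square-root-of-time scaling, assuming independent daily P&L."""
    return one_day_measure * math.sqrt(days)


def sum_of_standalone_var(trades, confidence):
    """Unit-level view: VaR of each trade on its own, simply added up."""
    return sum(value_at_risk(pnl_series(t["exposure"]), confidence) for t in trades)


if __name__ == "__main__":
    book = pnl_series(aggregate_exposures(TRADES))
    print(value_at_risk(book, 0.90), expected_shortfall(book, 0.90))
```

On this sample the portfolio VaR is lower than the sum of the stand-alone trade VaRs because the hedge in T2 is netted before the measure is taken, and ES is at least as large as VaR at the same confidence level.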
12. Step 4: ERM Process – Strategy
Strategy: Avoid, Transfer, Mitigate, Assume
• Avoid
– Description: Abstain from the market, counterparty, or practice
– Example(s): Board rejects management requests to relax underwriting standard to allow loan underwriting without proof of stated income.
– Limitations: May prevent entity from entering into profitable markets, counterparty relationships, or practices
• Transfer
– Description: Contractual shifting of a pure risk from one party to another
– Example(s): Entity transfers risk of counterparty A to counterparty B via a credit default swap (CDS).
– Limitations: May not remove all risk. In example, entity has exchanged risk of counterparty A default with counterparty B and may have basis risk if using a proxy CDS
• Mitigate
– Description: Systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence
– Example(s): Hedge interest rate risk using derivatives. Blocking emails sent to external email addresses
– Limitations: Derivatives are complex (operational risk) and can be costly. More on this topic during next
• Assume
– Description: Accept the risk and hold sufficient capital/liquidity commensurate with the risk
– Example(s): Board accepts management requests to relax underwriting standards. Forecasts of future losses are used to calculate increase in capital buffers.
– Limitations: Capital can be costly to hold. Critical that estimates of expected losses from risk are adequate.
13. Step 5: ERM Process – Monitor
• Risk Management is not a static process
– Must be initially set, continually monitored, and updated as needed
– Monitoring determines if risk management activities are consistent
with risk appetite
– Deviations in monitoring suggest that risk appetite or risk mitigation
process needs to be reviewed.
• Monitoring methods
– Backtesting and confidence intervals
– Stress testing
• Causes of Risk Management Failure
– Ignoring known risk
– Improper incorporation of risk
– Unidentified risk
Monitor Performance:
Amend as needed
14. Financial Disasters – Misleading Reporting Cases
• Case: 1976 ‐ Drysdale Securities borrows $300 million in unsecured funds from Chase Manhattan
– Cause: Drysdale misled Chase by exploiting a flaw in the system for computing the value of collateral
– Lesson: 1. Understand transaction risks 2. Build accurate valuation models 3. Employ a risk control function
• Case: 1992: Kidder Peabody’s head of gov’t bond trading desk, Joseph Jett, reported large artificial profits
– Cause: Jett misled KP by exploiting a flaw in system regarding PV of forward contracts on gov’t bonds.
– Lesson: 1. Understand trading strategies 2. Build accurate valuation systems
• Case: 1994: Nick Leeson at Barings Bank switched from hedged to speculative strategy to recoup losses
– Cause: Lack of operational oversight & dual role as trader & settlement officer allowed concealment of losses
– Lesson: 1. Employ operational oversight 2. Separate role of trader and settlement officer
• Case: 1997: John Rusnak at Allied Irish Bank hid losses by bullying the back office into not confirming trades
– Cause: Rusnak created fake trades to offset real trades in order to hide large currency positions
– Lesson: 1. Require immediate cash settlement in OTC markets 2. Same as Barings Bank
• Case: 1997: Union Bank of Switzerland lost millions from equity derivatives positions and exposure to LTCM
– Cause: Inadequate action from firm’s risk controllers. Dual role of Senior risk manager as head of quant analytics.
– Lesson: 1. Double check hedging strategies 2. Build accurate valuation models 3. Independent risk control team
• Case: 2008: Jerome Kerviel at Societe Generale lost billions from unauthorized trading activity
– Cause: Kerviel hid unauthorized trades by creating fake hedges that he hid by canceling just before review
– Lesson: 1. Build robust valuation systems that keep history of records
LO6
15. Financial Disasters – Large Market Movement Cases
• Case: 1991 – Metallgesellschaft’s failed stack‐and‐roll strategy caused cash shortage requiring an unwind.
– Cause: Cash flow timing differences between long dated shorts and short dated futures used to hedge
– Lesson: 1. Hedging price risk can still leave funding liquidity risk (LR) 2. Large positions have trading LR.
• Case: 1998 – LTCM’s extreme leverage, lack of diversification & inadequate risk models put LTCM in a cash flow crisis when Russian default created intolerable mark‐to‐market and margin calls
– Cause: LTCM’s relative value, credit spread & equity volatility strategies failed to consider extreme scenarios like Russian default which triggered concern with other countries. LTCM often did not post IM for OTC trades
– Lesson: 1. Require post & collect IM 2. Incorporate liquidation costs into prices in case of adverse events 3. Supplement VaR with stress testing when evaluating financial risk (ex. credit risk)
Financial Disasters – Customer Conduct Cases
• Case: 1991 – Bankers Trust (BT) provided Procter & Gamble with intentionally complex strategy for reducing funding costs using derivatives.
– Cause: PG failed to fully investigate the strategy which BT staff bragged about being misleading (calls were recorded)
– Lesson: 1. Tighter controls on dealing with clients and vendors 2. Record calls with caution 3. Match trades with client needs
• Case: 2001 – Enron was able to secretly borrow from JPM & Citi by shorting oil for future delivery in exchange for cash. Once uncovered, JPM and Citi paid hefty fines.
– Cause: It was revealed that JPM & Citi understood Enron’s intent, but participated in the transactions anyway so they would not be recognized as loans on the BS.
– Lesson: 1. Failure to perform due diligence can result in reputation risk 2. Avoid participating in inappropriate actions on the part of customers.
LO6
27. Risk Adjusted Return Measures
• Treynor measure = risk premium over systemic risk
– Appropriate for comparing diversified portfolios
• Sharpe measure = risk premium over total risk
– Always applicable because it uses total risk
• Jensen’s alpha = asset’s excess return over CAPM
– Appropriate for comparing portfolios with same beta
• Sortino ratio = variation of the Sharpe ratio that is
more appropriate for asymmetric returns.
– Replaces Rf with Rmin, a minimum acceptable return
– Replaces total risk with square root of mean squared
deviation (MSD) from Rmin
CAPM
Semi‐standard
deviation
LO10
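An added example (not part of the original slides) computing the four measures on one constructed return series, then on its mirror image around the mean, which has the same mean and total risk but the opposite asymmetry. The return figures, Rf and Rmin are constructed, and the Sortino denominator counts only returns below Rmin, following the slide's semi-standard deviation label.

```python
import math
from statistics import mean, stdev

# Constructed sample: periodic returns in percent (not real fund data).
PORTFOLIO = [4, -2, 6, 1, -3, 6]
MARKET = [3, -1, 4, 1, -2, 1]
RISK_FREE = 0.5   # Rf per period, percent (assumed)
R_MIN = 1.0       # minimum acceptable return for Sortino, percent (assumed)


def beta(asset, market):
    """Covariance with the market divided by market variance."""
    ma, mm = mean(asset), mean(market)
    cov = sum((a - ma) * (m - mm) for a, m in zip(asset, market))
    var = sum((m - mm) ** 2 for m in market)
    return cov / var


def treynor(asset, market, rf):
    """Risk premium per unit of beta."""
    return (mean(asset) - rf) / beta(asset, market)


def sharpe(asset, rf):
    """Risk premium per unit of total risk (sample standard deviation)."""
    return (mean(asset) - rf) / stdev(asset)


def jensen_alpha(asset, market, rf):
    """Average return in excess of the return CAPM predicts for this beta."""
    capm_return = rf + beta(asset, market) * (mean(market) - rf)
    return mean(asset) - capm_return


def sortino(asset, r_min):
    """Sharpe variant: Rmin replaces Rf, downside deviation replaces total risk."""
    # Mean squared deviation from Rmin, counting only returns below Rmin.
    msd = mean(min(0.0, r - r_min) ** 2 for r in asset)
    if msd == 0:
        return math.inf  # no return fell below Rmin
    return (mean(asset) - r_min) / math.sqrt(msd)


def mirrored(asset):
    """Reflect returns around their mean: same mean and volatility, flipped skew."""
    m = mean(asset)
    return [2 * m - r for r in asset]


if __name__ == "__main__":
    for name, series in (("original", PORTFOLIO), ("mirrored", mirrored(PORTFOLIO))):
        print(name, round(sharpe(series, RISK_FREE), 4), round(sortino(series, R_MIN), 4))
```

Both series print the same Sharpe ratio, while the Sortino ratio is lower for the original series, whose losses below Rmin are deeper.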
31. The Law of One Price and Arbitrage
• The Law of One Price: Identical assets selling in
different locations should be priced identically
• Arbitrage is the action of buying an asset in the
cheaper market and simultaneously selling that asset in
the more expensive market.
– Simultaneous trades should continue until the asset trades
at one price in both markets (i.e. arbitrage opportunity is
fully exploited)
– Net investment must be zero (long paid for with short)
– Risk free (Betas on long are offset by Betas on short)
– Return may equal or exceed risk free rate
• Arbitrage Pricing Theory (APT) assumes that:
– Return is derived from a multifactor model
– Unsystematic risk is completely diversified away
– No arbitrage opportunities exist.
LO11
33. Modeling Returns
• CAPM
– Describes expected returns as a function of the asset’s level of systemic risk (β)
– Special case of APT where the only factor is systemic risk.
– Steps to derive:
1. Recognize that investors are only compensated for Beta
2. Return is a linear function of β because E(Return) and β are weighted averages of assets
3. Use risk free asset and market portfolio (from SML) to solve for slope of CAPM
• Arbitrage Pricing Theory
– Describes expected returns as a linear function of exposures to common (i.e. macro) factors
– Macroeconomic factors are determined by the modeler
– Steps to derive:
1. Create Factor Portfolios (FP) ‐ Well diversified with exposure to only one factor
2. Derive returns for each FP – E(R1) corresponds to F1…etc
3. Derive risk premiums (F) – Where F1 = E(R1) ‐ RF
• Fama‐French 3‐Factor
– Describes excess returns above the risk free asset as a function of three factors:
1. Market return
2. SMB (i.e. Size) = Small firm returns Minus Big firm returns
3. HML (i.e. Book‐to‐market) = High BtM firms Minus Low BtM
– Rationale for SMB and HML is that both tend to have higher E(R)
– Special case of APT where specific factors are given.
– Steps to derive are similar to APT
Risk Premium
LO11
35. Impacts and dimensions of data quality
• Impacts from poor data quality
1. Financial: Lower revenues, higher expenses
2. Confidence‐based: Managers making incorrect business decisions
3. Satisfaction impacts: Customer and employee dissatisfaction
4. Productivity impacts: Reduced production output; delays
5. Risk impacts: Underestimation of risk
6. Compliance impacts: May not be in compliance (ex. Sarbanes‐Oxley)
• Dimensions of data quality (acceptable data)
1. Accuracy: Degree to which data reflects real world
2. Completeness: Extent to which expected attributes are provided
3. Consistency: Reasonable comparison of values across data sets. Three types:
1. Record Level – Consistency between one set of values within same record
2. Cross Record Level – Consistency in values across records
3. Temporal Level – Record level consistency across time
4. Reasonableness: Conformity with consistency expectations
5. Currency: Lifespan of data, is the data still considered useful or is it stale?
6. Uniqueness: May not be in compliance (ex. Sarbanes‐Oxley)
LO11
36. Operational Data Governance
• Operational data governance refers to the collective set of rules and
processes (i.e. program) regarding data that allow an organization to have
sufficient confidence in the quality of its data
• Data Quality Scorecard may help monitor the success of said program
– Processes for creating scorecard
1. Base‐Level Metric is any single quantitative measure using clear criteria
2. Complex Metric is any combined score potentially using weights of multiple scores
and may be customized to incorporate qualitative reporting. Scorecard could
report metric by 1. data quality issue, 2. business process, or 3. business impact.
– Motivation: Can provide management with warning signs and lead to corrective actions
– Mechanics: Can improve accountability by tying into hierarchy of organization
• Data Validation vs Data Quality Inspection:
– Data Validation is a one‐time step to determine if data conforms to defined business
specifications
– Data Quality Inspection is ongoing set of steps aimed to:
• Reduce number of errors to a tolerable level
• Spot data flaws and make appropriate adjustments
• Quickly solve the cause of errors and flaws
LO11
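An added example (not part of the original slides) of a small data quality scorecard: three single-measure scores taken from the dimensions on slide 35 (completeness, record-level consistency, currency) and one complex metric that combines them with weights. The position records, field names, weights, staleness limit and warning threshold are all constructed for illustration.

```python
from datetime import date

# Constructed sample position records (hypothetical fields, not a real feed).
RECORDS = [
    {"id": "P1", "qty": 100, "price": 10.0, "notional": 1000.0, "as_of": date(2024, 3, 29)},
    {"id": "P2", "qty": 50, "price": 20.0, "notional": 1100.0, "as_of": date(2024, 3, 29)},
    {"id": "P3", "qty": 10, "price": None, "notional": 300.0, "as_of": date(2024, 3, 28)},
    {"id": "P4", "qty": 5, "price": 8.0, "notional": 40.0, "as_of": date(2024, 3, 1)},
]
REQUIRED = ("id", "qty", "price", "notional", "as_of")
REPORT_DATE = date(2024, 3, 29)

# Assumed weights and warning threshold; a real scorecard sets its own.
WEIGHTS = {"completeness": 0.4, "consistency": 0.4, "currency": 0.2}
THRESHOLD = 0.70


def completeness(records):
    """Share of records in which every expected attribute is provided."""
    ok = [r for r in records if all(r.get(k) is not None for k in REQUIRED)]
    return len(ok) / len(records) if records else 0.0


def record_consistency(records, tolerance=0.01):
    """Record-level consistency: notional must agree with qty * price."""
    testable = [r for r in records
                if None not in (r.get("qty"), r.get("price"), r.get("notional"))]
    ok = [r for r in testable if abs(r["qty"] * r["price"] - r["notional"]) <= tolerance]
    return len(ok) / len(testable) if testable else 0.0


def currency(records, max_age_days=5):
    """Share of records whose as-of date is not stale at report time."""
    fresh = [r for r in records
             if r.get("as_of") and (REPORT_DATE - r["as_of"]).days <= max_age_days]
    return len(fresh) / len(records) if records else 0.0


def base_metrics(records):
    """One single-measure score per data quality dimension."""
    return {"completeness": completeness(records),
            "consistency": record_consistency(records),
            "currency": currency(records)}


def complex_metric(metrics, weights=WEIGHTS):
    """Weighted combination of the single-measure scores."""
    return sum(weights[name] * score for name, score in metrics.items())


def warning_signs(metrics, threshold=THRESHOLD):
    """Scores below the threshold, reported by data quality issue."""
    return sorted(name for name, score in metrics.items() if score < threshold)


if __name__ == "__main__":
    scores = base_metrics(RECORDS)
    print(scores, round(complex_metric(scores), 4), warning_signs(scores))
```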
38. Risk Data Aggregation
• Benefits:
– Anticipate Problems by understanding risks holistically
– Identify routes to return to financial health in times of stress
– Improves resolvability in the event of bank stress or failure
– Increase efficiency, reduce chance of loss, and ultimately improve profitability
• Principles
1. Governance
2. Data architecture and IT infrastructure
3. Accuracy and Integrity
4. Completeness
5. Timeliness
6. Adaptability
7. Accuracy
8. Comprehensiveness
9. Clarity and usefulness
10. Frequency
11. Distribution
LO13
43. GARP Code of Conduct
LO14
• GARP Code of Conduct contains a set of key principles designed to support
financial risk management practices.
– Developed for FRM and other GARP certifications.
– When encountering situation not specifically addressed in code, act ethically
• Principles
1. Professional Integrity & Ethical Conduct: Act ethically with everyone, maintain appearance
of independence (ex. avoid gifts), don’t be deceptive, don’t compromise GARP or FRM
(ex. cheating on exam)
2. Conflicts of interest: Act fairly and disclose conflicts of interest
3. Confidentiality: All work is confidential unless given permission by employer/client
• Professional Standards
1. Fundamental Responsibilities: Do not knowingly disobey rules. Can’t delegate ethical
responsibilities, provide risk management advice that suits the employer/client. Don’t
overstate accuracy or certainty of results
2. Adherence to generally accepted (Best) practices in risk management: Perform all
work in a manner that is independent from interested parties (be objective). Keep up
with best practices and clearly state any departure from best practices, distinguish
between fact and opinion
45. Hedging: A Risk Mitigation Strategy ‐ Definition
• Definition: A risk mitigation strategy used to neutralize risk by entering into an
offsetting position to an existing investment.
• Hedging is often accomplished using derivatives.
• Advantages
– Lower earnings volatility – This improves market capitalization and in turn can reduce costs of
capital
– Increase certainty of operational costs such as commodity prices (also related to earnings
volatility)
• Disadvantages
– Complexity – Failed strategies can result in worse outcomes than assuming the underlying
risks (i.e. higher operational risks)
– Costs – Hedging strategies can be costly to implement, monitor and maintain.
• Key questions:
– Are the risks of hedging consistent with risk appetite (i.e. RAF)?
– What are the counterparty risk exposures and associated capital costs?
– What are the liquidity and tax implications?