Dubai Nov08 Erm Gs Khoo


This file contains info related to my presentation on ERM implementation in the context of financial & regulatory convergence - requirements from SOX, Basel 2, COSO, and IAS/IFRS

  1. Structuring ERM for Your Organization in an Era of Regulatory Convergence (Basel II, SOX, COSO, IAS): ERM from a Risk-Return Perspective
     Guan Seng Khoo, PhD, Head, Group Risk (Models Validation), Standard Chartered Bank
  2. Agenda
     • Introductory Remarks: ERM from a Risk-Return Perspective
     • Identifying the top risks of your organization
     • How to develop an appropriate ERM framework: Speaking the Same Language; an integration-centric approach; implementing a common risk language that is “aggregatable” & flexible
     • The Structure to Governing Risk (Proposed)
     • Developing the KPIs to measure the result of your ERM framework
     • How to achieve balance on cost of compliance
     • Concluding remarks
  3. [Diagram: interlinked risk drivers and risk types: high oil price; economic slowdown / credit crunch; strategic and business risk; market risk; credit risk; hedging; earnings volatility; regulatory / reputation risk; operational risk; staff turnover and HR operational risk]
  4. Liquidity & Enterprise Risk Management Organization
     [Diagram: a four-step cycle across divisions, facilities and units. 1. Identify principal business risks (envisioning meeting; risk mapping; data from past losses and from prior studies). 2. Develop enterprise-wide risk profiles (loss exposure and risk contribution by division and facility; annualized loss frequencies rated Major / Moderate / Minor; expected loss). 3. Prioritize risk (criteria for priority by loss event, assets, people and systems; who decides acceptability; certainty of risks; how quickly to resolve). 4. Identify options for mitigation (loss control / mitigation; insurance; risk financing alternatives; risk response plan and actions; who implements solutions).]
  5. 1. Introductory Remarks: Always Bear in Mind to be Never Complacent
     • Even during good times, unexpected negative events can occur – stressed environments! Recall:
       • Space shuttle Columbia
       • Tsunami tidal wave & impact in SE & South Asia
       • London 7/7, New York 11/9, etc.
       • Mumbai flood July 2005 – no BCP
       • Hurricane Katrina – impact on oil and lifestyle in Asia
       • Sustained high oil prices
       • Toxic mortgages / subprime contagion
  6. Reminder
     • Any EWRM framework must consider the potential impact of crises.
     • Preparation & implementation should be based on the old military saying, “the more you sweat in peace the less you bleed in war”.
     • That is, EWRM implementation should have a comprehensive program to test portfolios, staff readiness, systems, processes, etc., so as to be better prepared when an unexpected negative event occurs.
     • Initial assessment/test of the attributes of an institution’s portfolio of infrastructure, human resources, systems and processes to withstand scenarios that are likely to occur, and calculation of the losses should a crisis come to pass – test first to unearth the inefficiencies & loopholes.
  7. What You Hope to Achieve
     • Every organization is different and has its own priorities with respect to the risks and challenges it faces and the impact they will have.
     • However, the greatest challenge has always been the internal environment and the “silo” mindset of the organization, with different groups having their own agendas and priorities.
     • This presentation also proposes some strategies to help overcome the challenges posed by this type of organizational culture, namely:
       • Obtain “buy-in” from senior management & the BOD
       • Illustrate a possible outcome that is aligned with regulatory reporting requirements and also value-adds to the enterprise’s information management process
       • To implement, be aware of the demanding and constraining environment of diverse regulatory and supervisory expectations, e.g., Basel II, IAS and SOX
       • Implementation must take into account overlapping issues and aggregate the risk measures in order to have a bird’s-eye view of the enterprise
       • Implementation should be straightforward and simple in terms of outcome and reporting
       • Strong guidance & leadership are critical to a (reasonably) successful implementation
  8. ERM from a Risk-Return Perspective: Value-for-Money
     • Risk-Return considerations in 3-D ⇒ pro-active risk management, instead of being reactive:
       • Opportunity, e.g., cut down on fraud, enhance reputation and market growth, etc.
       • Uncertainty, e.g., impact of regulatory changes, occurrence of fraudulent activity, etc.
       • Threat, e.g., high oil prices, terrorism, etc.
  9. Risk in 3 Dimensions
     • Every risk event can potentially lead to an “upside” return, the status quo or a “downside” loss.
     • Hence, ERM isn’t just about negative risk containment or avoidance,
     • but also about strategizing to leverage risk awareness and activities to enhance returns,
     • to ensure the corporation’s growth and business continuity and to outperform the average.
  10. 2. Identifying the Top Risks of Your Organization
     • In order to identify and prioritize the top risks, first measure or quantify them
     • Use an ERM matrix based on global best practices and accepted principles
     • Look for guidance from experts (internal or external)
     • Categorize all possible risks & stakeholders
     • Localize the risk concentrations and further analyze these risks based on probability and impact at the different levels and hierarchies of the organization
  11. Establishing ERM Risk Categories Defined by the Regulatory Agencies
     OCC Risk Categories   | Fed Risk Categories
     Credit Risk           | Credit Risk
     Interest Rate Risk    | Market Risk
     Liquidity Risk        | Liquidity Risk
     Price Risk            | Operational Risk
     Foreign Exchange Risk | Legal Risk
     Transaction Risk      | Reputational Risk
     Compliance Risk       |
     Strategic Risk        |
     Reputation Risk       |
     * Stick to prescribed regulatory definitions: removes ambiguity, don’t re-invent
     * For the BOD and senior management: ease of understanding & buy-in
  12. Next Steps: Understand your risk, your goals, and your priorities
     • Based on the risk appetite & ERM matrix, concentrate on the core risks that the organization must either accept, prevent from occurring, lessen the impact of if they occur, or mitigate by transferring the risk away from the key tasks.
     • Each risk is then analyzed by assigning it weighting factors such as those shown in the following matrix.
     • This matrix weighs the probability of a risky event: the risk that it will occur only once (Low, Medium, High) as well as the risk that it will occur multiple times (Low, Medium, High).
     • The matrix also weighs the impact, should the event occur: the impact on a single department or product (Noticeable, Moderate, High) as well as the impact on the entire company or division (Noticeable, Moderate, High).
     • The total risk of an event is the product of the probability and the impact. This step gives us an objective approach to prioritizing risk and deciding how the risk can be managed.
  13. [Matrix figure] Prioritizing in terms of, e.g.: exposure loss; cost of recovery; reputation; etc.
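As an added worked example (not code from the presentation), the matrix of slides 12 and 13 applied to a constructed risk register: each entry carries the slide's two probability ratings and two impact ratings, total risk is their product, and the register is ranked against a tolerance. The 1..3 weights, the choice to take the larger of each pair of ratings, the tolerance value and the register entries are assumptions, since the slides name only the rating levels.

```python
"""Risk prioritization matrix (slides 12 and 13), as an added worked
example; it is not code from the presentation.  Total risk is the
product of a probability score and an impact score, as the slide states.
The slide does not say how its two probability ratings (occurs once /
occurs multiple times) or its two impact ratings (single department or
product / entire company or division) are combined, so this example
takes the larger of each pair; that choice and the 1..3 weights are
assumptions."""
from dataclasses import dataclass

# Ordinal weights for the rating levels named on the slide (weights assumed).
PROBABILITY_LEVELS = {"Low": 1, "Medium": 2, "High": 3}
IMPACT_LEVELS = {"Noticeable": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    occurs_once: str        # probability it occurs only once: Low/Medium/High
    occurs_multiple: str    # probability it occurs multiple times: Low/Medium/High
    unit_impact: str        # impact on a single department or product
    enterprise_impact: str  # impact on the entire company or division


def _weight(table: dict, level: str) -> int:
    """Look up a rating level, rejecting anything outside the matrix."""
    try:
        return table[level]
    except KeyError:
        raise ValueError(f"unknown rating level {level!r}; expected one of {sorted(table)}")


def probability_score(risk: RiskEvent) -> int:
    return max(_weight(PROBABILITY_LEVELS, risk.occurs_once),
               _weight(PROBABILITY_LEVELS, risk.occurs_multiple))


def impact_score(risk: RiskEvent) -> int:
    return max(_weight(IMPACT_LEVELS, risk.unit_impact),
               _weight(IMPACT_LEVELS, risk.enterprise_impact))


def total_risk(risk: RiskEvent) -> int:
    """Total risk = probability x impact (1..9 with the weights above)."""
    return probability_score(risk) * impact_score(risk)


def prioritize(risks, tolerance: int):
    """Rank a risk register highest total risk first and flag entries above
    the tolerance.  Ties are broken by impact, so a rare but enterprise-wide
    event outranks a frequent but local one with the same product."""
    ranked = sorted(risks, key=lambda r: (total_risk(r), impact_score(r)), reverse=True)
    return [(r, total_risk(r), total_risk(r) > tolerance) for r in ranked]


# Constructed sample register; the names and ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskEvent("Internal fraud in payments", "High", "Medium", "High", "Moderate"),
    RiskEvent("Staff turnover in the models team", "Medium", "High", "Moderate", "Noticeable"),
    RiskEvent("Late regulatory report", "High", "High", "Noticeable", "Noticeable"),
    RiskEvent("Data centre power failure", "Low", "Low", "High", "High"),
]

if __name__ == "__main__":
    for risk, score, breach in prioritize(SAMPLE_REGISTER, tolerance=4):
        flag = "ABOVE TOLERANCE" if breach else "within tolerance"
        print(f"{score:>2}  {risk.name:<36} {flag}")
```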
  14. 3. How to Develop an Appropriate ERM Framework: The ABC of ERM Implementation
     • Internal environment challenges
     • Getting the buy-in
     • Mindset change management:
       - From a silo-based to an enterprise-wide holistic view
       - From a rules-based to a performance-based environment
     • How to overcome (some suggestions):
       - SAP: show a possible outcome
       - KISS, e.g., speak the same, simple language
       - CLICK: provide creative leadership & strong guidance with conviction & know-how
  15. SAP – Show a Preview
     • No matter how global or sophisticated your organization is, when you are embarking on an ERM implementation, engagement is the key to gaining the buy-in from all levels of the organizational hierarchy – easier said than done though!
     • One approach is to illustrate to the key personnel at all levels a prototype model of what they are going to get and how they can benefit from it (the preview). The prototype can first be developed in-house by a project team that will eventually lead and drive the implementation program. Alternatively, it could be based on an existing solution or system used by other organizations ahead of the implementation curve, to which the project team has access. This initial effort in prototyping an interim system or model that can be shown to senior management or directors in the form of an ERM cockpit or dashboard (à la a movie poster) brings a lot of benefits to the subsequent deployment and implementation of the ERM system.
     • Firstly, much of the effort to produce the prototype will help the project team establish a foundation to support the creation of an ERM manual that will serve as the reference point for the management policies, procedures, and practices governing the initiation, definition, design, development, deployment, operation, maintenance, enhancement, and retirement of the ERM system.
  16. SAP – Show a Preview 2
     • Secondly, the preview of the ultimate ERM system provides visibility and transparency to the whole exercise, enhancing the confidence of the directors and senior management, as it also gives them a first “taste” (encounter) of the final solution. More importantly, it also provides an avenue for them to be critics, so that they can give constructive feedback on the strengths and weaknesses of the interim system, which ultimately will be used by them – indirectly, through their feedback and input, they also become stakeholders of the ERM implementation project.
     • Thirdly, the preview allows for the identification and validation of an opportunity to improve the business accomplishments of the organization, or of a deficiency related to the ERM project specification; the identification of significant assumptions and constraints on solutions to that need; and a recommendation to explore alternative concepts and methods to satisfy the need.
  17. Corporate Performance Cockpit
     [Dashboard figure with callouts: the actual value of “Asset Turnover Ratio” is 39, pointed out by the black needle; the actual value is calculated as the average of all subsidiaries in year 2004; the values 10 and 20 are the two threshold values of the interest expense ratio.]
  18. Example: ABC Bank KRIs & KPIs
     [Table, columns: Risk Assessment | Risk Indicators | Near Misses | Losses | Performing Indicators]
     Risk Assessment: lack of products; lack of expertise; slow response time; no targeted market; lack of risk-based pricing; etc.
     Risk Indicators: Op Expense; Debt to Asset; Market Share; Share price of parent; NPL & LLP; Asset turnover
     Near Misses / Losses: Internal Fraud; etc.
     Performing Indicators: focus on business process improvements; enhance internal controls (checks & balances); rate of ROE; RAROC; etc.
  19. KISS – Keep It Simple, Stupid
     • Another key consideration is simplicity. The final ERM system should be easy to use and:
       • emphasize user friendliness over ease of technical design and application software development
       • stick to prescribed terminologies understood by all, e.g., establishing ERM risk categories that have already been defined by the regulatory agencies, in order to reduce ambiguity among the stakeholders and users of the ERM
       • provide easier, secure, reliable access to data
       • tailor management information reports to customer needs
       • provide automated tools to facilitate end-user access to and use of data
       • provide readily available help within the application software and provide for computer-based training modules
       • reduce the reliance on paper
       • provide easier, secure access to and management of electronic records, e.g., digital access rights management
     • While the ERM system could be quite granular in terms of the depth of information to be retrieved and displayed, the project team should always bear in mind that at the senior management and directors’ level, the big picture is more critical. Hence, the ERM should allow for customization and access along the different levels of usage across the organizational hierarchy, so that line managers, auditors and directors can access the same repository of information but view it differently according to their needs and functional roles – different access rights can be put in place.
  20. ERM Implementation in the Context of a Diverse Regulatory Environment (Basel II, IAS, SOX, etc.): the “Speaking the Same Language” (SSL) Principle
  21. Why Comply?
     “...Simply complying with the rules is not enough. … if companies view the new laws as opportunities - opportunities to improve internal controls, improve the performance of the board, and improve their public reporting— they will ultimately be better run, more transparent, and therefore more attractive to investors.”
     William Donaldson, SEC Chairman, 4 November, 2004
  22. Integration of Risk & Finance: Synergy Examples
     [Diagram: integration-centric approach linking the regulations]
     Basel II: Advanced IRB Approach for Credit Risk; AMA for Operational Risk; Pillar 2 & 3 Risk Mitigation
     IAS: Fair Value Accounting; Impairment value; Loan Impairment; Hedge effectiveness; Income recognition
     SOX: Internal controls effectiveness testing; Internal controls disclosure
     IPSB: High level standards; Liquidity risk; PRMR; PRCR; PROR
     Linked through: Organizational Structure; Controls Testing; Integration-Centric Approach
     • Whether it is SOX, Basel II, International Accounting Standards (IAS), etc., integrating information in support of compliance is not a one-off proposition.
     • Compliance requires ongoing and constant enforcement.
     • It’s never a matter of simply checking a box and then moving to another project.
     • Compliance-driven requirements are usually phased in, evolve constantly, and invariably become more complex and stringent over time.
     • An integration-centric approach enhances the flexibility, and thus the value, of such an architecture, because you can design the data integration capabilities necessary to meet whatever happens regulation-wise.
     • You have a supple, adaptable and (over time) familiar framework for integrating new data and types of data in new ways.
     • In contrast, a non-integration-centric approach means having to re-collect data for each new compliance mandate that comes along.
     • An integration-centric approach allows institutions to standardize their risk language in terms of the underlying Basel II risk-compliance categories or items and the overlapping risk parameters in the context of associated regulations (SOX, IAS, etc.).
  23. Time-Series Analysis for Hedge Effectiveness Test [figure]
  24. Basel II-compliant Integrated Approach to Risk Management – Risk Models & Measurements
     [Architecture diagram] Key: calculation engines act on the Basel 2 loss distribution to yield the PD (PE), LGD (LE), EAD and VaR, as well as EC (CaR).
     Data sources: Ratings; Basel 2 Calculators; IAS; Regulatory; Internal; Market & External; Shared data
     Engines: Basel II Severity Calculation Engines; Frequency; IAS Calculation Engines; Financial and Management Accounting (GL)
     Outputs: Regulatory Reporting Data Mart; Reporting / Reports; Disclosure
     Monte-Carlo economic capital (EC) by simulation scenario type (adjust the severity & frequency distribution per scenario, then take the average economic capital):
       - De-pegging of USD/RMB: CaR1
       - Asian financial crisis / pandemic flu: CaR2
       - Terrorist threat & rise in NPL: CaR3
       - Succession & general election: CaR4
       - Sectoral distress, e.g., dotcom bust: CaR5
       - Fall in FDI (threat from China/India): CaR6
       - Bank merger & loss of market share: CaR7
  25. Illustration: Implementing a Common Risk Language that is Flexible & “Aggregatable”
     [Table mapping risk event types (Basel II Level 1 category, Level 2 event) to the common risk language, with illustrations]
     People risk – Internal Fraud (Unauthorized Activity; Theft & Fraud); Employment Practices & Workplace Safety
     Process risk – Clients, Products & Business Practices (Disclosure; Fiduciary; Improper Business Practices); Execution, Delivery & Process Management (Transaction Capture; Execution; Monitoring & Reporting)
     Systems risk – Business Disruptions & System Failures (Hacking; Phishing)
     External – External Events; External Fraud
     Common risk language: Internal Audit Risk; SOX Risk; IAS Risk; Compliance Risk; Operational Risk; Basel II; etc.
     Illustrations: firm enters into a business relationship with inappropriate parties or does not accurately profile the client; misstatement of client fees; overstatement of hedge effectiveness or fair value measurement; firm opens accounts with persons intending to launder money and does not detect, report or record suspicious activities by its customers; failure to follow the firm’s policies & procedures
  26. The ERM matrix provides:
     - a single enterprise-wide view that encompasses the regulatory definition of risk categories
     - ratings across the whole hierarchy of the organization
     - comparative analysis
     - segmented information for IA as well
     - simplicity & ease of use
  27. CLICK – Creative Leadership with Insight, Commitment & Know-how
     • No matter how good the planning, budgeting and resource provisioning are, if the ERM implementation is performed by the “blind leading the blind”, e.g., buying an off-the-shelf system and models, and with a lack of conviction and commitment, the final outcome will be a white elephant.
     • Risk management must be applied to all phases throughout the life cycle of the implementation. Risk, as used in project management, is associated with a lack of resources, information, and/or control. Risk management is distinguished from “problem management” in that risk management is concerned with situations that may or may not occur, whereas problem management is concerned with known difficulties that result from a risk having occurred. An analysis of risk, and any strategy adopted to control risk, should at least consider the effect of one or more of three factors: lack of resources (such as personnel or funding); lack of information (for example, completeness and confidence); or lack of control over the decision-making process (such as external project decisions affecting the project plans and assumptions).
     • Applying risk management to the ERM production or infrastructure system stage includes considering backup and recovery in service level agreements and plans. Management responsibility for a risk must be assigned to individuals and units that can affect the risk’s root causes. The Project Manager shall be responsible for managing project risks over which the Project Manager can exert direct control.
     • Risks that affect the project but are not under project control shall be explicitly assigned to either the Program Sponsor or the CRO, as appropriate. Situations external to the project that could be sources of risk to the project shall be coordinated through the Project Manager. Risk shall be a consideration in Review Board and management decisions. Project risk situations, plans, and progress against risks must be considered at all project reviews.
     • Strong guidance must come from the Program Sponsor, Project Manager and team so that the ERM implementation is carried out with a clear view of the objective and an insightful understanding of what it hopes to achieve. Coupled with the commitment of the team and management, the backing of the whole enterprise, and the strong political will of the stewards and stakeholders of the ERM project, the likelihood of a successful implementation will be enhanced.
  28. Establishing ERM: The 7 Elements of the Risk Management Process, aka “The 7 Habits of Highly Effective Risk Managers”
     • Board Involvement: an active board of directors reviews strategic alternatives, develops corporate objectives and then formally approves policies. It also evaluates whether the business is being properly managed.
     • Risk Management Policies: provide broad guidance within which senior management operates and executes the firm’s objectives.
     • Senior Mgt. Involvement: senior management then develops strategies consistent with corporate objectives and policies, and ensures that their execution is supported by an effective decision process.
     • Decision-Making Process: the decision process is backed by adequate analytical support and information management infrastructure.
     • Analytics: the analytical support utilizes efficient models which analyze both qualitative and quantitative data.
     • Reporting / Monitoring: the analytical process in turn generates ongoing reports for performance monitoring, benchmarking and further consequent actions.
     • Internal Controls: all of the above take place within a strong and practical internal control regime.
  29. Incorporating the 6 Principles of Shareholder Value, aka “6 Sigma”
     [Diagram: six principles feeding Enhanced Shareholder Value: Planning; Paying for Performance; Measuring Performance; Pricing Products; Prioritising resources; Providing for risk]
  30. WHAT (do you have) in terms of “Hard” & “Soft” Infrastructure:
     • Corporate Culture
     • People
     • Process
     • Technology: Systems & IT
  31. ERM Infrastructure: Enterprise Component View
     [Component diagram of a Risk Decision Support System, arranged against the 7 elements (Board Involvement, Risk Management Policies, Senior Mgt. Involvement, Decision-Making Process, Analytics, Reporting / Monitoring, Internal Controls)]
     Methodologies: Quantitative (Linear/Non-Linear (AI), Extreme Value Theory, etc.); Qualitative (Expert Judgment, Structured Scenarios)
     Reporting: Consolidation & Document Management
     Engines (Technology & Know-How): Market Intelligence; Policy; Client MS; Simulation; Surveillance; Scoring/Rating; Scenario Analyzer; Search; Portfolio Mgmt
     Foundation / Infrastructure (“Mindware”): Warehouse; DataMart; DataScrub&Cleanse; DataSorter; DataArchival; DataFeedManager; DataStream
  32. Balanced ERM Implementation Approach
     [Diagram balancing Soft and Hard elements: Soft – Strategy, Mind, Innovation, Reporting, Training, Flexibility, Managing Expectations, Data; Hard – Model, Calculator, IT, Physical, Human Resources; “SOFT”WARE, “MIND”WARE, “HARD”WARE, “HEART”WARE]
  33. 4. The Structure to Governing Risk: EWRM Infrastructure Fundamentals
     [Diagram: 3-in-1 basic pillars – Process, Technology, People – within Corporate Culture]
  34. The 4 Pillars & EWRM Success
     Pillar 1 – People: the greatest challenge is not having the human resource expertise in terms of depth & breadth (e.g., BI implementation in ERM). Hence, advisory services & training should be part & parcel of good ERM project management: managing governance expectations, e.g., transfer of expertise, mindset change management.
  35. HR/People Responsibility Governance Framework in EWRM
     • HR Implementation Program
       – Providing support for networks, systems (ref. ISO17799)
       – Periodic assessment of risk
       – Policies/procedures to address security risks and implementation obstacles; full lifecycle
       – Operational awareness training
       – Periodic testing; remedial action commensurate with risk; processes integrate with operations
       – Incident response procedures
       – Business continuity plans
     • Board responsibilities
       – Strategic oversight; alignment
     • CEO responsibilities
       – Assign responsibility/accountability/authority; oversee compliance and implementation
     • Executives’ responsibilities
       – Project implementation
     • Senior Managers’ responsibilities
       – Risk assessment; implement policies; oversee implementation operations
     • All employees’ responsibilities
       – Awareness; compliance; reporting
     • Reporting
       – Adequacy, effectiveness, acceptable residual risk reported to executives
       – Independent evaluation reported to the board
  36. Business Process Governance
     Pillar 2 – Process: workflow checklist of critical business processes in project implementation; design a process data-warehouse**; ERM managers/supervisors check that the parameters and conditions used to evaluate key risk measures are sound and rigorous – how? Business Process Management: assessment of process workflow and scenario analysis, complemented by documentation & policy manuals.
  37. Process Performance = Indicators + Processes
     [Diagram: Enterprise Performance = Performance Indicators (WHAT: results) + Process Chain (HOW: history; WHY: causes); Business Performance / Business Process Intelligence / Business Intelligence]
     Finance & balance (static indicators): Liquidity / Cashflow; Return on Investment; RAROC; ROA
     Process indicators: Time; Cost; Quality; Price Risk
     Example process chain (SETS/OMAR order handling): Enter Customer SETS order → Order entered (order is for Large Caps and selected MidCaps; trading can be done automatically) → Match SETS order (data transferred to OMAR) → Check Customer OMAR order → Order checked (trading completely filled) → Complete Customer OMAR order → Order completed
  38. Technology Infrastructure Readiness
     Pillar 3 – Technology: the third pillar seeks to leverage the ability of technology to provide discipline and consistency, helping ERM personnel and staff optimize the business processes via the appropriate enabling tools & systems. Hence, the ERM team performs stress tests to ensure ERM implementation adequacy in times of shocks or unforeseen obstacles, and to enhance the transparency & reputation of project management delivery.
  39. Scenario Analysis
     [Flow diagram] Causes (failure of relevant key risk factors, KPIs/KRFs) → Scenario (potential event) → Evaluation:
       - Severity of potential loss: range of severity; typical severity
       - Frequency of potential loss: range of frequency; typical frequency
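As an added worked example serving both the simulation scenarios of slide 24 and the severity/frequency evaluation of slide 39 (not the bank's calculation engine), the following frequency-times-severity Monte Carlo builds an annual loss distribution per scenario, reports a CaR per scenario and the average economic capital, and shows the "adjust severity & frequency distribution" step as a rescaling of the scenario parameters. The Poisson and lognormal distributions, the 0.999 confidence level, the scenario parameters and the currency unit are all assumptions; only the scenario names come from the slide.

```python
"""Scenario-based Monte Carlo economic capital (slides 24 and 39), as an
added worked example; it is not the calculation engine from the
presentation.  Each scenario is described by a frequency distribution
(loss events per year) and a severity distribution (loss per event); the
pair is sampled many times to build an annual loss distribution, and
capital-at-risk (CaR) is the loss at a high confidence level in excess
of the expected loss.  Poisson frequency, lognormal severity, the 0.999
confidence level and all scenario parameters are assumptions."""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # Poisson mean: the "typical frequency"
    typical_severity: float  # lognormal median: the "typical severity"
    severity_spread: float   # sigma of log-severity: drives the "range of severity"


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def annual_loss(rng: random.Random, s: Scenario) -> float:
    """One simulated year: draw the event count, then a severity per event."""
    count = poisson(rng, s.events_per_year)
    mu = math.log(s.typical_severity)
    return sum(rng.lognormvariate(mu, s.severity_spread) for _ in range(count))


def quantile(values, q: float) -> float:
    """Nearest-rank empirical quantile of a sample."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def capital_at_risk(s: Scenario, confidence=0.999, years=10_000, seed=7):
    """Return (expected loss, CaR) where CaR = loss quantile minus expected loss."""
    rng = random.Random(seed)
    losses = [annual_loss(rng, s) for _ in range(years)]
    expected = mean(losses)
    return expected, quantile(losses, confidence) - expected


def stressed(s: Scenario, frequency_mult: float, severity_mult: float) -> Scenario:
    """Slide 24's 'adjust severity & frequency distribution': rescale the
    frequency mean and the severity median to obtain a harsher scenario."""
    return Scenario(f"{s.name} (stressed)", s.events_per_year * frequency_mult,
                    s.typical_severity * severity_mult, s.severity_spread)


def average_economic_capital(scenarios, **kwargs):
    """CaR per scenario plus the 'average economic capital' across them."""
    cars = {s.name: capital_at_risk(s, **kwargs)[1] for s in scenarios}
    return cars, mean(cars.values())


# Scenario names from slide 24; the parameters are constructed for this
# example (severity in millions of a notional currency) and are not the bank's.
SCENARIOS = [
    Scenario("CaR1 De-pegging of USD/RMB", 0.5, 2.0, 1.0),
    Scenario("CaR2 Asian financial crisis / pandemic flu", 0.2, 10.0, 1.2),
    Scenario("CaR3 Terrorist threat & rise in NPL", 0.3, 5.0, 1.0),
]

if __name__ == "__main__":
    per_scenario, average = average_economic_capital(SCENARIOS)
    for name, car in per_scenario.items():
        print(f"{name:<45} CaR = {car:8.2f}")
    print(f"{'Average economic capital':<45} {average:8.2f}")
    base = SCENARIOS[0]
    print(f"{base.name} stressed x2/x2 CaR = {capital_at_risk(stressed(base, 2.0, 2.0))[1]:.2f}")
```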
  40. ERM Project Management Governance
     For each area, evaluate the adequacy of the control in place for the following risks:
     • Project Governance: 1. Lack of procedures leads to inconsistencies of approach, and potentially project failures or inefficiencies. 2. Not sponsored by the business or out of scope. 3. etc.
     • Financial Management: 1. Costs associated with the project are unknown or inconsistent. 2. Costs are not being recorded properly, leading to inaccurate financial reporting. 3. etc.
     • Quality Management: 1. Quality is not an integral part of the project. 2. Poor quality procedures may lead to poor deliverables and customer dissatisfaction. 3. etc.
     • Monitoring & Reporting: 1. Progress against plan and budget is not monitored, leading to possible loss of management control.
     • Project Close-Down: 1. The project has delivered acceptable products within time and cost. 2. Poor security or controls can lead to loss of confidentiality, integrity or availability of information services. 3. etc.
     • Project Planning: 1. Plans are unreadable and difficult to manage. 2. Poor plans lead to increased costs and delays. 3. etc.
     • Risk & Issue Management: 1. Risks and issues are identified and managed. 2. etc.
  41. The +1 Pillar: Corporate Culture
     • Strengthening corporate governance from the viewpoints of: boards of directors; management; internal control functions; overcoming silos
  42. Achieving a usable & relevant ERM system?
     • No one answer (depends on scale of implementation, location, global or localized, etc.)
     • Ability to standardize & measure project implementation risk-based indicators based on some key criteria:
       - risk-return considerations, e.g., risk appetite, growth vs. pricing (adaptability)
       - cost-effectiveness, e.g., shared services, integrated data-warehouse, manual vs. automation, via ABC (activity-based costing), etc.
       - adaptability and transferability, e.g., tackle issues of obsolescence, cross-geographic applications, etc.
       - alignment with corporate governance objectives
       - based on identification of the top risks (known & unknown problems) faced by your organization
       - prioritizing risk based on impact & probability
       - seek benefits beyond “downside” risk management & cost issues to transform overall corporate performance, competitiveness, and shareholder value from ordinary to exceptional
       - aim to minimize operational surprises and losses: what’s the likelihood of risks “falling through” silo gaps?
  43. Enterprise Risk Management (ERM) Framework: An Overview
     At a practical level the Group risk framework needs to meet the expectations of different parties.
     [Diagram: the financial institution at the centre, surrounded by shareholders, regulators and other stakeholders; the rotated regulator / stakeholder labels are only partly legible in this extract (adequate capital; effective controls; group-wide risk identification)]
     Shareholders:
       • Effective allocation and efficient use of capital
       • A risk-adjusted basis for performance measurement
       • A cost-effective risk management framework
       • Risk management aligned to value creation
     Business Line:
       • Applicability of policy
       • Capital measurement / calculation
       • Meet performance measures
       • Reduce earnings volatility
       • Lessons learnt from outside the firm
       • Business line reporting
       • Methodology implementation
     Group:
       • Ensure compliance with policy
       • Transparency of capital allocation
       • Enhance shareholder value
       • Avoid losses as far as practical
       • Lessons learnt within the firm
       • Aggregated reporting
       • Loss transfer mechanisms
       • Central and efficiency
       • Methodology design
     … effective risk management combines providing protection and enabling business opportunities
  44. 5. Developing the KPIs to Measure the Result of Your ERM Framework
     Developing key risk and control indicators and establishing an early warning system: all about KRIs, KCIs, KPIs & KTIs
  45. Fundamentals of Enterprise Risk Management
     ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. – Proposed by COSO (2003)
  46. WHY ERM
     Are we taking the right risks?
       • How are the risks we take related to our strategies & objectives?
       • Do we know the significant risks we are taking?
       • Do the risks we take give us a competitive advantage?
       • How are the risks we take related to activities that create value?
       • Do we recognize that business is about taking risks & do we make conscious choices concerning these risks?
     Are we taking the right amount of risk?
       • Are we getting a return that is consistent with our overall level of risk?
       • Does our organizational culture promote or discourage the right level of risk-taking activities?
       • Do we have a well-defined organizational risk appetite?
       • Has our risk appetite been quantified in aggregate and per occurrence?
       • Is our actual risk level consistent with our risk appetite?
     Do we have the right processes to manage the risk?
       • Are our risk management processes aligned with our strategic decision-making process & existing performance measures?
       • Are our risk management processes coordinated & consistent across the entire enterprise?
       • Does everyone use the same definition of risk?
       • Do we have gaps and/or overlaps in our risk coverage?
       • Is our risk management process cost-effective?
     KRIs, KPIs and KCIs are inherently linked to the organization’s risk appetite & tolerance.
  47. Enterprise Risk Management Framework: Comprehensive Foundation for Sustainable Delivery
     [Layered diagram; columns: Identifying Risk Events | Analyzing Causes of Events | Risk Mapping | Risk Control Management | Capital Management]
     Qualitative Layer: identifying past events; analyzing causes of occurring events; comparative analysis by benchmarking; prevention measures for occurring events; capital allocation, etc.
     Quantitative Layer: identifying potential events; analyzing causes of occurring or expanding losses; detection measures for occurring losses; risk mitigation or transfer
     Risk Measurement (Group, Business Line & Risk Types): market data (IR, FX, liquidity, etc.); VaR engine; scenario analysis & stress-test engine; potential risk scenario; risk management
     Audit and Inspection Layer: review of audit & inspection
48. Linking the Business Values & ERM Strategies – Ultimate keys to portfolio "success"

(Diagram with ERM at the centre, linked to: Compliance Management, Information Life-Cycle Management, Capital Planning, HR & Best Practice, BP Governance, Operations, Architecture & Standards, Customer Service. Key: linking Business Value & ERM.)
49. Other Considerations

• Regulatory changes: convergence & overlap of global guidelines & regulations, e.g., Basel 2, IAS39/FAS133, SOX, etc.
• Infrastructure (resource, process, technology) readiness
• Corporate culture: mindset change management
50. ERM Internal Control Framework, e.g. utilizing COSO's model

• Focus on the processes between each stage of ERM
• Suggested 8 components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring
51. The COSO Framework

• Can be viewed in the context of 4 objective categories (strategic, operations, reporting, compliance)
• Considers activities at all levels of the enterprise (entity, division, business unit, subsidiary)
• 8 components to ERM
52. Applying The COSO Framework

• Internal Environment
  – Code of conduct/ethics
  – Ethics hotline
  – Hiring and promotion
  – Audit committee oversight
  – Investigative process
  – Remediation
• Objective Setting
  – Policy to reduce loss event incidences
  – Incentivization
  – Development of database of known loss event activities
• Event Identification
  – Monitoring of parameters, KRIs, KPIs
  – Map type of loss events to business process
  – Specify how possible future loss events are to be minimized or contained
• Risk Assessment
  – Systematic process
  – Level within organization
  – Likelihood and significance
  – Via Risk Probability & Impact Analysis
• Risk Response
  – Evaluate threshold to mitigate
  – Discontinuation, realignment of process
  – New policies & procedures
  – Risk Response Options:
    • Accept = Do nothing. Willing to take on risk
    • Avoid = Back-out strategy. Disengage from process leading to risk
    • Share = Shift some of risk to external parties (e.g., insurance, outsource, joint venture)
    • Mitigate = Design processes to reduce risk exposures
• Control Activities
  – Linking controls to identified risk activities
  – Comparison and evaluation of certain attributes and trends against previously measured patterns and known signs of risk events
  – Outlier and exception analysis
• Information/Communication
  – Information systems & technology
  – Knowledge management
  – Training/inculcating talent
• Monitoring
  – Ongoing monitoring by management
  – Separate "after the fact" evaluations by internal audit
  – Etc.
53. KPI & EWS Examples

Benchmarking Governance:
• Benchmarking for financial subsidiaries, e.g., RAROC, EVA, CAR, etc.
• Benchmarking for non-finance subsidiaries, e.g., Key Risk-based Performance Measures (KRPM), ROA, ROE, Liquidity, etc.
• KRPM can be evaluated quantitatively or qualitatively (using a rating matrix)

Forward-Looking Strategic & Managerial Flexibility:
• e.g., Real Options-based Scenario Modeling
54. Example of Key Risk-based Performance Measure (KRPM) Criteria (can be applied to both finance* & non-finance subsidiaries)

• *Until aggregated Economic Capital (market, credit, operational) for banking institutions can be evaluated
• Other risk measures (Expected Loss, Economic Capital)?
  – Liquidity
  – Operational
  – Reputational
  – etc.
55. Balance Sheet Stress Test Example – Related Risk & Financial Analysis

Ratio                              Low Stress     High Stress
Liquidity
  Current ratio                    2              1 or less
Solvency
  Debt to asset ratio              30%            60% or more
Profitability
  Net operating income             (not shown)    Negative
  Rate of return on assets         5%             1% or less
  Rate of return on equity         10%            5% or less
Repayment capacity
  Debt coverage ratio              135%           110% or less
Efficiency
  Operating expense ratio          60%            80% or more
  Interest expense ratio           10%            20% or more
  Asset turnover ratio             40%            20% or less
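The table above is a threshold scheme; what a practitioner wants to see is the screen actually run against a set of financials, once at baseline and once under a scenario shock, so that the ratios that flip to high stress are visible. The following is an added example, not code from the deck or from Standard Chartered: the threshold values and the direction of "worse" are taken from the table, while the balance-sheet figures, the ratio formulas (standard textbook definitions), the "moderate" band between the two slide values, and the shock scenario (revenue down 25%, interest cost up 50%) are all assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Financials:
    """Constructed balance-sheet and P&L figures for one subsidiary (assumption)."""
    current_assets: float
    current_liabilities: float
    total_assets: float
    total_debt: float
    equity: float
    revenue: float
    operating_expenses: float
    interest_expense: float
    principal_repayment: float

    @property
    def net_operating_income(self) -> float:
        # Revenue less operating expenses; depreciation and tax ignored (assumption).
        return self.revenue - self.operating_expenses

    @property
    def net_income(self) -> float:
        return self.net_operating_income - self.interest_expense

    @property
    def debt_service(self) -> float:
        return self.principal_repayment + self.interest_expense


@dataclass(frozen=True)
class Threshold:
    name: str
    low: float            # slide's "Low Stress" value
    high: float           # slide's "High Stress" value ("or less" / "or more")
    higher_is_worse: bool


# Thresholds as printed on the slide (percentages as fractions).
THRESHOLDS = [
    Threshold("current_ratio",     2.00, 1.00, higher_is_worse=False),
    Threshold("debt_to_asset",     0.30, 0.60, higher_is_worse=True),
    Threshold("return_on_assets",  0.05, 0.01, higher_is_worse=False),
    Threshold("return_on_equity",  0.10, 0.05, higher_is_worse=False),
    Threshold("debt_coverage",     1.35, 1.10, higher_is_worse=False),
    Threshold("operating_expense", 0.60, 0.80, higher_is_worse=True),
    Threshold("interest_expense",  0.10, 0.20, higher_is_worse=True),
    Threshold("asset_turnover",    0.40, 0.20, higher_is_worse=False),
]


def ratios(f: Financials) -> dict:
    """Textbook definitions of the slide's ratios (assumption)."""
    return {
        "current_ratio":     f.current_assets / f.current_liabilities,
        "debt_to_asset":     f.total_debt / f.total_assets,
        "return_on_assets":  f.net_income / f.total_assets,
        "return_on_equity":  f.net_income / f.equity,
        "debt_coverage":     f.net_operating_income / f.debt_service,
        "operating_expense": f.operating_expenses / f.revenue,
        "interest_expense":  f.interest_expense / f.revenue,
        "asset_turnover":    f.revenue / f.total_assets,
    }


def classify(value: float, t: Threshold) -> str:
    """'low' / 'moderate' / 'high' stress for one ratio. 'moderate' is the band
    between the two slide values and is an assumption."""
    worse_than_high = value >= t.high if t.higher_is_worse else value <= t.high
    better_than_low = value <= t.low if t.higher_is_worse else value >= t.low
    if worse_than_high:
        return "high"
    if better_than_low:
        return "low"
    return "moderate"


def stress_screen(f: Financials) -> dict:
    r = ratios(f)
    result = {t.name: classify(r[t.name], t) for t in THRESHOLDS}
    # The slide gives only the high-stress criterion (negative) for net operating income.
    result["net_operating_income"] = "high" if f.net_operating_income < 0 else "not high"
    return result


def shock(f: Financials, revenue_factor: float, rate_factor: float) -> Financials:
    """Apply a scenario: scale revenue and interest expense; balance-sheet
    stocks are held fixed for the period (assumption)."""
    return replace(f, revenue=f.revenue * revenue_factor,
                   interest_expense=f.interest_expense * rate_factor)


def count_high(screen: dict) -> int:
    return sum(1 for v in screen.values() if v == "high")


# Constructed sample; scenario is a 25% revenue fall with a 50% rise in interest cost.
BASELINE = Financials(current_assets=200, current_liabilities=100, total_assets=1000,
                      total_debt=300, equity=700, revenue=500, operating_expenses=350,
                      interest_expense=40, principal_repayment=60)
STRESSED = shock(BASELINE, revenue_factor=0.75, rate_factor=1.5)

if __name__ == "__main__":
    for label, fin in (("baseline", BASELINE), ("stressed", STRESSED)):
        s = stress_screen(fin)
        print(label, count_high(s), "ratio(s) at high stress:", s)
```

At baseline only the operating expense ratio sits in the moderate band; under the scenario four ratios (ROA, ROE, debt coverage, operating expense) cross into high stress even though net operating income stays positive, which is the point of screening on the full ratio set rather than a single profitability line.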
56. Using risk indicators – escalation limits and targets for monitoring liquidity & reconciliation at one ATM/branch location

(Chart "Escalation Limits and Targets": the historical idle cash balance (ATM cash float) is plotted by date from Jan-98 to Sep-01 on a 0 to 250 scale, against two horizontal lines: the Escalation Limit (1st warning) and the Base Limit/Goal.)
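The chart shows the two limits but not the rule that turns a breach into an escalation, nor the reconciliation side of the slide title. The following is an added example, not code from the deck: it runs both checks over a constructed series of reconciliation periods for a single ATM. The limit values, the rule that a breach sustained for three consecutive periods escalates to a second level, the reconciliation tolerance, and the sample data are all assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Period:
    """One reconciliation period at a single ATM (constructed data)."""
    date: str
    opening: float       # idle cash at start of period
    replenished: float   # cash loaded by the cash-in-transit run
    dispensed: float     # withdrawals recorded by the ATM host
    counted: float       # physical count at end of period


@dataclass(frozen=True)
class Limits:
    """Limit values and escalation rule are assumptions, not from the slide."""
    base_goal: float = 100.0        # "Base Limit / Goal"
    escalation: float = 150.0       # "Escalation Limit - 1st warning"
    sustain_periods: int = 3        # consecutive breaches before 2nd-level escalation
    recon_tolerance: float = 0.5    # cash count difference tolerated


Event = Tuple[str, str, float]   # (date, event type, value)


def monitor(periods: List[Period], limits: Limits = Limits()) -> List[Event]:
    """Emit KRI events: reconciliation breaks, carry-forward mismatches and
    idle-cash limit breaches with escalation on sustained breaches."""
    events: List[Event] = []
    streak = 0
    prev_counted = None
    for p in periods:
        # Continuity: the opening balance must be last period's physical count.
        if prev_counted is not None and abs(p.opening - prev_counted) > limits.recon_tolerance:
            events.append((p.date, "CARRY_FORWARD_MISMATCH", round(p.opening - prev_counted, 2)))
        # Reconciliation: counted cash must agree with the book balance.
        book = p.opening + p.replenished - p.dispensed
        diff = p.counted - book
        if abs(diff) > limits.recon_tolerance:
            events.append((p.date, "RECON_BREAK", round(diff, 2)))
        # Escalation limit on idle cash; the physical count is the KRI value.
        if p.counted > limits.escalation:
            streak += 1
            level = "ESCALATE_2" if streak >= limits.sustain_periods else "WARN_1"
            events.append((p.date, level, p.counted))
        else:
            streak = 0
        prev_counted = p.counted
    return events


def excess_over_goal(periods: List[Period], limits: Limits = Limits()) -> float:
    """Average idle cash held above the base goal: the cost-of-liquidity KRI."""
    return sum(max(0.0, p.counted - limits.base_goal) for p in periods) / len(periods)


# Constructed sample: a replenishment run overfills the ATM, the float stays
# above the escalation limit for three periods, then a count comes up 3 short.
SAMPLE = [
    Period("1998-01-05", 120, 0,   30, 90),
    Period("1998-01-12", 90,  100, 30, 160),
    Period("1998-01-19", 160, 0,   5,  155),
    Period("1998-01-26", 155, 20,  10, 165),
    Period("1998-02-02", 165, 0,   50, 112),
    Period("1998-02-09", 112, 0,   12, 100),
]

if __name__ == "__main__":
    for e in monitor(SAMPLE):
        print(e)
    print("avg excess over goal:", excess_over_goal(SAMPLE))
```

The reconciliation break on 1998-02-02 is the operational-risk signal (a cash shortfall that the host's dispensed figure does not explain), while the escalation sequence is the liquidity signal; both come from the same data set, which is why the slide couples them at one location.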
57. Cash Management (Operational Risk Management)

(Diagram; box labels: Strategy; Branch Performance; Bank Performance; Reputation; Liquidity Performance; Strategy (marketing campaign); Enhanced Profitability; Liquidity Management; Cash Pooling; Economic Capital.)
58. Risk-Based Performance Benchmarking (PIT Snapshot) – ERM view (RAROC vs Hurdle)

(Chart: RAROC (%) on the y-axis, 0 to 18, plotted per organization on the x-axis, 0 to 12, with the hurdle rate drawn as a horizontal line.)

NOTE: Important to have a supplementary trending indicator, e.g., "Trending RAROC".
59. Forward-Looking Scenario Modeling, e.g. Capital-at-Risk/Economic Capital

• Time horizon usually 1 year
• Confidence level consistent with rating target – usually 99.95% or higher
• Whole balance sheet
• In stressed environments, typically greater loss in value, hence leading to credit downgrade

(Chart: probability of outcome against value over the 1-year horizon, marking Current Value, Expected Value and Worst Case; CaR is the distance from the expected value down to the worst-case level consistent with an AA rating.)
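The two slides above (RAROC vs hurdle, and Capital-at-Risk at a rating-consistent confidence level) are two halves of one calculation: economic capital is the denominator of RAROC. The following is an added example, not code from the deck, that carries both through with numbers. It approximates the 1-year value distribution as normal, so that CaR = z(confidence) × sigma, and shows what happens to the covered confidence level when volatility doubles in a stressed environment but the capital held does not change. The normal approximation, the figures for the business line, the hurdle rate and the trailing-window definition of "trending RAROC" are all assumptions; real economic-capital models use fat-tailed, whole-balance-sheet loss distributions.

```python
from statistics import NormalDist, mean

_STD_NORMAL = NormalDist()


def z_score(confidence: float) -> float:
    """One-sided standard-normal quantile, e.g. z(0.9995) is about 3.29."""
    return _STD_NORMAL.inv_cdf(confidence)


def capital_at_risk(sigma: float, confidence: float = 0.9995) -> float:
    """CaR over the horizon = expected value - worst-case value at 'confidence'.
    With value ~ Normal(mu, sigma^2) (simplifying assumption) the expected
    value cancels and CaR = z(confidence) * sigma."""
    return z_score(confidence) * sigma


def implied_confidence(capital_held: float, sigma: float) -> float:
    """Confidence level a fixed capital amount actually covers once the value
    distribution widens under stress (the slide's downgrade mechanism)."""
    return _STD_NORMAL.cdf(capital_held / sigma)


def raroc(expected_revenue: float, expected_loss: float, costs: float,
          economic_capital: float) -> float:
    """Risk-adjusted return on capital: (revenue - expected loss - costs) / EC."""
    return (expected_revenue - expected_loss - costs) / economic_capital


def clears_hurdle(r: float, hurdle: float) -> bool:
    return r >= hurdle


def trending_raroc(history, window: int = 4) -> float:
    """Trailing-window average of periodic RAROC: the 'trending RAROC'
    supplement to the point-in-time snapshot (window size is an assumption)."""
    if len(history) < window:
        raise ValueError("need at least one full window of history")
    return mean(history[-window:])


# Constructed figures for one business line (assumptions).
SIGMA_BASE = 50.0                 # 1-year standard deviation of portfolio value
SIGMA_STRESS = 2 * SIGMA_BASE     # stressed environment: volatility doubles
HURDLE = 0.10
REVENUE, EXPECTED_LOSS, COSTS = 30.0, 8.0, 7.0


def worked_example() -> dict:
    ec_aa = capital_at_risk(SIGMA_BASE)          # 99.95% confidence
    ec_99 = capital_at_risk(SIGMA_BASE, 0.99)    # a lower rating target for comparison
    return {
        "ec_aa": ec_aa,
        "ec_99": ec_99,
        "raroc_base": raroc(REVENUE, EXPECTED_LOSS, COSTS, ec_aa),
        "raroc_stress": raroc(REVENUE, EXPECTED_LOSS, COSTS, capital_at_risk(SIGMA_STRESS)),
        "confidence_if_capital_unchanged": implied_confidence(ec_aa, SIGMA_STRESS),
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k:32s} {v:.4f}")
```

Moving the confidence target from 99% to 99.95% raises economic capital by about 41% (z goes from 2.33 to 3.29) with no change in the business, which is why the rating target has to be fixed before RAROC figures are comparable across organizations. In the stressed case the same capital only covers the 95% quantile, far below the AA-consistent level, and RAROC halves; both are the downgrade pressure the slide describes.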
60. 6. How to Achieve Balance on Cost of Compliance

• Back to how risk is perceived with regard to threat, uncertainty and opportunity
• Compliance/regulatory risk represents an uncertainty that can be managed via:
  – connectivity and integration of ERM's main risk management components
  – the coverage of the risk management process and the contexts under which it is considered
• The EWRM framework encapsulates the critical incorporation of corporate governance into the risk universe (including the audit and compliance assurance to be provided) and the critical success factors of the appropriate risk-and-return balance in providing superior client service and innovative products and solutions
• Benchmarking to Key Risk-based Performance Measures & forward-looking scenario analysis
61. Post-Implementation: ERM Cycle

(Cycle diagram; box contents:)

Develop Risk-Focused Supervision:
• Identify functional activities
• Identify/assess inherent risk
• Identify & evaluate controls
• Determine residual risk
• Establish procedures and conduct evaluation

Ongoing Supervision / RM Evaluation – internal examination that includes:
• Frequency of audit
• Scope of audit
• Meetings with BL, Risk Management
• Follow-up on recommendations
• Eval report/mgmt letter
• Financial analysis monitoring

FI Profile / Priority System – based on ratios and analysis to measure:
• Capital adequacy
• Asset quality
• Reinsurance
• Reserves
• Management
• Earnings
• Liquidity
• Sensitivity to market

Financial Analysis includes:
• Risk assessment results
• Financial Analysis Handbook process
• Ratio analysis (IRIS, FAST, internal ratios)
• Actuarial analysis
• Agency ratings
• CPA report or auditor

Internal/External Changes – consider changes to:
• Ownership/management/corporate structure
• Business strategy/plan
• Legal or regulatory status
62. ERM Value Creation Framework

Maximize value by using economic capital to relate a firm's decisions on the risks it takes to the decisions on the capital it uses to finance its business.

(Diagram; box labels: Return on Risk; Capital Costs; Value Management; Portfolio of Risks; Portfolio of Capital Resources; Capital Adequacy; Enterprise Risk and Capital Management; Risk Capital ("How much capital do I need?"); Capital Structure Costs ("What type of capital do I need?"); Economic Capital.)
63. 7. Concluding Remarks – EWRM Defined

While the final outcome is a working ERM system, ERM by itself is always a work in progress. In a dynamic and changing business environment, ERM should be viewed as an evolutionary development and provide for an incremental delivery of products, services and tools that can help an organization manage its risks going forward. It has to take into account the demands and needs of diverse regulatory drivers like Basel 2, IAS and SOX and yet be able to aggregate and present the risk-based information in a uniform and simple language, understood by all and to be acted upon for the benefit of the organization.
64. Implications of a Good EWRM Implementation

• Enhancing business continuity/endurance
• Enhancing shareholder value
• Enhancing profit & performance
• Ensuring enforcement for regulatory compliance
• Exploiting opportunities via managerial flexibility with strategic planning
65. Liquidity & Enterprise Risk Management Organization (recap of the earlier process diagram)

1. Identify principal business risks – envisioning meeting across Divisions, Facilities and Units; criteria for risk response: loss event, frequency of loss, expected loss, risk certainty; inputs: data from past losses, data from prior studies, risk mapping.
2. Develop enterprise-wide risk profiles – e.g., annualized frequencies of major/moderate/minor loss for Division 2 by Facility 1 to 4, and risk contribution for Division 2 across assets, people and systems.
3. Prioritize risk management plans – high-risk loss exposure for Division 2 tabulated by priority, division, facility, unit and loss event; who decides acceptability of risks? how quickly to resolve? who implements solutions?
4. Identify options for mitigation – insurance, loss control/mitigation, risk financing alternatives; unit operations response plan with response actions, priority, criteria and management.
66. Thank You

GS Khoo, PhD
Head, Global Risk (Models Validation)
Standard Chartered Bank
Office: +65 6427 5283
S'pore cell: +65 9825 2148
Email: Or