This file contains info related to my presentation on ERM implementation in the context of financial & regulatory convergence - requirements from SOX, Basel 2, COSO, and IAS/IFRS
Dubai Nov08 Erm Gs Khoo
1. Structuring ERM for Your Organization in an Era of
Regulatory Convergence (Basel II, SOX, COSO, IAS):
ERM from a Risk-Return Perspective
Guan Seng Khoo, PhD
Head, Group Risk (Models Validation)
Standard Chartered Bank
Khoo.Guan-Seng@standardchartered.com
gskhoo@gmail.com
2. Agenda
• Introductory Remarks: ERM from a Risk-Return Perspective
• Identifying the top risks of your organization
• How to develop an appropriate ERM framework:
  – Speaking the Same Language
  – Integration-centric approach
  – Implementing a common risk language that’s “aggregatable” & flexible
• The Structure to Governing Risk (Proposed)
• Developing the KPIs to measure the result of your ERM framework
• How to achieve balance on cost of compliance
• Concluding remarks
4. Liquidity & Enterprise Risk Management
(Diagram: a four-step enterprise-wide risk management cycle applied across the organizational hierarchy Organization > Division > Facility > Unit)
1. Identify principal business risks – envisioning meeting; data from past losses, data from prior studies, risk mapping
2. Develop enterprise-wide risk profiles – criteria for risk: frequency of loss, expected loss, annualized frequencies for risk events; assets, people, systems; risk contribution and loss exposure per division and facility (e.g. high-risk loss exposure for Division 2)
3. Prioritize risk – loss events rated Major / Mod. / Minor by priority, division, facility, unit, loss event and risk certainty
4. Identify options for mitigation – loss control / mitigation, insurance, risk financing alternatives; unit operations response plan (response priority, loss event, actions)
Governance questions: Who decides acceptability of risks? How quickly to resolve? Who implements solutions?
5. 1. Introductory Remarks:
Always Bear in Mind to be Never
Complacent
• Even during good times, unexpected negative events
can occur – stressed environments!
Recall:
• space shuttle Columbia
• Tsunami Tidal Wave & Impact in SE & South Asia
• London 7/7, New York 11/9, etc.
• Mumbai flood July 2005 – no BCP
• Hurricane Katrina – impact on oil and lifestyle in Asia
• Sustained high oil prices
• Toxic mortgages/subprime contagion
6. Reminder
• Any EWRM framework must consider potential impact of
crises.
• Preparation & implementation should be based on the
old military saying, “the more you sweat in peace the
less you bleed in war”.
• That is, EWRM implementation should include a comprehensive program to test
portfolios, staff readiness, systems, processes, etc., so as to be better
prepared when an unexpected negative event occurs.
• Initial assessment/test of the attributes of an institution’s portfolio of
infrastructure, human resources, systems and processes: can they withstand
scenarios that are likely to occur, and what would the losses be should a
crisis come to pass? Test first to unearth the inefficiencies & loopholes.
7. What You Hope to Achieve
• Every organization is different and has its own priorities with respect to the
risks and challenges it faces and the impact they will have
• However, the greatest challenge has always been the internal environment
and the “silo” mindset of the organization, with different groups having their
own agenda and priorities
• This presentation also proposes some strategies to help overcome the
challenges posed by this type of organizational culture, namely:
  – Obtain “buy-in” from senior mgt & BOD
  – Illustrate a possible outcome that is aligned with regulatory reporting
requirements and also value-adds to the information management process of
the enterprise
  – In order to implement, be aware of the demanding and constraining
environment of diverse regulatory and supervisory expectations, e.g. Basel
II, IAS and SOX
  – Implementation must take into account overlapping issues and aggregate
the risk measures in order to have a bird’s-eye view of the enterprise
  – Implementation should be straightforward and simple in terms of outcome
and reporting
  – Strong guidance & leadership are critical to a (reasonably) successful
implementation
8. ERM from a Risk-Return Perspective: Value-for-Money
• Risk-Return considerations are 3-D:
  – Opportunity, e.g., cut down on fraud, enhance reputation and market growth, etc.
  – Uncertainty, e.g., impact of regulatory changes, occurrence of fraudulent activity, etc.
  – Threat, e.g., high oil prices, terrorism, etc.
⇒ Pro-active risk mgt instead of being reactive
9. Risk in 3 Dimensions
• Every risk event can potentially lead to an
“upside” return, status quo or “downside” loss
• Hence, ERM isn’t just about negative risk
containment or avoidance,
• But, also about strategizing to leverage on the risk
awareness and activities to enhance returns,
• To ensure the corporation’s growth and business
continuity and to outperform the average
10. 2. Identifying the Top Risks of
Your Organization
• In order to identify and prioritize the top risks,
need to first measure or quantify them
• Use an ERM matrix based on global best
practices and accepted principles
• Look for guidance from experts (internal or
external)
• Categorize all possible risks & stakeholders
• Localize the risk concentrations and further
analyze these risks based on probability and
impact at different levels and hierarchy of the
organization
12. Next Steps: Understand your
risk, your goals, and your
priorities
• Based on the risk appetite & ERM matrix, concentrate on the core
risks that the organization must either accept, prevent from
occurring, must lessen the impact if they occur, or mitigate by
transferring the risk away from the key tasks.
• Each risk is then analyzed by assigning it weighting factors such as
those shown in the following matrix.
• This matrix weighs the probability of a risky event: the risk that it will
occur only once (Low, Medium, High) as well as the risk that it will
occur multiple times (Low, Medium, High).
• The matrix also weighs the impact, should the event occur: the
impact on a single department or product (Noticeable, Moderate,
High) as well as the impact on the entire company or division
(Noticeable, Moderate, High).
• The total risk of an event is the product of the probability and impact.
This step gives us an objective approach to prioritizing risk and deciding
how the risk can be managed.
13. Prioritizing in terms of e.g.:
- Exposure loss
- Cost of recovery
- Reputation
- etc.
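A worked example of the scoring and prioritization described on slides 12 and 13, written for this page and not part of the original deck: the ordinal scales (once/multiple occurrence, department/company impact) and the probability-times-impact rule come from slide 12, while the numeric weights, the Major/Mod./Minor cut-offs, the accept/prevent/lessen/transfer mapping, the division roll-up and the sample risk register are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ordinal scales from slide 12; the 1/2/3 weights are an assumed choice.
PROB_SCALE = {"Low": 1, "Medium": 2, "High": 3}
IMPACT_SCALE = {"Noticeable": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    division: str
    facility: str
    p_once: str           # probability of occurring once: Low/Medium/High
    p_multi: str          # probability of occurring multiple times: Low/Medium/High
    i_dept: str           # impact on a single department/product
    i_company: str        # impact on the entire company/division
    exposure_loss: float  # slide 13 tie-breakers; the sample values are constructed
    recovery_cost: float


def probability_weight(e: RiskEvent) -> int:
    """Both probability ratings contribute; summing them (range 2..6) is assumed."""
    return PROB_SCALE[e.p_once] + PROB_SCALE[e.p_multi]


def impact_weight(e: RiskEvent) -> int:
    """Department and company impact summed the same way (range 2..6)."""
    return IMPACT_SCALE[e.i_dept] + IMPACT_SCALE[e.i_company]


def total_risk(e: RiskEvent) -> int:
    """Slide 12: total risk is the product of probability and impact (4..36)."""
    return probability_weight(e) * impact_weight(e)


def priority_band(score: int) -> str:
    """Major / Mod. / Minor bands as on slide 4; the cut-offs are assumed."""
    if score >= 20:
        return "Major"
    if score >= 10:
        return "Mod."
    return "Minor"


def suggested_response(e: RiskEvent) -> str:
    """Map slide 12's four options (accept, prevent, lessen, transfer) onto the
    probability/impact quadrant. The quadrant rule is an assumption."""
    high_p = probability_weight(e) >= 4
    high_i = impact_weight(e) >= 4
    if high_p and high_i:
        return "prevent"
    if high_i:
        return "transfer"  # rare but severe: insurance / risk financing
    if high_p:
        return "lessen"    # frequent but small: reduce the impact
    return "accept"


def prioritize(events):
    """Rank by total risk, then exposure loss, then cost of recovery (slide 13)."""
    return sorted(events, key=lambda e: (total_risk(e), e.exposure_loss,
                                         e.recovery_cost), reverse=True)


def risk_contribution(events, level: str = "division") -> dict:
    """Roll total risk up per division or facility for the enterprise-wide view."""
    totals = defaultdict(int)
    for e in events:
        totals[getattr(e, level)] += total_risk(e)
    return dict(totals)


# Constructed sample register; names echo slide 5/18 examples, values are made up.
SAMPLE_EVENTS = [
    RiskEvent("Internal fraud", "Division 1", "Facility 1", "Medium", "High", "High", "Moderate", 5.0, 1.0),
    RiskEvent("BCP gap (flood)", "Division 2", "Facility 3", "Low", "Low", "High", "High", 20.0, 8.0),
    RiskEvent("Slow response time", "Division 1", "Facility 2", "High", "High", "Noticeable", "Noticeable", 0.5, 0.2),
    RiskEvent("Stationery theft", "Division 2", "Facility 4", "Medium", "Low", "Noticeable", "Noticeable", 0.1, 0.1),
]


def build_register(events=SAMPLE_EVENTS):
    """Prioritized register rows: (name, total risk, band, suggested response)."""
    return [(e.name, total_risk(e), priority_band(total_risk(e)), suggested_response(e))
            for e in prioritize(events)]


if __name__ == "__main__":
    for row in build_register():
        print(row)
    print(risk_contribution(SAMPLE_EVENTS))
```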
14. 3. How to Develop an
Appropriate ERM framework:
The ABC of ERM Implementation
• Internal Environment Challenges
• Getting the buy-in
• Mindset change management:
- From Silo-based to Enterprise-wide Holistic View
- From Rules-based to Performance-based Environment
• How to overcome (some suggestions):
- SAP: show a possible outcome
- KISS, e.g., speak the same, simple language
- CLICK: provide creative leadership & strong guidance
with conviction & know-how
15. SAP – Show a Preview
• No matter how global or sophisticated your organization is, when you are
embarking on an ERM implementation, engagement is the key to gaining
the buy-in from all levels of the organizational hierarchy – easier said than
done though!
• One approach is to illustrate to the key personnel at all levels a prototype
model of what they are going to get and how they can benefit from it (the
preview). The prototype can first be developed in-house by a project team
that will eventually lead and drive the implementation program. Alternatively,
it could be based on an existing solution or system being used by other
organizations ahead of the implementation curve, which the project team
has access to. This initial effort in prototyping an interim system or model
that can be shown to senior management or directors in the form of an ERM
cockpit or dashboard (like a movie poster) brings a lot of benefits to the
subsequent deployment and implementation of the ERM system.
• Firstly, much of the effort to produce the prototype will help the project team
in establishing a foundation to support the creation of an ERM manual that
will serve as the reference point for the establishment of management
policies, procedures, and practices governing the initiation, definition,
design, development, deployment, operation, maintenance, enhancement,
and retirement of the ERM system.
16. SAP – Show a Preview 2
• Secondly, the preview of the ultimate ERM system provides
visibility and transparency to the whole exercise, enhancing the
confidence of the directors and senior management as it also
provides an opportunity for them to have a first “taste” (encounter) of
the final solution. More importantly, it also provides an avenue for
them to be a critic, so that they can provide constructive feedback
regarding the strengths and weaknesses of the interim system,
which ultimately will be used by them – indirectly, they also become
the stakeholders of the ERM implementation project based on their
feedback and inputs.
• Thirdly, the preview allows for identifying and validating either an
opportunity to improve the organization’s business accomplishments or a
deficiency in the ERM project specification, identifying significant
assumptions and constraints on solutions to that need, and recommending
the exploration of alternative concepts and methods to satisfy the need.
17. Corporate Performance Cockpit
(Gauge chart: the actual value of “Asset Turnover Ratio” is 39, pointed out by the black needle; the actual value is calculated as the average of all subsidiaries in year 2004. The values 10 and 20 are the two threshold values of the interest expense ratio.)
18. Example: ABC Bank KRIs & KPIs
(Table with five columns: Risk Indicators, Near Misses, Losses, Risk Assessment, Performing Indicators)
Risk Indicators: Op Expense; Debt to Asset; NPL & LLP; Rate of ROE; Asset turnover; RAROC
Near Misses: lack of products; lack of expertise; slow response time; no targeted market; lack of risk-based pricing; etc.
Losses: internal fraud; market share; share price of parent; etc.
Risk Assessment / Performing Indicators: focus on business process improvements; enhance internal controls (checks & balances); etc.
19. KISS – Keep It Simple, Stupid
• Another key consideration is simplicity. The final ERM system should be easy to use
and:
• emphasize user friendliness over ease of technical design and application software
development
• stick to prescribed terminologies understood by all, e.g., establishing ERM Risk
Categories that have already been defined by the Regulatory Agencies, in order to
reduce ambiguity among the stakeholders and users of the ERM
• provide easier, secure, reliable access to data
• tailor management information reports to customer needs
• provide automated tools to facilitate end user access to and use of data
• provide readily available help within the application software and provide for computer
based training modules
• reduce the reliance on paper
• provide easier, secure access and management to electronic records, e.g., digital
access rights mgt.
• While the ERM system could be quite granular in terms of the depth of information to
be retrieved and displayed, the project team should always bear in mind that at the
senior management and directors’ level, the big picture is more critical. Hence, the
ERM should allow for customization and access along the different levels of usage
across the organizational hierarchy so that line managers, auditors and directors can
access the same repository of information but view the information differently
according to their needs and functional roles – different access rights can be put in
place.
20. ERM Implementation in the
Context of a
Diverse Regulatory
Environment
(Basel II, IAS, SOX, etc.)
“Speaking the Same Language”
Principle: SSL
21. Why Comply?
“...Simply complying with the rules is not
enough. … if companies view the new laws as
opportunities - opportunities to improve
internal controls, improve the performance of
the board, and improve their public reporting—
they will ultimately be better run, more
transparent, and therefore more attractive to
investors.”
William Donaldson, SEC Chairman, 4 November, 2004
22. Integration of Risk & Finance – Synergy Examples
(Diagram: three regulatory regimes feeding one integration-centric approach)
Basel II: Advanced IRB Approach for Credit Risk; AMA for Operational Risk; Pillar 2 & 3
IAS: Fair Value Accounting; Impairment value; Hedge effectiveness; Income recognition
SOX: High level standards; Internal controls effectiveness testing; Internal controls disclosure
Integration-Centric Approach (shared items): Loan Impairment; Risk Mitigation; IPSB; Organizational Structure; Liquidity risk; PRMR; PRCR; PROR; Controls Testing
• Whether it is SOX, Basel II, International Accounting Standards (IAS), etc., integrating information in
support of compliance is not a one-off proposition.
• Compliance requires ongoing and constant enforcement.
• It’s never a matter of simply checking a box and then moving to another project.
• Compliance-driven requirements are usually phased in, evolve constantly, and invariably become more
complex and stringent over time.
• An integration-centric approach enhances the flexibility, and thus the value, of such an architecture
because you can design the data integration capabilities necessary to meet whatever happens
regulation wise.
• You have a supple, adaptable and (over time) familiar framework for integrating new data and types of
data in new ways.
• In contrast, a non-integration-centric approach means having to recollect data for each new
compliance mandate that comes along.
• An integration-centric approach allows institutions to standardize their risk language in terms of the
underlying Basel II risk-compliance categories or items and the overlapping risk parameters in the
context of associated regulations (SOX, IAS, etc.)
24. Basel II-compliant Integrated Approach to Risk Management – Risk Models & Measurements
(Architecture diagram)
Key: Calculation engines act on Ratings and the Loss Distribution to yield the PD (PE), LGD (LE), EAD, VaR as well as EC (CaR); Monte-Carlo simulation of frequency and severity gives economic capital (EC) by scenario type.
Components: Basel 2 calculators; Basel II severity calculation engines; frequency (adjust severity & frequency distribution); IAS calculation engines; internal and external market data; financial and management accounting (GL); shared regulatory reporting data mart; reports and disclosure.
Scenario types, each with its own capital at risk:
  CaR1 – De-pegging of USD/RMB
  CaR2 – Asian financial crisis / pandemic flu
  CaR3 – Terrorist threat & rise in NPL
  CaR4 – Succession & general election
  CaR5 – Sectoral distress, e.g., dotcom bust
  CaR6 – Fall in FDI (threat from China/India)
  CaR7 – Bank merger & loss of market share
→ Average Economic Capital
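An added illustration of the Monte-Carlo step in the key above, written for this page and not code from the deck or from the bank it describes: a compound Poisson/lognormal loss model per scenario, VaR and EC (CaR) per scenario, the “adjust severity & frequency distribution” step, and the average EC across scenarios. The distribution choices, confidence level and all numeric parameters are assumptions; only the CaR labels and scenario names come from the slide.

```python
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    label: str          # capital-at-risk label from the slide, e.g. "CaR1"
    name: str
    frequency: float    # mean loss events per year (Poisson rate) - assumed
    median_loss: float  # median severity per event (lognormal) - assumed
    sigma: float        # lognormal dispersion of severity - assumed


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(sc: Scenario, years: int, rng: random.Random) -> list:
    """One simulated year = Poisson count of events, each with a lognormal severity."""
    mu = math.log(sc.median_loss)
    losses = []
    for _ in range(years):
        n_events = sample_poisson(rng, sc.frequency)
        losses.append(sum(rng.lognormvariate(mu, sc.sigma) for _ in range(n_events)))
    return losses


def quantile(values: list, q: float) -> float:
    """Empirical quantile by order statistic (no interpolation)."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def economic_capital(sc: Scenario, confidence: float = 0.999,
                     years: int = 20_000, seed: int = 1) -> dict:
    """EC (CaR) = VaR at the chosen confidence level minus the expected loss."""
    rng = random.Random(seed)
    losses = simulate_annual_losses(sc, years, rng)
    expected = statistics.fmean(losses)
    var = quantile(losses, confidence)
    return {"label": sc.label, "expected_loss": expected, "var": var, "ec": var - expected}


def stress(sc: Scenario, freq_mult: float = 1.0, sev_mult: float = 1.0) -> Scenario:
    """'Adjust severity & frequency distribution': scale the event rate and severity median."""
    return replace(sc, frequency=sc.frequency * freq_mult,
                   median_loss=sc.median_loss * sev_mult)


def average_economic_capital(scenarios, **kwargs):
    """Per-scenario EC plus the 'Average Economic Capital' figure at the foot of the slide."""
    results = [economic_capital(sc, **kwargs) for sc in scenarios]
    return statistics.fmean(r["ec"] for r in results), results


# Constructed parameters: only the labels and names are taken from the slide.
SCENARIOS = [
    Scenario("CaR1", "De-pegging of USD/RMB", 0.5, 400.0, 1.0),
    Scenario("CaR2", "Asian financial crisis / pandemic flu", 0.2, 2000.0, 1.2),
    Scenario("CaR3", "Terrorist threat & rise in NPL", 1.0, 150.0, 0.9),
]

if __name__ == "__main__":
    avg, per_scenario = average_economic_capital(SCENARIOS, years=10_000, seed=42)
    for r in per_scenario:
        print(f"{r['label']}: EL={r['expected_loss']:.1f} "
              f"VaR99.9={r['var']:.1f} EC={r['ec']:.1f}")
    print(f"Average EC across scenarios: {avg:.1f}")
```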
25. Illustration: Implementing a Common Risk Language that is Flexible & “Aggregatable”
(Table: Risk Category Level 1 → Event Type Level 2 → risk event, mapped onto a common risk language)
People Risk
  – Internal Acts: unauthorized activity, theft & fraud, etc.
  – Employment Practices & Workplace Safety
Process Risk
  – Execution, Delivery & Process Mgt: transaction capture, execution, monitoring & reporting, etc.
  – Clients, Products & Business Practices: disclosure, fiduciary, improper business practices, etc.
Systems Risk
  – Business Disruptions & System Failures: hacking, phishing, etc.
External Risk
  – External Events, External Fraud, etc.
Example risk events
  – Firm enters into a business relationship with inappropriate parties or does not accurately profile the client
  – Firm opens accounts with persons intending to launder money and does not detect, report or record suspicious activities by its customers
  – Failure to follow firm’s policies & procedures
Common Risk language (the same events expressed in each vocabulary)
  – Internal Audit Risk
  – SOX Risk: misstatement of client fees
  – IAS Risk: overstatement of hedge effectiveness, fair value measurement
  – Basel II Operational Risk: Clients, Products & Business Practices
  – Compliance Risk
26. ERM matrix provides:
- single enterprise-wide
view & encompasses
regulatory definition of risk
categories
- ratings across whole
hierarchy of organization
- comparative analysis
- segmented information for
IA as well
- simplicity & ease of use
27. CLICK – Creative Leadership with
Insight, Commitment & Know-how
• No matter how good the planning, budgeting and resource provisioning are, if the ERM implementation is
performed by the “blind leading the blind”, e.g., buying off-the-shelf system and models, and with a lack of
conviction and commitment, the final outcome would yield a white elephant.
• Risk management must be applied to all phases throughout the life cycle of the implementation. Risk, as used in
project management, is associated with a lack of resources, information, and/or control. Risk management is
distinguished from “problem management” in that risk management is concerned with situations that may or may
not occur, whereas problem management is concerned with known difficulties that are a result of a risk having
occurred. An analysis of risk and any strategy adopted to control risk should at least consider the effect of one or
more of three factors: lack of resources (such as personnel or funding); lack of information (for example,
completeness and confidence); or lack of control over the decision-making process (such as external project
decisions affecting the project plans and assumptions).
• Applying risk management to the ERM production or infrastructure system stage includes considering backup and
recovery in service level agreements and plans. Management responsibility for a risk must be assigned to
individuals and units that can affect the risk's root causes. The Project Manager shall be responsible for managing
project risks over which the Project Manager can exert direct control.
• Risks that affect the project, but are not under project control, shall be explicitly assigned to either the Program
Sponsor or the CRO, as appropriate. Situations external to the project that could be sources of risk to the project
shall be coordinated through the Project Manager. Risk shall be a consideration in a Review Board and
management decisions. Project risk situations, plans, and progress against risks must be considered at all project
reviews.
• Strong guidance must come from the Program Sponsor, Project Manager and Team so that the ERM
implementation is carried out with a clear view of the objective and an insightful understanding of what it hopes to
achieve. Coupled with the commitment of the team and management with the backing of the whole enterprise,
and the strong political will of the stewards and stakeholders of the ERM project, the likelihood of a successful
implementation will be enhanced.
28. Establishing ERM: The 7 Elements of the Risk Management Process
Aka “The 7 Habits of Highly Effective Risk Managers”
Board Involvement – An active board of directors reviews strategic alternatives and develops corporate objectives and then formally approves policies. Also evaluates whether business is being properly managed.
Risk Management Policies – Provide broad guidance within which senior management operates and executes the firm’s objectives.
Senior Mgt. Involvement – Senior management then develops strategies consistent with corporate objectives and policies, and ensures that their execution is supported by an effective decision process.
Decision-Making Process – The decision process is backed by adequate analytical support and information management infrastructure.
Analytics – The analytical support utilizes efficient models which analyze both qualitative and quantitative data.
Reporting / Monitoring – The analytical process in turn generates ongoing reports for performance monitoring, benchmarking and further consequent actions.
Internal Controls – All of the above take place within a strong and practical internal control regime.
29. Incorporating the 6 Principles of Shareholder Value, aka “6 Sigma”
(Diagram: six “P”s surrounding Enhanced Shareholder Value)
• Planning
• Paying for Performance
• Measuring Performance
• Pricing Products
• Prioritising resources
• Providing for risk
30. WHAT (do you have)
In terms of “Hard” & “Soft” Infrastructure:
• Corporate Culture
• People
• Process
• Technology: Systems & IT
31. ERM Infrastructure – Enterprise Component View
(Diagram: the 7 elements of slide 28 run along the edge of a layered Risk Decision Support System)
Methodologies
  – Quantitative: Linear/Non-Linear (AI), Extreme Value Theory, etc.
  – Qualitative: Expert Judgment, Structured Scenarios
Engines: Reporting Consolidation & Document Management; Market Intelligence; Client MS; Simulation; Surveillance; Scoring/Rating; Scenario Analyzer; Search; Portfolio Mgmt
Foundation (data infrastructure): Warehouse; DataMart; DataScrub&Cleanse; DataSorter; DataArchival; DataFeedManager; DataStream
Supporting layers: Policy; Technology & Know-How; INFRASTRUCTURE; MINDWARE
32. Balanced ERM Implementation Approach
(Diagram: the “Soft” and “Hard” sides balanced against each other)
Soft: Strategy; Mind; Innovation; Training; Flexibility; Managing Expectations; Human Resources
Hard: Reporting; Data; Model; Calculator; IT; Physical
“SOFT”WARE, “MIND”WARE, “HARD”WARE, “HEART”WARE
33. 4. The Structure to Governing Risk
EWRM Infrastructure Fundamentals – 3 in 1 Basic Pillars: People, Process, Technology, within the Corporate Culture
34. The 4 Pillars & EWRM Success
Pillar 1 – People
• Greatest challenge is not having the human resource expertise in terms of depth & breadth (e.g. BI implementation in ERM)
• Hence, advisory services & training should be part & parcel of good ERM project management
• Managing governance expectations, e.g., transfer of expertise, mindset change management
35. HR/People Responsibility
• HR Implementation Program
• Board responsibilities – Strategic oversight; alignment
• CEO responsibilities – Assign resp./accountability/authority; oversee compliance
• Executives responsibilities – Project implementation
• Senior Managers responsibilities – Risk assessment, implement policies, oversee implementation operations
• All employees responsibilities – Awareness; compliance; reporting
Governance Framework in EWRM
– Providing support for networks, systems (ref. ISO17799)
– Periodic assessment of risk
– Policies/procedures to address security risks and implementation obstacles; full lifecycle
– Operational awareness training
– Periodic testing; remedial action commensurate with risk; processes integrate with operations
– Incident response procedures
– Business continuity plans
• Reporting
– Adequacy, effectiveness, acceptable residual risk reported to executives
– Independent evaluation reported to the board
36. Business Process Governance
Pillar 2 – Process
• Workflow checklist of critical business processes in project implementation
• Design a process data-warehouse**
• ERM managers/supervisors check that parameters and conditions used to evaluate key risk measures are sound and rigorous – How?
• Business Process Management: assessment of process workflow, scenario analysis complemented by documentation & policy manuals
37. Process Performance = Indicators + Processes
(Diagram: Enterprise Performance = Performance Indicators (“WHAT” – Results; Business Intelligence, static indicators) + Process Chain (“HOW” – History, “WHY” – Causes; Business Process Intelligence))
Static indicators: Finance & balance; Liquidity / Cashflow; Cost; Return on Investment; RAROC; ROA; Quality; Price; Risk
Sample process chain (order trading): Enter customer order → Order entered → Time match → Check customer order → Order checked → Complete customer order → Order completed
  – SETS order for Large Caps and selected MidCaps can be done automatically; data transferred to OMAR; OMAR order completely filled
38. Technology Infrastructure Readiness
Pillar 3 – Technology
• The third pillar seeks to leverage the ability of technology to provide discipline and consistency to help the ERM personnel and staff to optimize the business processes via the appropriate enabling tools & systems
• Hence, the ERM team performs stress tests to ensure ERM implementation adequacy in times of shocks or unforeseen obstacles
• Enhance transparency & reputation of project management delivery
39. Scenario Analysis
(Diagram) Causes → Scenario (Potential Event) → Evaluation
• Causes: failure of relevant key risk factors; KPIs/KRFs
• Evaluation – severity of potential loss: range of severity, typical severity
• Evaluation – frequency of potential loss: range of frequency, typical frequency
40. ERM Project Management Governance
Each area evaluates the adequacy of the control in place for the following risks:
• Project Governance
  1. Lack of procedures leads to inconsistencies of approach, and potentially project failures or inefficiencies.
  2. Not sponsored by the business or out of scope.
  3. etc.
• Financial Management
  1. Costs associated with the project are unknown or inconsistent.
  2. Costs are not being recorded properly leading to inaccurate financial reporting.
  3. etc.
• Quality Management
  1. Quality is not an integral part of the project.
  2. Poor quality procedures may lead to poor deliverables and customer dissatisfaction.
  3. etc.
• Monitoring & Reporting
  1. Progress against plan and budget is not monitored, leading to possible loss of management control.
• Project Planning
  1. Plans are unreadable and difficult to manage.
  2. Poor plans lead to increased costs and delays.
  3. etc.
• Risk & Issue Management
  1. Risks and issues are identified and managed
  2. etc.
• Project Close-Down
  1. The project has delivered acceptable products within time and cost.
  2. Poor security or controls can lead to loss of confidentiality, integrity or availability of information services.
  3. etc.
41. The +1 Pillar: Corporate Culture
• Strengthening Corporate Governance from the viewpoints of:
  – Boards of Directors
  – Management
  – Internal Control Functions
  – Overcoming Silos
42. Achieving a usable & relevant
ERM system?
• No One Answer (depends on scale of implementation, location, global or localized,
etc.)
• Ability to standardize & measure project implementation risk-based indicators based
on some key criteria:
- risk-return considerations, e.g., risk appetite, growth vs. pricing (adaptability)
- cost-effectiveness, e.g., shared services, integrated data-warehouse, manual vs.
automation, via ABC (Activity-based costing), etc.
- adaptability and transferability, e.g., tackle issues of obsolescence, cross-geographic
applications, etc.
- Alignment with corporate governance objectives
- Based on identification of the top risks (known & unknown problems) faced by your
organization
- Prioritizing Risk based on Impact & Probability
- Seek benefits beyond “downside” risk management & cost issues to transform overall
corporate performance, competitiveness, and shareholder value from ordinary to
exceptional
- Aim to minimize operational surprises and losses: What’s the likelihood of risks
“falling through” silo gaps?
43. Enterprise Risk Management (ERM) Framework – An Overview
At a practical level the Group risk framework needs to meet the expectations of different parties
(Diagram: Shareholders, Regulators, Group and Business Line surrounding the Financial Institution)
Shareholders
• Effective allocation and efficient use of capital
• A risk adjusted basis to performance measurement
• A cost effective risk management framework
• Risk management aligned to value creation
Group and Business Line
• Applicability of policy; ensure compliance with policy
• Transparency of capital allocation; capital measurement/calculation
• Meet performance measures; enhance shareholder value
• Reduce earnings volatility; avoid losses as far as practical
• Lessons learnt from outside the firm; lessons learnt within the firm
• Aggregated reporting; business line reporting
• Loss transfer mechanisms; central and efficiency
• Methodology design; methodology implementation
… effective risk management combines providing protection and enabling business opportunities
44. 5. Developing the KPIs to
measure the result of your ERM
framework
Developing Key Risk and Control
Indicators and establishing an
early warning system
All About KRIs, KCIs, KPIs & KTIs
45. Fundamentals of
Enterprise Risk Management
ERM is a process, effected by an entity’s
board of directors, management, and other
personnel, applied in strategy setting and
across the enterprise, designed to identify
potential events that may affect the entity,
manage risks to be within its risk appetite,
to provide reasonable assurance regarding
the achievement of entity objectives.
- Proposed by COSO (2003)
46. WHY ERM
Are we taking the right risks?
• How are the risks we take related to our strategies & objectives?
• Do we know the significant risks we are taking?
• Do the risks we take give us a competitive advantage?
• How are the risks we take related to activities that create value?
• Do we recognize that business is about taking risks & do we make conscious choices concerning these risks?
Are we taking the right amount of risk?
• Are we getting a return that is consistent with our overall level of risk?
• Does our organizational culture promote or discourage the right level of risk taking activities?
• Do we have a well-defined organizational risk appetite?
• Has our risk appetite been quantified in aggregate and per occurrence?
• Is our actual risk level consistent with our risk appetite?
Do we have the right processes to manage the risk?
• Are our risk management processes aligned with our strategic decision-making process & existing performance measures?
• Are our risk management processes coordinated & consistent across the entire enterprise?
• Does everyone use the same definition of risk?
• Do we have gaps and/or overlaps in our risk coverage?
• Is our risk management process cost-effective?
KRIs, KPIs and KCIs are inherently linked to the organization’s risk appetite & tolerance
47. Enterprise Risk Management Framework – Comprehensive Foundation for Sustainable Delivery
(Diagram with three layers)
Qualitative Management Layer: Identifying Events → Analyzing Causes of Events → Risk Mapping → Risk Control → Capital Management
Quantitative Management Layer:
  – Identifying Past Events → Analyzing Causes of Occurring Events → Comparative Analysis by Benchmarking → Prevention Measures for Occurring Events → Capital Allocation etc.
  – Identifying Potential Events → Analyzing Causes of Occurring or Expanding Losses → Detection Measures for Occurring Losses → Risk Mitigation or Transfer
  – Risk Measurement (Group, Business Line & Risk Types): Market Data – IR, FX, Liquidity, etc.; VaR Engine; Scenario Analysis & Stress-Test Engine; Potential Risk Scenario
Audit and Inspection Layer: Review of Audit & Inspection
48. Linking the Business Values & ERM Strategies – Ultimate Keys to Portfolio “Success”
(Diagram) KEY – Linking Compliance, Business Value, Information Life-Cycle Management & ERM
ERM is linked to: Capital Planning; HR & BP Governance; Best Practice Operations; Architecture & Standards; Customer Service
49. Other Considerations
• Regulatory changes: Convergence &
Overlap of Global Guidelines &
Regulations, e.g., Basel 2, IAS39/FAS133,
SOX, etc.
• Infrastructure (Resource, Process,
Technology) Readiness
• Corporate Culture: Mindset Change
Management
50. ERM Internal Control Framework
e.g. Utilizing COSO’s model
• Focus on the processes between each
stage of ERM
• Suggested 8 components: Internal
Environment, Objective Setting, Event
Identification, Project Risk Assessment,
Risk Response, Control Activities,
Information & Communication, Monitoring
51. The COSO Framework
(Diagram of the COSO cube) Can be viewed in the context of 4 categories; considers activities at all levels of the enterprise; 8 components to ERM
52. Applying The COSO Framework
• Internal Environment
– Code of conduct/ethics
– Ethics hotline
– Hiring and promotion
– Audit committee oversight
– Investigative process
– Remediation
• Objective Setting
– Policy to reduce loss event incidences
– Incentivization
– Development of a database of known loss event activities
• Event Identification
– Map type of loss events to business process
– Specify how possible future loss events are to be minimized or contained
• Risk Assessment
– Systematic process
– Level within organization
– Likelihood and significance
– Via Risk Probability & Impact Analysis
• Risk Response
– Evaluate threshold to mitigate
– Discontinuation, realignment of process
– New policies & procedures
– Risk Response Options:
• Accept = Do nothing. Willing to take on risk
• Avoid = Back-out strategy. Disengage from process leading to risk
• Share = Shift some of risk to external parties (e.g., insurance, outsource, joint venture)
• Mitigate = Design processes to reduce risk exposures
• Control Activities
– Linking controls to identified risk activities
– Monitoring of parameters, KRIs, KPIs
– Comparison and evaluation of certain attributes and trends against previously measured patterns and known signs of risk events
– Outlier and exception analysis
• Information/Communication
– Information systems & technology
– Knowledge management
– Training/Inculcating Talent
• Monitoring
– Ongoing monitoring by management
– Separate “after the fact” evaluations by internal audit
– Etc.
53. KPI & EWS Examples
Benchmarking Governance:
• Benchmarking for Financial Subsidiaries
e.g. RAROC, EVA, CAR, etc.
• Benchmarking for Non-finance subsidiaries
e.g. Key Risk-based Performance Measures (KRPM), ROA,
ROE, Liquidity, etc.
KRPM can be evaluated quantitatively or qualitatively (using a
rating matrix)
Forward-Looking Strategic & Managerial Flexibility
• e.g., Real Options-based Scenario Modeling
54. Example of Key Risk-based Performance Measure (KRPM) Criteria
(can be applied to both finance* & non-finance subsidiaries)
• *Until aggregated Economic Capital (market, credit, operational) for banking institutions can be evaluated
• Other risk measures (Expected Loss, Economic Capital)?
- Liquidity
- Operational
- Reputational
- etc.
55. Balance Sheet Stress Test – Related Risk & Financial Analysis Example
Indicator                        Low Stress    High Stress
Liquidity
 - Current ratio                 2             1 or less
Solvency
 - Debt to Asset ratio           30%           60% or more
Profitability
 - Net Operating Income                        Negative
 - Rate of return on assets      5%            1% or less
 - Rate of return on equity      10%           5% or less
Repayment Capacity
 - Debt coverage ratio           135%          110% or less
Efficiency
 - Operating expense ratio       60%           80% or more
 - Interest expense ratio        10%           20% or more
 - Asset turnover ratio          40%           20% or less
56. Using risk indicators - escalation limits and targets for monitoring liquidity & reconciliation at one ATM/branch location
(Chart: “Escalation Limits and Targets”. Y-axis: idle cash balance, 0 to 250. X-axis: Date, bimonthly ticks over roughly four years. Series: Historical Idle cash balance. Horizontal reference lines: ATM Cash Float Escalation Limit, 1st warning, and Base Limit/Goal, plotted near the 200, 150 and 100 levels respectively.)
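The threshold ladder on this chart (goal, first warning, escalation limit) is the kind of thing that is cheap to automate once the indicator is fed from the reconciliation feed. The following is an added example, not code from the presentation or the bank: it classifies each period's reading against the three limits, escalates immediately on an escalation-limit breach, and escalates a warning-level reading only when it persists, so one noisy month does not page anyone. The balances, dates and the 100/150/200 limit values are constructed for illustration.

```python
"""Escalation-limit monitor for a key risk indicator (KRI).

Added example, not code from the original presentation. The idle-cash
balances, dates and the three limit levels below are constructed for
illustration; real limits come from the unit's risk appetite statement.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class KriLimits:
    """Threshold ladder for one indicator, lowest to highest."""
    base: float        # Base Limit / Goal: the level the unit is expected to hold
    warning: float     # 1st warning: breach raises a soft alert
    escalation: float  # Escalation Limit: breach escalates immediately

    def __post_init__(self) -> None:
        if not (self.base < self.warning < self.escalation):
            raise ValueError("limits must be ordered base < warning < escalation")


@dataclass(frozen=True)
class KriReading:
    date: str
    value: float
    level: str        # "ok", "above_goal", "warning" or "escalation"
    consecutive: int  # consecutive periods at warning level or worse


def classify(value: float, limits: KriLimits) -> str:
    """Map a single observation onto the threshold ladder."""
    if value >= limits.escalation:
        return "escalation"
    if value >= limits.warning:
        return "warning"
    if value > limits.base:
        return "above_goal"
    return "ok"


def monitor(series: Sequence[Tuple[str, float]], limits: KriLimits,
            persistence: int = 2) -> Tuple[List[KriReading], List[Tuple[str, str]]]:
    """Classify each period and decide which ones need escalation.

    An escalation-limit breach escalates on its own. A warning-level
    reading escalates only once it has persisted for `persistence`
    consecutive periods. Returns the per-period readings and the
    (date, reason) escalations in date order.
    """
    readings: List[KriReading] = []
    escalations: List[Tuple[str, str]] = []
    streak = 0
    for date, value in series:
        level = classify(value, limits)
        streak = streak + 1 if level in ("warning", "escalation") else 0
        readings.append(KriReading(date, value, level, streak))
        if level == "escalation":
            escalations.append(
                (date, f"escalation limit {limits.escalation:g} breached (value {value:g})"))
        elif level == "warning" and streak == persistence:
            escalations.append(
                (date, f"warning limit {limits.warning:g} exceeded for {persistence} consecutive periods"))
    return readings, escalations


# Constructed sample: bimonthly idle-cash balances at one ATM location
# (thousands), with hypothetical limits at 100 / 150 / 200.
SAMPLE_LIMITS = KriLimits(base=100, warning=150, escalation=200)
SAMPLE_SERIES = [
    ("Jan", 90), ("Mar", 120), ("May", 155), ("Jul", 160),
    ("Sep", 140), ("Nov", 210), ("Jan+1", 95),
]

if __name__ == "__main__":
    readings, escalations = monitor(SAMPLE_SERIES, SAMPLE_LIMITS)
    for r in readings:
        print(f"{r.date:>6} {r.value:6.0f} {r.level:<11} streak={r.consecutive}")
    for date, reason in escalations:
        print("ESCALATE", date, reason)
```

On the sample series the July reading is the second consecutive month above the first-warning line and is escalated; the November reading crosses the escalation limit and is escalated on its own. The persistence rule is a design choice: the page's chart shows a single spike touching the warning line, and whether one such spike should wake the treasury desk is a risk-appetite decision, not a coding one.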
59. Forward-Looking Scenario Modeling
e.g. Capital-at-Risk/Economic Capital
• Time-horizon usually 1 year
• Confidence level consistent with rating target
– Usually 99.95% or higher
• Whole balance sheet
(Chart: probability of outcome vs. value over the 1-year horizon, starting from Current Value at time 0. The distribution at 1 year is marked with the Expected Value and a Worst Case Level consistent with an AA-rating; CaR is the distance between the two. In stressed environments, typically greater loss in value, hence leading to credit downgrade.)
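The chart reads CaR as the gap between the expected value at the horizon and the worst-case value at the chosen confidence level. The block below is an added example, not the presentation's or the bank's model: it computes that gap both in closed form under a normal assumption for the one-year change in value and by Monte Carlo (which is what you would fall back on for a real balance sheet with fat tails and correlated risk types), and then reruns it with volatility scaled up to show how a stressed environment widens CaR. The 1000 / 5% / 10% inputs and the doubling of volatility are illustrative assumptions.

```python
"""Capital-at-Risk (CaR) over a one-year horizon.

Added example, not from the original presentation. It assumes the
one-year change in value is normally distributed with the given expected
return and volatility; the numbers are illustrative, not a calibrated
model. CaR is read the way the chart reads it: the distance between the
expected value and the worst-case value at the chosen confidence level.
"""
import random
from dataclasses import dataclass
from statistics import NormalDist, fmean


@dataclass(frozen=True)
class CapitalAtRisk:
    confidence: float
    expected_value: float
    worst_case_value: float

    @property
    def car(self) -> float:
        """Capital needed to absorb the move from expected to worst case."""
        return self.expected_value - self.worst_case_value


def car_analytic(current_value: float, expected_return: float,
                 volatility: float, confidence: float) -> CapitalAtRisk:
    """Closed form: the worst case is the (1 - confidence) quantile of a normal."""
    if not 0.5 < confidence < 1.0:
        raise ValueError("confidence must lie in (0.5, 1)")
    dist = NormalDist(mu=current_value * (1.0 + expected_return),
                      sigma=current_value * volatility)
    worst = dist.inv_cdf(1.0 - confidence)
    return CapitalAtRisk(confidence, dist.mean, worst)


def car_simulated(current_value: float, expected_return: float,
                  volatility: float, confidence: float,
                  n_paths: int = 200_000, seed: int = 7) -> CapitalAtRisk:
    """Monte Carlo version of the same quantity.

    Draws one-year outcomes, sorts them, and takes the empirical
    (1 - confidence) quantile as the worst case. At 99.95% only
    0.05% of paths sit in the tail, so n_paths must be large enough to
    put at least a few dozen paths there.
    """
    rng = random.Random(seed)
    outcomes = sorted(
        current_value * (1.0 + expected_return + volatility * rng.gauss(0.0, 1.0))
        for _ in range(n_paths)
    )
    tail_index = min(n_paths - 1, int((1.0 - confidence) * n_paths))
    return CapitalAtRisk(confidence, fmean(outcomes), outcomes[tail_index])


def stressed_car(current_value: float, expected_return: float, volatility: float,
                 confidence: float, vol_multiplier: float = 2.0) -> CapitalAtRisk:
    """Stress scenario: same balance sheet, volatility scaled up; CaR grows with it."""
    return car_analytic(current_value, expected_return,
                        volatility * vol_multiplier, confidence)


if __name__ == "__main__":
    base = car_analytic(1000.0, 0.05, 0.10, 0.9995)
    sim = car_simulated(1000.0, 0.05, 0.10, 0.9995)
    stress = stressed_car(1000.0, 0.05, 0.10, 0.9995)
    for label, r in (("analytic", base), ("simulated", sim), ("stressed", stress)):
        print(f"{label:>9}: expected={r.expected_value:8.2f} "
              f"worst={r.worst_case_value:8.2f} CaR={r.car:7.2f}")
```

Two things worth noticing when you run it. First, moving the confidence level from 99% to 99.95% raises CaR by roughly 40% under the normal assumption, which is why the slide ties the confidence level to the rating target rather than picking a round number. Second, the simulated tail quantile at 99.95% rests on about a hundred paths out of 200,000, so it moves by a few units between seeds; the closed form is there precisely to show how much of a difference the sampling noise makes.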
60. 6. How to Achieve Balance on
Cost of Compliance
• Back to how risk is perceived with regards to threat, uncertainty and
opportunity
• Compliance/Regulatory risk represents an uncertainty that can be
managed via:
• connectivity and integration of ERM’s main risk management
components,
• the coverage of the risk management process and the contexts
under which it is considered
• The critical incorporation of corporate governance into the risk
universe, including the audit and compliance assurance to be
provided, and the critical success factors of the appropriate risk-and-
return balance in providing superior client service and innovative
products and solutions are encapsulated in the EWRM framework
• Benchmarking to Key Risk-based Performance Measures &
Forward-looking Scenario Analysis
61. Post-Implementation: ERM Cycle
(Diagram: supervisory cycle of three connected stages, fed by the financial institution's profile)
• Develop Supervision that includes: Frequency of Audit; Scope of Audit; Meetings with BL, Risk Management; Follow-Up on Recommendations; Financial Analysis
• Ongoing RM Evaluation / Internal Supervision
• Risk-Focused Examination: Identify Functional Activities; Identify/Assess Inherent Risk; Identify & Evaluate Controls; Determine Residual Risk; Establish Procedures and Conduct Evaluation; Eval Report/Mgmt Letter
• Monitoring
FI PROFILE
• Priority System, based on ratios and analysis to measure: Capital Adequacy; Asset Quality; Reinsurance; Reserves; Management; Earnings; Liquidity; Sensitivity to Market
• Financial Analysis includes: Risk Assessment Results; Financial Analysis Handbook Process; Ratio Analysis (IRIS, FAST, Internal Ratios); Actuarial Analysis
• Internal/External Changes, considering changes to: Agency Ratings; Ownership/Management/Corporate Structure; Business Strategy/Plan; CPA Report or Auditor; Legal or Regulatory Status
62. ERM Value Creation Framework
Maximize value by using economic capital to relate a firm’s decisions on the risks it takes to the decisions on the capital it uses to finance its business.
(Diagram: Value, driven by Return on Risk and Capital Costs, sits above Value Management. Below it, Capital Adequacy links the Portfolio of Enterprise Risks to the Portfolio of Capital Resources, both under Risk and Capital Management. Risk Capital / Economic Capital answers “How much capital do I need?”; Capital Structure Costs answers “What type of capital do I need?”.)
63. 7. Concluding Remarks
EWRM Defined
While the final outcome is a working ERM system, ERM by itself is
always a work in progress.
In a dynamic and changing business environment, ERM should be
viewed as an evolutionary development and provide for an
incremental delivery of products, services and tools that can help
an organization manage its risks going forward.
It has to take into account the demands and needs of diverse
regulatory drivers like Basel 2, IAS and SOX and yet, be able to
aggregate and present the risk-based information in a uniform and
simple language, understood by all and to be acted upon for the
benefit of the organization.
64. Implications of a Good EWRM
Implementation
• Enhancing Business Continuity/Endurance
• Enhancing Shareholder Value
• Enhancing Profit & Performance
• Ensuring Enforcement for Regulatory Compliance
• Exploiting Opportunities via Managerial Flexibility
with Strategic Planning
65. Liquidity & Enterprise Risk Management Organization
(Diagram repeated from slide 4.)
66. Thank You
GS Khoo, PhD
Head, Global Risk (Models Validation)
Standard Chartered Bank
Office: +65 6427 5283
S’pore cell: +65 9825 2148
Email: Khoo.Guan-Seng@standardchartered.com
Or wtehistory@yahoo.com