Enterprise Risk Management in Financial Institutions- Revelations of the Recent Credit Crisis and Financial Turmoil

[Type text] [Type text] [Type text]
   
 
Enterprise Risk Management
in Financial Institutions
Revelations of the Recent Credit Crisis and Financial Turmoil
“ A smart man always learns from his mistakes,
A wise man learns from mistakes of others,
A foolish man never learns “ K.Hayes
 
A n d r e a s Z a r i f i s

Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
2 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Enterprise Risk Management
In Financial Institutions
Revelations of the Recent Credit Crisis and Financial Turmoil
Submitted By:
Andreas Zarifis
July 2008
Supervisor
DrSotirisStaikouras
ThisdissertationissubmittedaspartoftherequirementsfortheawardofMSc
InsuranceandRiskManagement

MSc PROGRAMMES
MSc in:____________________________
08Fall 
CRITERIA COMMENTS (Supervisor only)
Literature Review
Examination and analysis of
information/data
Understanding and coverage of topic
Originality and difficulty
Overall structure of the work
Conclusions
Literacy, style and presentation
GENERAL COMMENTS (Second Internal Assessor)
GENERAL COMMENTS (External Examiner)
70% + 60-69% 50-59% 49% or less Signature
Supervisor (name)
2nd Internal Supervisor (name)
External Examiner
Student(s) Name(s):_________________________________Date:____
Title of Project: ______________________________________________________
FINAL AGREED MARK
Please enter percentage mark in appropriate Box
(Title of Degree)

Abstract
This  study  investigates  the  application  of  Enterprise  Risk  Management1  within 
Financial Institutions with focus on the recent credit crisis and financial turmoil. 
For the past years, both academics and practitioners have praised Enterprisewide 
risk management policies and procedures in Financial Institutions exhibiting how 
Enterprise Risk Management implemented as a strategic tool and as part of the 
decision making process, may reap out various benefits. It may allow value creation 
over the long term and mitigate unforeseen scenarios that prevent a corporation 
from reaching its objectives. Even so, implementation is paradoxical, from a long
term profithouse centre, to a shortterm marketing compliance tool.   
 
The  recent  financial  turbulence  tested  the  risk  management  systems  of  FI2s  and 
exposed  weaknesses  of  institutions  risk  management  practices,  bringing  to 
question the viability of ERM. In contrast several firms weathered the storm quite 
comfortably without severe deficiencies. The differentiating factor is found to lie on 
how ERM was applied and executed across the organization, with specific areas of 
concern and lessons to be learned. 
 
 An outperformance by firms successfully applying ERM throughout the period is 
documented.  These  firms  have  overcome  the  recent  turmoil  without  significant 
losses while other organizations financial performance has deteriorated to various 
levels, even bankruptcy. Furthermore it is found that in those firms that avoided 
significant  losses  senior  management  played  an  active  role  and  closely 
communicated with risk departments at all times. Flexible risk models were utilized 
incorporating new market conditions and decisions involving new products where 
challenged  by  various  views  and  perspectives.  Lastly,  based  on  results  attained, 
recommendations will be made on ways to progress in terms of implementing ERM 
in search for a foolproof risk management system in financial institutions. 
1 In the context of this report is synonymous to “holistic risk management”, “strategic risk management” and 
“strategic risk management” in terms of assessing risk and risk management via a comprehensive view 
and as pronounced by the (CAS) Casualty Actuarial Society 
2
In the context of this report will refer to Financial Institutions (Banks, Insurance companies, Asset 
management firms, hedge funds)
M S c I n s u r a n c e a n d R i s k M a n a g e m e n t

Acknowledgements
First and foremost, I would like to express my gratitude to my supervisor, Dr Sotiris
Staikouras. He has been a true mentor; providing me with invaluable guidance, help
and support throughout the course of this MSc. His professionalism and enthusiasm
have proven inspirational for researching and writing up this paper. Furthermore I’d
like to thank my course leader, Dr Christopher Parsons, his wisdom and manner of
conveying information have been encouraging throughout the year. I would also like to
thank my friends for their encouragement and patience. I am grateful to my father for
his support and understanding and as well as for the sacrifices he has made, giving me
the opportunity to do this MSc. Last but not least, I would like to dedicate this piece of
work to my mother who despite not physically being present throughout the majority of
my life has always been my key motivator in search for knowledge, self-fulfillment and
happiness.

Table of Contents 
Contents.................................................................................................................................................6 
List of Figures .......................................................................................................................................7 
List of Tables .........................................................................................................................................8 
Data and Methodology......................................................................................................................9 
Chapter 1 Introduction  ............................................................................................................ .11 
    1.2 Purpose of the Study........................................................................................................... 15 
    1.2 Main Findings......................................................................................................................... 15 
    1.3 Limitations .............................................................................................................................. 16 
Chapter 2 Risk Management in Financial Institutions  ........................................... 18 
    2.3 Upsurge of Regulatory Scrutiny and Capital Requirements.............................. 18 
    2.3 Risk Management in Silos................................................................................................. 21 
Chapter 3 Literature Review .................................................................................................. 23 
    3.1 ERM Development and Foundations ........................................................................... 23 
    3.2 Defining and Implementing the Framework............................................................ 24 
    3.3 ERM in Practice and Industry Observations............................................................. 29 
Chapter 4 Findings from the Credit Crisis ...................................................................... 33 
    4.1 Drivers and Implications from the Financial Turmoil.......................................... 33 
    4.2 Case Studies............................................................................................................................ 35 
    4.3 Fundamental Weaknesses in ERM Implementation ............................................. 37 
    4.3 Questioning the Viability of ERM................................................................................... 49 
Chapter 4 Conclusions ............................................................................................................... 41 
References ........................................................................................................................................ 54

List of Figures  
 
    Figure 1: The Prospect Theory............................................................................................... 11 
    Figure 2: Main Categories of Risks Facing Financial Institutions........................... 12 
    Figure 3: Goal of Risk Management in a Strategic Perspective................................ 13 
    Figure 4: Total Eligible Capital as Provided by Basel II............................................... 19 
    Figure 5: Economic Capital for Credit Risk....................................................................... 20 
    Figure 6: Risk Management in Silos..................................................................................... 21 
    Figure 7: COSO ERM Framework.......................................................................................... 25 
    Figure 8: The Risk Management Process .......................................................................... 26 
    Figure 9: ERM Impacts Four Board Functions................................................................ 28 
    Figure 10: Phases of The Crisis.............................................................................................. 33 
    Figure 11: Lawsuits related to the Credit Crisis so Far............................................... 42

List of Tables 
 
    Table 1: Most significant losses so far ................................................................................ 35 
    Table 2: S&P Defining ERM in respect to Credit Rating Requirements................ 43

Data and Methodology 
 
The research report was primarily based on desk research.  The majority of the 
material  was  gathered  from  books,  journals  and  the  Internet.  The  topic  in 
research  has  been  in  discussion  for  more  than  a  decade  but  is  still  at  its 
embryonic  stages  of  development  in  practice.    As  such  there  are  various 
limitations in terms of collecting adequate primary data. Despite this, the topic 
has  attracted  abundant  literature  from  academics  and  research  by  various 
practitioners  as  (GARP)  Global  Association  of  Risk  Professionals;  (RMA)  Risk 
Management  Association,  (PRMIA)  Professional  Risks  Managers  Association, 
(CAS)  Casualty  Actuarial  Society,  (ERMII)  Enterprise  Risk  Management 
International  Institute,  (IRM)  Institute  of  Risk  Management,  all  of  which 
investigate  the  benefits  of  ERM.    At  the  same  time  regulators  have  been 
promoting such frameworks in search of investor protection and in association 
with  specialist  practitioners  have  published  various  guidance’s  relevant  to 
effective  incorporation.  (Basel  II,  2003);(COSO,  2004);  (Solvency  II  proposal, 
2007); (Combined Code, 2003);(Sarbanes Oxley Act, 2002). 
 
In consideration of the current practices of ERM a secondary type investigation 
was applied analysing the implementation of ERM throughout the recent turmoil 
and  the  weaknesses  that  have  been  discovered  in  Financial  Institutions’  Risk 
Management processes. The primary basis of this was derived through surveys, 
reports  and  speeches  published  post‐onset  of  the  turmoil  from  various 
practitioners;  as  Deloitte,  (PWC)  PriceWaterhouseCoopers,  KPMG,    (AIRMIC) 
Association of Insurance and Risk Managers, ERM symposium, (IOA) Institute of 
Actuaries,  research  companies  within  the  field;  Edhec,  Navigant  Consulting, 
(CEPR) Centre of Economic Policy research, Chartis as well as Central Banks and 
regulators; Federal Reserve, Bank of England, (IMF) International Monetary fund 
and (SEC) the Senior Supervisors Group . These provided invaluable information 
in relation to the research findings of this report.

This  report  should  be  seen  as  an  effort  to  tackle  the  loopholes  that  deprive 
banks, insurers and other financial institutions from adequately and effectively 
applying ERM. This is provided by the market players that managed to weather 
the storm and without severe consequences due to efficacious implementation of 
the  framework.  Most  Financial  Institutions,  especially  banks  have  already 
adopted  such  firm‐wide  risk  management  but  there  is  no  empirical  evidence 
backing the supremacy of such an approach to the traditional risk management 
in silos. Regardless of, the research stipulates those qualitative factors that incite 
Financial  Institutions  to  adopt  such  an  approach  and  riposte  to  why  ERM  is 
superior to the traditional departmental risk management approach. Based on 
the success factors implied by the financial turmoil there will be integration with 
literature  findings  ensuing  the  way  to  adequate  risk  management  systems  in 
financial institutions.

Chapter 1: Introduction 
 
Pertinent to finance, risk management emerged in 1959 and referred to portfolio 
theory  (Markowitz,  1952),  it  was  initially  utilised  in  managing  the  insurance 
portfolios of organisations. The risk management process can be traced back to 
1974  when  Gustav  Hamilton  pioneered  in  illustrating  the  interaction  and 
integration of all elements of the risk management process in “risk management 
circle”.  Five  years  on  ‘prospect  theory’  (Daniel  Kahneman  and  Amos  Tversky, 
1979) demonstrated the perverse irrationality of human nature when faced with 
risk, with fear of losing often‐outshining gain expectations, as exhibited in 
Figure 1.  
Figure 1         The Prospect Theory 
 
 
(Padula et al, 2005) 
 
Risk may be divided into 2 categories (Schroek, 2002): 
 
Specific: These are risks specific to the firm or the industry it operates and that 
may be diversified through a balanced portfolio of stocks. 
 
Systemic: Such risks affect the market fundamentally, cannot be diversified and 
express the degree of covariance of the deviations with the changes in the broad 
market  environment.  This  risk  may  be  rewarded  in  the  expected  returns  as 
derived by the CAPM.3 
3 Capital Asset Pricing model

 
Figure 2 illustrates the main categories of risk faced by Financial Institutions4. 
 
 
 
 
An actual example and more absolute proposal of a Financial Institution’s risk is 
illustrated in Figure 3 
 
4 These categories can be further broken down into a large number of further risk categories. See Saunders 
(2008). 
5 External fraud (e.g. 3rd party theft of information), physical damage (e.g. earthquake, fire) 
6 It should be noted that there is no agreed universal definition.
Figure 2              Main Categories of Risks Facing Financial Institutions 
 
  Operational Risk 
The risk of loss arising from inadequate or 
unsuccessful  internal  controls,  people  and 
systems  or  from  external  hazardous5 
events6(BIS, 2004). 
 
Credit Risk 
The risk that 
arises when a 
counterparty of a 
loan reschedules 
or fails to make a 
payment or its 
credit grade is 
migraded 
(e.g.downgrading 
of credit rating) 
leading to 
economic los s of 
the FI. 
(Ong, 1999)   
Market Risk 
The risk arising 
from assets and 
liabilities of an 
FI due to 
changes to 
market factors 
as interest 
rates, currency  
values and/or 
commodiy or 
equity prices 
(Saunders,  
2008) 
  Business Risk 
The risk that arises  (other than credit  or 
market  risk)  driven  by  Fundamental 
changes  within  the  FIs  environment  that 
may  impact  its  future  revenues(e.g.  price 
wars,  threat  of  entry)  (Lam  and 
Cameron,1999) 
 
(ERisk.com, 2004)

 
 
 
 
 
 
As  the  Economic  landscape  evolved7  FI’s  interest  in  risk  management  grew 
considerably. Reacting to such increasing volatilities led to the introduction of 
innovative  products  as  forwards,  swaps,  options  and  futures.  Furthermore  as 
financial institutions sought to incorporate risk management into their day‐to‐
day activities bankers advocated on new measures as Value at Risk, (J. P Morgan8 
1994)  this  was  mainly  utilised  to  strengthen  internal  controls  within  their 
lending and trading activities. At present day financial institutions conduct risk 
management extensively and consider it as a vital corporate objective and core 
competence (Raposo, 1999). This is characteristic of financial institutions as they 
continuously endeavour in enhancing the efficiency of their processes as well as 
the wealth of their stakeholders, thereby developing technological and financial 
innovations.  Peters  goes  further  arguing  that  innovation  is  a  prerequisite  of 
7 A) Increases in volatility from interest rates, exchange rates and commodity prices; B) Regulatory changes 
and modern requirements; C) technological advances: D) Globalisation. 
8 RiskMetrics. 
Figure 3               Goal of Risk Management in a Strategic Perspective 
 
 
(TD Bank Financial Report, 2004)

survival9  in  the  financial  sector  (1997).  New  products  develop  and  markets 
integrate  aiming  to  deliver  corporate  objectives  bringing  along  a  number  of 
complexities and risks previously unheard of. One of the first academics to note 
this was Ulrich Beck (1992), Director at the University of Munich who argues, the 
dynamic  aspect  of  risk  is  linked  to  the  increasing  organisational  and 
technological  complexity  within  modern  societies.  Furthermore,  Shimko  and 
Humphreys (1998) point out that banks with superior risk‐management skills 
and systems surpass their competitors because in the long run a company’s stock 
will outperform as losses are avoided.  
 
This report provides a novel literature examining Enterprise Risk Management 
Drivers  and  the  stage  the  Financial  Sector  has  reached  in  effectively 
implementing  such  framework.  Surveys  convey  industry  participants’ 
confirmation  of  the  dominance  of  ERM  in  their  organizations;  findings  from 
actual  market  practice  are  discovered  in  search  for  such  confirmation, 
emphasizing how well these frameworks were established and operated pre and 
post financial crisis. 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
9  Axel Lehmann, CRO at Zurich Financial Services (2008) argues “Financial innovation has been a key factor 
in economic growth over the last 10 to 20 years. So if we want to have continued economic growth on a 
worldwide basis, that absolutely depends on innovation in the financial sector, including insurance.”

1.1 Purpose of the Study 
 
This study has a binary purpose 
 
1. To  determine  the  main  motivations  behind  ERM  development  and  the 
level of understanding exhibited by market participants corresponding to 
the  framework.  Academia  literature  and  industry  reports  prior  to  the 
turmoil were used for this purpose. 
2. To  investigate  how  financial  institutions  applied  risk  management 
practices throughout  the financial distress and how effective  enterprise 
risk  management  contributed  to  several  organisations’  safeguarding  in 
light of stressful conditions. 
 
1.2 Findings 
 
Enterprise  Risk  Management  implementation  was  the  key  factor  affecting  the 
effectiveness of risk management practices throughout the turmoil. This proved 
to be the differential between Financial Institutions avoiding significant losses 
throughout  the  subprime  crisis  and  those  that  sustained  considerable  losses. 
Specifically,  those  firms  that  championed  ERM  throughout  the  turmoil 
successfully implemented a number of critical success factors: 
 
1. Senior management implemented vigorous oversight of risk. 
2. A  wide  array  risks  measures  were  used  that  were  flexible  in  terms  of 
refining underlying assumptions. 
3. Data  fed  in  stress  testing  and  Value  at  Risk  models  were  constantly 
updated and challenged. 
4. Effective Communication amongst senior management, risk management 
functions and business lines was emphasised, breaking down hierarchical 
structures and silos. 
5. Due  diligence  and  judgement  pioneered  when  assessing  valuations, 
without  excessive  reliance  on  external  rating  agencies,  constantly 
developing models to value complex or less liquid securities. 
6. Robust  controls  on  balance  sheet  growth,  including  incentives  for

business lines adhering to limits and extensive monitoring of off‐balance 
sheet entities. 
 
 
1.3 Limitations of the Study 
 
1. A primary research on the topic would have derived more complete and 
explicit results. Due to the undeveloped nature of the topic in practice and 
the  lack  of  appropriate  transparency  in  risk  management  disclosures 
secondary research could provide utmost unprejudiced results. 
2. Despite deriving results from a wide array of sources and organisations 
these may be biased to a degree, reason being, firms analysed within this 
report  may  have  shareholdings  in  research  companies  that  have 
conducted  surveys  throughout  the  turmoil.  Thus  there  may  be  a 
distortion  related  to  publicised  findings.  In  an  attempt  to  mitigate  this 
manipulation,  regulatory  and  central  bank  reports  have  been  used  to 
confirm findings.  
3. The  Financial  turmoil  is  still  proceeding  and  affecting  firms  in  various 
ways, thus by the end of the crisis a number of new findings may come to 
the surface without being mentioned in the following context. 
4. Financial  Institutions  analysed  within  this  study  have  a  capital  base  of  
$5bn at the minimum.

This  report  should  be  seen  as  an  effort  to  tackle  the  loopholes  that  deprive 
banks, insurers and other financial institutions from adequately and effectively 
applying ERM. This is provided by the market players that managed to weather 
the storm and without severe consequences due to efficacious implementation of 
the  framework.  Most  Financial  Institutions,  especially  banks  have  already 
adopted  such  firm‐wide  risk  management  but  there  is  no  empirical  evidence 
backing the supremacy of such an approach to the traditional risk management 
in silos. Regardless of, the research stipulates those qualitative factors that incite 
Financial  Institutions  to  adopt  such  an  approach  and  riposte  to  why  ERM  is 
superior to the traditional departmental risk management approach. Based on 
the  critical  success  factors  implied  by  the  financial  turmoil  there  will  be 
integration  with  literature  findings  ensuing  the  way  for  the  application  of 
adequate risk management systems in financial institutions.

Chapter 2: Risk Management in Financial Institutions 
 
 
2.1 Upsurge in Regulatory Scrutiny and Capital Requirements  
 
Towards  the  late  1990’s,  Risk  Management  caught  the  attention  of  the  Anglo‐
Saxon  Corporate  Governance  policy  makers  who  endeavoured  in  finding  a 
solution  to  the  lack  of  basic  management  integrity/competence  and  weak 
internal  risk  controls.  This  was  brought  by  a  number  of  internal  control 
inadequacies (B. Barings bank, 199210), accounting scandals (Enron, 200211) and 
irresponsible  senior  management  actions  (Equitable  Life  Assurance  Society12).  
The  rise  of  high  company  profile  failures  and  scandals  had  led  to  corporate 
governance and regulatory scrutiny widening its scope, to deal with risks that 
companies face.  Corporations are now required to increase the transparency of 
their  disclosures  and  internal  control  systems  which  they  have  embedded  to 
retain, finance or transfer risk. This can be through a rule base system issued 
through  legislation  as  the  US  Sarbanes  Oxley  Act  2002  or  a  principal  based 
system as the Combined Code 2003 in the UK.   
 
European  institutions  are  directed  to  comply  with  guidance  concerning  their 
capital  requirements  and  valuations.    Solvency  II,  a  principle‐based  guidance 
aimed  at  improving  risk  management  across  a  Single  European  Insurance 
market.  It  directs  insurers  to  identify  and  report  risk  correlations  and 
interdependencies that suggest the use of Enterprise Risk management models.  
10
Nick Leeson a 27-year-old futures trader at the Singapore offices of the bank who managed to los over $1billion
of the bank’s money. He concealed his losses as a result of allowing him to get involved in settling his accounts
that he exploited by creating an error trading account. He sustained this until he left the bank in 1995. This resulted
in the bank’s bankruptcy and was subsequently sold to the ING group (Gapper et al, 1995).
11
Despite not related to financial institutions it is worth mentioning due to the impact it made on corporate
governance regulations. The Enron scandal led to 5000 job losses and $1bn in employee in retirement fund losses.
This was disguised in Special Purpose Vehicles as no reporting requiremenst are required that were used to book
loans as trading revenues (Batson, 2008). They executive management not only fooled investors but also analysts
who continued recommending it as a “strong buy” when it was making consecutive losses (Bloomberg, 2008)
12
The oldest mutual life insurer (246 years of age) promising its policyholders more money (in the form of
guaranteed annuities) than it actually had for almost more than a decade, (this gap reach $4.4bn by 2001) due to
faulty Asset and Liability Management and using dubious actuarial techniques to obscure this. Equitable
distributed maximum payouts in the good years (characterized by low interest rates) and inadequately reserved for
rainy days (BBC News, 2004). This resulted in more than a million’s retirement funds being slashed. Seven years
on, investors are seeking $4.5 from ministers in the UK as the investigation discovered “Serious regulatory failure”
when overseeing their operations. (Guardian, 2008).

Furthermore Basel II identifies the long‐term uncertainties that exist respective 
to financial institutions operations. Within this setting, the Basel accords were 
formulated  to  develop  and  the  risk  management  functions  of  Financial 
Institutions;  “From  a  commercial  bank  wholesale  perspective,  from  allocating 
capital  based  on  generic  categories  (Banks,  Corporate,  Sovereigns)  to  specific 
borrowers  or  institutional  debt  (Citi  Microfinance  &  Clifford  Chance  LLP  April 
2008).”It  provides  international  directives  regarding  minimum  capital 
requirements  that  ought  to  be  held  against  risks.  The  following  three  tiers 
(Figure  4)  provide  eligible  provisions  on  Regulatory  capital,  as  defined  by  the 
Basel Accord.  
Figure 4             Eligible Provisions of Regulatory Capital as Provided by Basel II 
Tier 1: (Core Capital) includes   capital and disclosed reserves (e.g. Qualified stock, surplus, 
retained earnings) 
Tier 2: (Supplementary –Secondary Capital) includes undisclosed reserves, subordinated 
debt, perpetual debt and other debt and equity instruments 
Tier 3: (Tertiary Capital) – Includes a wide array of debt and equity products in place to 
cover part of a FIs market risks that have not been externally verified.13 
 
(BIS, 2004) 
Furthermore  Basel  II  recapitulates  on  the  use  of  Economic  Capital,  this  is  the 
amount  of  risk  capital  from  a  bank’s  perspective  that  would  be  required  to 
13 Investopedia.com provides easy to read comprehendible guidelines of these.

remain solvent at a given confidence level and time horizon. The framework is 
incorporated  by  Value  at  Risk  models,  deriving  measures  for  market  (VaR), 
credit (cVaR) and other risks. An example of a VaR calculation of (EC) Economic 
capital for credit risk is depicted in Figure 5. 
 
Figure 5                     Economic Capital for Credit Risk 
The  illustration  provides  the  organisation  with  expected  and  unexpected  losses 
produced  by  a  VaR  calculation.  The  former  encapsulates  losses  arising  from  daily 
operations while the latter  (tail past 3% in this case) represents standard deviations 
from the expected losses. This example illustrates a confidence interval of 99.95%. This 
corresponds to a “AA” rating. Depending on the firms risk appetite and target credit 
rating, economic capital can be calculated likewise. 
 
(Investopedia.com, 2008) 
 
Lastly  Basel  II  defines  operational  risk14,  integrates  it  with  credit  risk  and 
provides three mechanisms by which operational risk of increased complexity 
may be computed. Thus credit rating agencies and lenders may be adequately 
informed.  It  aligns  regulatory  requirements  on  capital  closer  to  risk  but  also 
introduces a more sophisticated approach to risk management. This aspires in 
developing a risk culture amongst lenders, whereby the corporation understands 
and remains focused on risk as a core element of the desired strategy.  
 
14  This  definition  includes  legal  risk,  but  excludes  strategic  and  reputational  risk.  (BIS,  2004)  and  is 
portrayed in figure 2

2.3 Risk Management in Silos 
Gaining wide acceptance for the past years and influencing the reforms proposed 
by  Basel  II  is  management  of  risks  via  silos,  a  method  emphasising  the 
quantification of risks, making use of the latest risk measurement advances in 
the  field  (Garside  et  al,  1999).  This  method  (Figure  6)  sets  limits  across  risk 
types and monitors and reports developments in the risk silos (Marrison, 2002).  
 
Figure 6                                  Risk Management in Silos 
The Case of an Insurer 
 
(KPMG, 2007) 
 
There  are  weaknesses  attached  to  this  approach,  for  example  performance 
indicators for one business line may be driven by premium growth without the 
consideration on how this may affect the overall risk and capital needs in the 
long term.  Likewise a firm’s division may underwrite an amount of business to 
increase its market share without evaluating, understanding or communicating

the risk to the overall enterprise. A firm may alter its risk profile and appetite 
without  full  consideration  of  the  implications  from  various  hazards  (e.g. 
policyholder  behaviour,  variations  in  location);  Despite  aiming  to  reduce  the 
overall  risk  profile  it  may  actually  result  in  increasing  the  risk  for  the 
corporation, overall (KPMG, 2007). A reference to an idiom by Alfred Einstein is 
appropriate15 at this stage: 
 
"Not everything that counts can be measured. Not everything that can be measured 
counts." 
 
 
 
 
 
 
 
 
 
 
 
 
 
15  This suitable is suitable for risk management in silos as the emphasis of the approach is on rendering as 
many possible risks susceptible to quantification (Mikes, 2008)

Chapter 3: Literature Review  
3.1 Enterprise Risk Management Development and Foundations 
Risk  managers  are  required  to  broaden  their  scope  of  responsibilities  and 
develop complex processes in relation to the past. Due to the complexity of the 
task  associated  with  the  risk  management  process  across  the  enterprise, 
specialist  expertise  is  required.  Thus  a  new  management  role  has  recently 
emerged, that of the Chief Risk Officer. This has been growing in use and scope of 
responsibilities and is usually a senior executive taking an integral coordinating 
role  within  the  strategic  planning  process.  Since  the  Chief  Financial  Officer  is 
responsible  for  the  overall  financial  policy  of  an  organisation,  the  CRO  is 
required to maintain close links with him.  
 
Companies  have  started  considering  the  importance  of  such  roles  and  the 
implementation of a firm‐wide risk management approach to the risks they face.   
Joint decisions are be made concerning hedging and insurance and finding the 
right balance between ‘retaining’ and transferring risks, indicating the degree of 
correlation  between  risks.    Corporations  strive  to  satisfy  key  stakeholders  in 
reaching their objectives, indicating interdependencies and minimising systemic 
effects. A services study conducted by Deloitte on firms that sustained significant 
drop in shareholder value found discovered that 80% of companies affected had 
experienced numerous, interdependent risk events (KPMG, 2007) This implies, 
that  firms  able  to  manage  risk  cohesively  will  result  in  superior  an  stable 
performance. 
Many  dominant  firms  are  abandoning  their  traditional  risk  silo  approach 
adopting  firm‐wide  enterprise  risk  approach  (Lienenberg  et  al,  2003), 
transforming their risk management to Enterprise risk management as it enables 
firms  to  manage  risks  in  an  integrated  fashion.  Academics  and  practitioners 
argue  that  ERM  may  benefit  corporations  via  decreasing  stock‐price  and

earnings volatility, increasing capital efficiency, reducing external capital costs16 
and  creating  synergies  between  the  risk  management  activities  (Lam  2001; 
Beasly  et  al  2006).    They  argue  that  generally  it  increases  risk  awareness 
enhancing  both  operational  and  strategic  decision‐making.    Despite  the 
increased awareness and amplitude of survey results regarding the popularity 
and  attributes  of  ERM  frameworks        (Hoyt  et  al,  2003;  Beasley  et  al,  2005) 
empirical  evidence  exhibiting  the  impact  of  such  program  is  unavailable 
(Schroeck, 2002) or scarce (Hoyt, 2008).
 
3.2 Defining and Implementing the Framework 
 
In September 2004 the COSO released its second and long awaited updated ERM‐
integrated  framework.  This  model  describes  key  components  and  risk 
management  principles  for  organisations  of  any  size.  Compared  to  the 
fragmented silo structured risk assessment, Enterprise Risk Management takes a 
broad portfolio approach to risk and focuses on those effects that not only hedge 
or  mitigate  risk  but  also  enhances  shareholder  value  (Moelbroek,  2002).  The 
new  framework  is  complex  and  the  definition17  is  not  easy  to  grasp  as  it  was 
developed as an all‐inclusive definition to be used by any company, profit or non‐
profit, private or public ventures. This undoubtedly creates work for consultants, 
without  guidance  it  would  be  hard  to  implement  the  model  and  realise  the 
benefits  due  to  the  complexity  in  understanding  the  various  components  and 
their  interrelationships.  It  has  to  be  comprehended  that  integrating  ERM  with 
the  overall  strategy  is  not  a  quick  and  sudden  fix  but  a  dynamic  process 
(Dickinson, 2001). Compared to the previous internal control model (1992) the 
recent model consists of one new objective; the strategy setting, which grasping 
is vitally important. (Bowling et al, 2005) 
 
16 In 2006 Standard & Poors upgraded Munich Re from “A‐“ to “AA‐” partly due to robust ERM practices 
(Hoyt, 2008) 
17 “Enterprise risk management is a process, effected by an entity’s board of directors, management and other 
personnel, applied in strategy setting and across the enterprise, designed to identify potential events that 
may  affect  the  entity,  and  manage  risk  to  be  within  its  risk  appetite,  to  provide  reasonable  assurance 
regarding the achievement of entity objectives.” (COSO, 2004, p2)

ERM requires first a broad recognition of the stakeholders within the objective 
setting, allowing interested parties to consider and act daily on the mission of 
contributing to the achievement of goals. The eight horizontal layers identify the 
chronological approach required to achieve each of the four objectives. This is 
founded  on  the  latest  risk  management  process  produced  by  a  myriad  of 
international standards. Starting with the top layer the company first needs to 
understand  its  appetite  for  risk  as  part  of  its  internal  environment  before 
beginning its Risk Management process and the three bottom layers exhibit the 
internal controls, need be required to manage and monitor risks daily.  The 3rd 
dimensional  aspect  of  the  framework  exhibits  the  different  levels  of  the 
organisation, starting from left to right, from enterprise level narrowing down to 
end at the subsidiary level.18This is illustrated in Figure 7. 
 
Figure 7              COSO ERM Framework 
An Integrated Approach Across the Strategic Setting 
 
(COSO, 2004) 
 
 
As  previously  mentioned,  ERM  requires  a  disciplined  top‐down  process  (as 
provided by Figure 8); robust parameters for policies and internal control are 
18 This depends on the FIs size and structure.

necessitated at executive levels (Walker et al, 2002). Once Business units are fed 
the  information  and  implement  the  strategy,  managers  closest  to  risks  are 
required  to  feed  back  information  centrally  so  as  to  formulate,  amend  and 
monitor the overall risk policy (Dickinson, 2001). Business unit delegates must 
have a certain degree of responsibility to combat business line’ exposures before 
these become severe.   
 
 
 
 
 
 
 
 
 
 
 
 
Figure 8                                 The Risk Management Process  
A Corporate Framework Required for Effective Implementation 
 
(Chapman, 2006)

Since  corporate  governance  codes  make  top  executives  liable,  audit  functions 
have  to  be  made  independently  from  executive  functions;  (Combined  Code 
2003)(Sarbanes Oxley Act 2002) the board of directors sets a person responsible 
for  the  audit  committee  clearly  defining  the  risk  audit  function  including  an 
overview  of  their  top  management.  Subsequently  the  board  of  directors  is 
responsible for the ERM of the company accountable to shareholders and other 
stakeholders. The Chief Risk Officer ideally, should provide a link between the 
executive  committee  and  operations  of  the  corporation  in  addition  to  liaising 
with  the  non‐executive  committee,  subsequently  providing  an  independent 
assessment and guidance to shareholders (Lam, 2003). 
 
Enterprise  Risk  Management  ought  to  be  embedded  within  the  corporate 
strategy  of  an  organisation  as  the  activities  used  to  reach  objectives  largely 
depend on the resources and organisational structure it chooses to use, within 
the uncertain environment of the operation (Vijentra, 2006). 
 
It can only be measured as the difference between the initial setting of objectives 
and the actual outcomes of these, both in terms of variance from the expected 
distribution as well as the downside failure of meeting these entirely (Walker et 
al, 2007). For quoted companies, the more aligned are corporate objectives with 
shareholder  values  the  more  transparent  to  enterprise  risk  will  be  the  stock 
market  price  assessments  (Schroeck,  2002).  Figure  9  exhibits  the  effect  a 
comprehensive ERM framework may have on the board of directors.

Figure 9                   ERM Impacts Four Board Functions 
These impinge on Shareholder Value 
 
(Garratt, 2003) 
 
Insurance, hedging and other financial risk decisions demand coordination with 
the  corporate  treasury  and  capital  structure.  Both  risk  retention  decisions  on 
insurance  and  hedging  and  their  aversion  to  risk  (choice  of  deductibles  and 
strike prices) ought to be determined jointly as being under the Enterprise Risk 
management umbrella as they will be probably not be independent. (Dickinson, 
2001) 
 
Throughout a period where hedging instruments are expensive and insurance is 
going through a “Hard” market19 a strategic plan ought to have effective internal 
controls  in  place  and  minimise  operational  risks.  This  will  minimise  excessive 
insurance  costs  from  economically  unfair  rates.    Through  an  Enterprise  risk 
management approach whereby all risks of a strategic portfolio are taken into 
19 This is due to the theoretical phenomenon knows as the underwriting cycle whereby insurance markets 
swing between hard and soft markets. Throughout a hard market insurers try to cover for any previous 
losses increasing rates and reducing supply.

account  one  can  more  easily  monitor  and  alternate  the  risk  appetite  of  the 
organisation and counteract systemic effects.  
 
3.3 ERM in Practice and Industry Observations 
 
A survey conducted by the Conference Board and Mercer Oliver Wyman in 2004 
surveyed 271 executives. A proportion of 91% of those queried have understood 
the importance of accepting ERM or are actually implementing it in practice. The 
survey  also  derived  that  93%    of  those  responsible  for  assessing  risk  in  their 
organisation where risk or financial managers. Responding to the main driver of 
ERM 66% said due to corporate compliance whilst optimistically 60% ranked as 
important the understanding of operational and strategic risks.  Cynically though 
only  11%  have  formally  adopted  tan  actual  framework.  This  stems  from  the 
complexity  of  the  model  and  the  compliance  priorities  of  organisations  on 
review. (MIT Sloan Review, 2006) 
 
Another discovery was that only a fifth of those surveyed take inventory of the 
critical risks faced by their organisation; from this minor segment more than half 
respondents  found  ERM  helped  make  better  informed  decisions  as  well  as 
improved  communication  between  the  executives  and  the  board  of  directors. 
Furthermore  organisations  that  had  a  fully  integrated  approach  on  ERM 
reported  that  it  produced  better  management  consensus,  assessment  and 
understanding  of  key  risks  83%,  compared  to  the  36%  for  all  other 
organisations. The companies that fully integrate the framework also reported 
increased transparency and management accountability.  It can be derived that 
those with advanced integrated approaches who viewed risk management as a 
central  discipline  derived  the  full  extent  of  advantages,  in  contrast  to  the  rest 
that implement a compliance‐driven model. This is reaffirmed by another survey 
conducted  by  Deloitte  in  association  with  AESRM  in  2007  exhibiting  how  the 
majority of financial institutions continue to manage risk at the traditional silo 
level,  thus  concealing  potential  interdependencies  of  risks  and  financial 
indicators  and  with  the  potential  exposure  of  financial  institutions  to  acute

losses.  In  addition,  such  isolation  may  exacerbate  dangers  attached  to  new 
business  lines,  thus  stifling  competition  and  forgoing  growth  opportunities 
(Kopp. G, 2007). This exposes financial institutions to speculative threats in the 
future due to the changing economic landscape and evolution of 4 factors: 
 
“Era of Regulation”: The increasing sophistication of regulatory requirements; 
from  Sarbanes  Oxley  act  and  Combined  Turnbull  Guidance,  both  increasing 
responsibilities and the integrity of duties of the board; to Basel and Solvency; all 
now require organizations to capture information on a broad range of risks that 
may  affect  their  market  or  operations.  As  this  sophistication  increases,  so  too 
must  senior  management’s  and  the  board’s  understanding  and  related 
responsiveness. 
 
Complexity: Due to the increasing nature of new products and complexities that 
arise from business models and interrelationships between organizations, there 
needs to be a more holistic approach to managing risk. 
 
Connectedness: The increasing interdependency between operations, risks and 
controls has become evident. The traditional silo approach cannot capture this as 
it  leaves  too  many  gaps  and  does  not  provide  an  overall  evaluation  of  an 
organization’s risk position.  Some ERM advocates refer to it as common sense as 
risk by their inherent nature are dynamic (Lam the pioneer of the CRO function, 
2003). Once a systematic process reaches across the functions and departments 
and  promotes  the  sharing  of  risk  and  control  knowledge,  only  then  can  the 
correlations and interconnectedness amongst risk be truly captured. These are 
the fundamentals of ERM. 
 
Market Forces: Risk management has been enforced to senior management and 
board level due to various corporate scandals (e.g. Enron, WorldCom) that forced 
board members to dig deep into their pockets and settle shareholder lawsuits. 
Subsequently  Directors  have  rushed  to  educate  themselves  in  terms  of 
understanding a range of risks. At the same time executives are paid exorbitant

bonuses, even when failing to increase shareholder value20. 
 
Ernst and Young conducted a survey targeting Life insurance companies (2008). 
In contrast to its previous survey (2003) 68% respondents stated having ERM 
policies in place, 23% are in the process of development and 9% are planning to 
develop one. The survey exhibits that ERM is work still in progress and have not 
yet been fully integrated in companies’ systems and policies.  Most companies 
have  formally  developed  ERM  mission  statements,  principles,  procedures  and 
ownership structures but have yet to address the dynamic characteristic of the 
process as risk aggregation, tolerances and limits and how to identify emerging 
risks. A finding related to CROs, is that despite having a seat at the management 
table, 81% stated influencing; product design, pricing and investment strategy 
related decision but have no influence on strategic planning and feel somewhat 
that  their  contribution  is  rather  implicit  rather  than  a  consequence  of  some 
formal  explicit  oversight.  Moreover,  regardless  of  the  increasing  awareness  at 
board  level  of  risk  management  other  business  priorities21  may  draw  their 
attention.  
 
It is yet to be realized how important risk management is not in building long‐
term  value  creation  nor  have  companies  clearly  understood  the  depth  of 
operational  and  cultural  change  required  to  implement  the  framework 
effectively. Significant gaps remain present, and certain areas have yet to mature 
in  order  to  promote  a  disciplined  and  rigorous  approach.  Work  is  needed  to 
integrate firms ERM practices to influence strategic decision‐making. There is a 
variability of tasks addressed to CROs but there is a long way to go before their 
formal  risk  oversight,  aggregation  and  risk  taking  evolve  and  strengthen  to  a 
required  degree.  Risk  measurement  should  be  invested  in  heavily,  so  that 
sophistication increases incorporating all critical data needed for risk reporting 
and decision‐making. The increasing engagement by the C‐level22 has been found 
20  Three former executives of UBS who under their management led the bank to $38bn losses last year, 
shared a $87mil bonus from Switzerland's biggest bank (timelesonline.com, 2008) 
21 As increasing market share or seeking short‐term profit. 
22 C‐level postulates a Chief position (CEO, CFO and now CRO)

to be encouraging, however, risk leadership education especially at board level 
requires augmentation to assert the sustainable evolvement of risk management 
within  decision‐making  (IBM‐CFO  survey,  2008).  CROs  and  other  Risk 
management executives will have to improve the quality of their communication 
with executive and board leadership. Critical for moving risk leadership to the 
next level requires stronger functional links and better communication between 
all risk stakeholders within organizations. Nocco confirms this by arguing “While 
ERM  maybe  straight  forward  conceptually,  its  implementation  in  practice  is 
not”(2006).  The  industry  has  experienced  years  of  consolidation  and 
reorganization  of  departments,  incorporating  risk  silo  management.  Common 
credit or trading groups do exist but very few banks or FIs actually reorganize to 
take full advantage of an ERM culture (IBM‐CFO survey, 2008). 
 
Restructuring  in  financial  institutions  may  be  required  due  to  a  merger  or 
acquisition,  this  involves  integrating  processes,  methodologies  and 
Infrastructure,  these  need  to  be  realigned  (Atkins  et  al,  2008)  as  “legacy 
systems23”  may  be  developed.    The  most  daunting  task  is  to  consolidate  IT 
systems, as they must incorporate systems from various departments and levels 
and at the same time maintain a regulatory reporting standard. IT is a significant 
amount  of  investment  in  financial  institutions;  the  problem  arises  when  such 
systems meet both external and internal requirements, as these remain static. 
However,  the  market  environment  is  constantly  changing  with  an  upsurge  of 
both credit rating agency and regulatory requirements.  Firms cannot expect that 
historical success will speculatively prevail but must dynamically improve their 
systems enhancing their competitive advantage(s).   
 
This leads to the conclusion that organizations need to become more efficient as 
the  more  accurate  the  risk  measures  are  employed;  the  more  effectively  the 
financial  institution  may  compete  in  cutthroat  competitive  environment.  
 
23 Computer systems operating for a long time and due to the vitality of the function they serve cannot be 
easily updated or integrated with new systems of advanced technology.

Chapter 4: Findings From the Credit Crisis 
 
4.1 Drivers and Implications of the Financial Turmoil 
Recent  market  events  indicate  a  number  of  risk  management  lessons  for 
financial  institutions.    Before  the  recent  turmoil  the  banking  system  was 
characterised by strong balance sheets, rapid growth, innovation and relatively 
few bank failures.  Such status within the market bred a sense of overconfidence 
among  bankers  and  investors  leading  to  underestimation  of  risks  and  lack  of 
understanding that such state may potentially come to an end. This greed was 
fed  into  the  housing  market  that  was  exhibiting  an  upward  trend  and  led  to 
blindness in considering what may result from a disruption to such trend and 
housing  prices  falling  (Kohn,  2008).    The  timeline  of  events  is  depicted  in  the 
following paragraph and summarised in the following page. 
Figure   10                                     Phases of the Crisis  
Anatomy of the Storm 
 
(Saunders, 2008)

 
Financial  institutions  made  hefty  losses  due  to  concentrated  exposure  to 
securitisation  of  U.S  mortgage  related  credit.  Despite  having  an  inadequate 
understanding of CDOs24 and relative instruments’ inherent risks they retained 
large  exposures  on  them.  This  resulted  in  major  losses  on  such  holdings  and 
substantially  affected  both  their  earnings  and  capital  positions.  Furthermore 
failing to understand balance sheet growth and liquidity needs led to inaccurate 
pricing  of  the  risk  inherent  to  possible  funding  of  pricing  off‐balance  sheet 
entities  internally  when  market  factors  prevented  external  subsidising. 
Leveraged loans where hard to syndicate as risk aversion increased and appetite 
for  assets  diminished.  This  impact  was  trivial  regarding  capital  ratios,  but 
regarding firms’ balance sheets, these exposures led to significant write‐downs 
and write‐offs.  Inability to aggregate an organization’s overall risk position was 
the main reason a credit failure in a relatively minor section of the US real estate 
market  to  enable  a  spill  over  into  a  global  liquidity  risk  for  financial  markets. 
Furthermore increased overreliance on model assumptions and the sustaining 
silo structure resulted in lack of transparency between functions resulting in a 
breakdown  of  confidence,  as  firm‐wide  exposure  was  unknown.  Such  state 
brought  into  question  the  advocacy  of  Enterprise  Risk  Management  as 
imperative for assessing risk management in financial institutions. 
 
Certain companies discharged their CROs including Ambac, Washington Mutual 
Inc and Citigroup. In other firms CROs quit in repulsion, as they were never given 
the opportunity to ever apply an  enterprise risk  management system or were 
ignored by traders who set their own fiefdoms.   Others were blamed for errors 
beyond their control and were treated as scapegoats.  “When the onion peeled 
back, it disclosed that one part of the bank wasn’t talking to the other—it was 
almost that simple,” (Mat Allen, enterprise risk services practice leader, Marsh, 
2008).  Table  1  provides  the  most  significant  losses  incurred  by  Financial 
Institutions, in so far. 
24 Collateral Debt Obligations: Different types of debt (bonds, loans, other assets) referred “tranches” that 
are syndicated in a pool together and traded as an investment grade security. Depending on the risk and 
maturity associated with the debt the payout is adjusted.

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
James  Lam,  the  father  of  the  position  of  CRO    (GE  Capital  and  Fidelity 
Investments) argues that if ERM failed it was due firms were not incorporating 
the right data to allow for effective decision‐making, this created a state of risk 
ignorance.  (e.g.  some  firms  relied  heavily  on  credit  models  that    utilized  only 
seven years of credit information , this would have revealed steady house rates 
and mild default rates, obviously, such models underestimated exposures). 
 
4.2 Case Studies 
 
Business Model Failures 
 
Northern  Rock  prompted  the  first  run  on  a  UK  bank  for  the  first  time  in  140 
years.  Despite  not  being  technically  insolvent  with  asset  values  exceeding 
liabilities it struck a liquidity drought.  Due to its business model it was reliant on 
Table 1             Most Notable Losses so far  
Financial Institution  Loss Value 
Citigroup     $40.7bn 
UBS  $38bn 
Merrill Lynch     $31.7bn 
HSBC     $15.6bn 
Bank of America     $14.9bn 
Morgan Stanley      $12.6bn 
Royal Bank of Scotland   $12bn 
JP Morgan Chase  $9.7bn 
Washington Mutual  $8.3bn 
Deutsche Bank  $7.5bn 
Wachovia  $7.3bn 
Credit Agricole  $6.6bn 
Credit Suisse  $6.3bn 
Mizuho Financial   $5.5bn 
Bear Stearns  $3.2bn 
Barclays  $3.2bn 
                                                                   (Bloomberg, 2008)

the  money  markets  in  fund  its  mortgage  liabilities  more  than  any  other 
commercial  bank.  When  investors  lost  their  appetite  in  investing  in  mortgage 
related  assets  the  bank  could  no  longer  meet  its  pending  obligations.    In 
September  2007  the  Bank  of  England  injected  £25  bill  in  loans  and  £30bill  in 
guarantees resulting in Nationalization of the distressed bank25.  
 
Bear Sterns was an investment bank that flourished between 2001‐2007, an era 
characterized by low interest rates and a booming housing market. Its business 
model  was  highly  reliant  on  fixed  income  securities.  Its  troubles  came  when 
demand for subprime related securities faded and contemplating on reputational 
risk  it  financed  (SIVs)  structured  investment  vehicles  from  its  balance  sheets 
leading to excessive liability growth.  Within three days 13‐15 March its capital 
cushion of  $17bil evaporated, this led JP Morgan with the backing of the Federal 
Reserve to make an offer of $2 per share that was later finalized at $10. This is 
inconceivable looking back a year ago when Bear Sterns’ shares traded as high as 
$171.51 (Bilbull, 2008). 
 
Other examples can be found in monoline26 insurers as AMBAC, MBIA had to seek 
additionally funding when the assets they guaranteed were downgraded so as to 
avoid their own downgrading and continue attracting business.  
 
These  failures  exhibit  the  degree  of  vulnerability  internal  models  exhibit  in 
estimating  the  risk  inherent  in  organizations’  activities  throughout  the  crisis.  
The benign market conditions of a number of years prior to the turmoil where 
used to calibrate these models, this was flawed as the volatility that one would 
find  going  back  5  years  ago  would  not  reflect  the  extremity  of  events  in  the 
second half of 2007.  
 
25 A lot of questions are being asked about the Northern Rock downfall as why the deterioration of its 
portfolio was not acted upon time and why did they continue trading complex financial products knowing 
the risk and uncertainty concerning loans was rising? An investigation on the subject by tax expert 
Richard Murphy discovered that NR were disguising $50mil using an offshore trust “Granite” and a charity 
in England (Credit Magazine, 2008). 
26 In this pretext a monoline insurer is defined as a guarantor that assigns its credit rating to loans and 
offers assurance over counterparty default payments.

Operational Deficiency Failures 
 
Lehman Brothers London operations suffered losses from unauthorized activity 
worth $150 million on miss‐valued exotic option derivatives. Another financial 
titan  Credit  Suisse  suffered  $2.85billion  write‐downs  in  February  (adjusted 
March 20th to $2.65bil) due to the failure of its traders to update valuations of 
portfolios of subprime linked structured credit products whilst these had fallen. 
(Campbell A, April 2008, page 8).   
 
Late January 2008, a media frenzy was created when E. Societe Generale alleged 
that one of its Paris‐based junior traders, Jerome Kerviel accumulated more than 
$7bn in losses from the placement of directional bets on futures transactions and 
covered his tracks by creating forged hedges from the opposite direction. (FT, 
2008). As a result of these allegations, Societe Generale responded with a $5.5bn 
offer  to  increase  its  capital  base.(NYT,  2008).    Following  the  investigation, 
France’s  banking  regulator  fined  “SG”  a  record  €4m  for  breaching  banking 
regulations, it was found that fraud signals were present but ignored and that the 
bank failed to invest adequately in its control systems. (FT, 2008) 
 
 
4.3 Fundamental Weaknesses in ERM Implementation 
 
During  the  AIRMIC  conference  in  July  (2008)  Marsh  revealed  the  results  of 
research  it  had  undertaken  discovering  that  risk  management  has  not  yet 
reached the stage of full integration with the decision making process at board 
level. One of the main findings was that only 30% of Risk managers queried felt 
somewhat  confident  that  risk  management  was  taken  into  account  in  the 
strategic  decision  making  process,  more  worryingly  22%  felt  that  it  never  or 
seldom happened whatsoever.  When asked how they measure the value created 
by risk management 35% stated it was the impact on ‘cost of risk’ while 25% 
quantified  it  in  terms  of  the  reduction  of  incidents  or  losses.  Furthermore5% 
cited it as the reductions in insurance premium while 14% answered they didn’t

measure  value.  In  response  to  the  biggest  risk  management  challenge  facing 
their organization the majority replied that quantification of risk and measuring 
value  were  their  biggest  concern,  37%  found  incorporating  risk  management 
into  their  organization  was  a  challenge.  Concerning  the  findings  of  the  survey 
Eddie  McLaughlin  (leader  of  Marsh  Risk  Supervisory  Group)  noted  his 
understanding  that  risk  management  is  recognised  to  contribute  to  long‐term 
success and competitive advantage but has not yet been fully recognised in the 
boardroom.  He  argues  “The  challenge  remains  proving  the  shareholder  value 
added through effective risk management. Progress has been made by linking risk 
management quality to capital allocation, and over time to a firm’s credit rating, 
but as an industry we are not there yet.” 
Following the magnitude of losses in the industry Edhec sought to investigate the 
models used to support risk management decision‐making. They addressed 229 
financial Institutions based in Europe holding more than €10 trillion of assets 
under their management. This is quite representative of the Pan‐European asset 
management industry. One of the main findings of the research was that firms 
are  often  familiar  with  research  findings  but  rarely  actually  implements  such 
techniques.  In  consideration  to  previous  years  Edhec  found  usage  of  VaR  and 
cVaR(conditional VaR) had spread throughout the industry, methodologies that 
were previously used mainly by investment banks.  
 
Such  progress  has  its  limits  as  despite  making  use  of  the  models;  42% 
worryingly  assumed  normality  in  their  returns  and  only  10%  were 
implementing Extreme Value theory tools (Goltz, 2008). An even more worrying 
observation was that despite 50% use VaR to assess risk only 33% make use of 
the measure to estimate risk –adjusted performance. Furthermore it was found 
that 42% of institutional investors don’t explicitly incorporate liability risk when 
developing asset allocation strategies.

In  addition  there  has  been  plentiful  noise  in  terms  of  alpha27,  but  only  a  few 
actually measure it correctly. Despite the limitations of assessing Alpha (Myner, 
2001)  via  peer  performance  analysis;  62%‐  of  those  queried  make  use  of  it, 
whilst only 23% actually make use of multi‐factor methods; of which advantages 
have been proclaimed within financial research (Martellini et al, 2005). 
It seems that certain Financial Institutions have failed to ride the tide of research 
for the past 2 decades and make use of risk management as a marketing tool. 
Edhec finds this concerning; as knowledge is not transferred to the industry and 
tested within realistic environments but used merely as an aid to the systems 
already in place.  
 
 
4.4 Questioning the Viability of ERM 
 
For  the  past  years,  both  academics  and  practitioners  have  praised  Enterprise‐
wide  risk  management  policies  and  procedures  in  Financial  Institutions.  ERM 
has been touted, as the standardized FI risk management approach and now is 
being  re‐evaluated  subsequently  after  the  subprime  market  meltdown.    A 
disciplined framework guiding companies to apply the risk management process 
across  the  organization  including  any  interplay  that  may  exist  between  these 
across business units.  
 
 Financial Institutions first embraced ERM with insurance and energy companies 
following.  This  gave  rise  to  the  Chief  Risk  Officer  a  senior  level  position  to 
manage  and  supervise  the  effort.  (T&R,  2008).  Then  the  credit  crisis  and 
financial  turmoil  impacted  company  after  company,  especially  Financial 
Institutions, long thought to be the paradigms in ERM practices – hit a brick wall. 
27 A measure of performance on a riskadjusted basis, Alpha takes the volatility (price risk) of a mutual fund 
and compares its riskadjusted performance to a benchmark index. The excess return of the fund relative to the 
return of the benchmark index is a fund's alpha. Alpha is one of five technical risk ratios; the others are beta, 
standard deviation, Rsquared, and the Sharpe ratio. These are all statistical measurements used in modern 
portfolio theory (MPT). All of these indicators are intended to help investors determine the riskreward profile 
of a mutual fund. Simply stated, alpha is often considered to represent the value that a portfolio manager adds 
to or subtracts from a fund's return. A positive alpha of 1.0 means the fund has outperformed its benchmark 
index by 1%. Correspondingly, a similar negative alpha would indicate an underperformance of 1% 
(Investopedia, 2008)

Such  exposures  were  what  ERM  was  designed  to  ferret  out.  As  would  be 
expected, the reality is much more complicated. 
 
 To  begin  with  not  all  companies  experienced  large  losses  as  they  did  in  fact 
manage  their  risks  appropriately.  Empirical  evidence  finds  that  certain 
companies applying ERM did quite well relative to their competitors and others 
didn’t  se  the  signals  coming  and  grabbed  the  headlines  within  the  past  year 
(Treasury and Risk, ERM survey 2008).  
 
“JPMorgan in the banking industry and Goldman Sachs in the securities industry—
both  well  known  for  their  ERM  capabilities—actually  did  quite  well  relative  to 
their competitors,” “Other firms, of course, didn’t see the signals.” Those firms are 
the  headline  grabbers  of  the  day—Bear  Stearns,  Countrywide  Financial,  Ambac, 
MBIA, UBS and Swiss Re, among others. (Lam, president of James Lam & Associates, 
2008). 
 
 Problems have been found to lie on how ERM is applied and executed effectively 
across  the  organization.  Moreover  specific  areas  of  concern  and  weaknesses 
have been found in how risk management is applied (Treasury and Risk, ERM 
survey 2008).

Chapter 5: Conclusions 
 
Organisations  now  are  updating  and  focusing  on  their  risk  profiles.    Global 
regulators  request  improved  corporate  governance  models  and  the  usage  of 
internal control frameworks, policies and procedures. Simultaneously, investors 
are losing confidence and becoming more prudent  
 
Navigant Consulting (2008) recorded a staggering increase in lawsuit activity in 
relation to subprime and credit issues, with 170 cases filed in the first quarter of 
2008  compared  with  a  total  of  278  cases  filed  in  2007.  448  cases  have  been 
found  to  relate  to  the  credit  crisis  over  a  period  of  15  months  up  to  the  first 
quarter of 2008. This level indicates that soon the 559 savings and loan cases of 
the early 1990’s will be surpassed. Of these, 42% where named a Fortune Global 
500 company as the defendant and from the 10% that were non‐US companies, 
half originated from the UK. As Figure 11 exhibits and as reported by a NERA 
consulting  report  49%  of  plaintiffs  where  shareholders,  this  implies  that 
shareholders  are  becoming  more  active,  reinforced  with  regulatory  measures 
that  have  been  developed  in  concern  of  adequate  safeguarding  of  their 
investments.  
 
This finding is reaffirmed by a survey conducted by RiskMetrics in April 2008 
and  in  response  to  shareholder  lawsuits  38%  indicated  lack  of  effective  risk 
management as the primary reason for the rise in activism and as key cause of 
the subprime meltdown.

 
 
 
Furthermore Credit rating agencies focus on Risk Management more than ever. 
For  example  Standard  and  Poor’s  latest  report  explains  the  development  and 
that  it  will  recognize  the  adoption  of  firms  of  accepted  risk  management 
standards but this will not be considered be sufficient evidence of effective risk 
management.  The recent turmoil has Financial Institutions rethinking their risk‐
management  functions;  this  translates  into  updates  and  revived  insights  for 
rating  agencies  risk  analysis.  Such  updates  will  revolve  around  probabilities, 
severities  and  various  losses  that  may  arise;  the  fundamental  structure  of  the 
rating will stay in tact. Furthermore recent events have highlighted the increased 
importance on focusing on risk management as part of the rating process, not 
just  as  an  internal  framework  but  how  this  is  applied  throughout  the 
organization and as defined by table 2. 
 
 
 
 
 
28 Defendants included amongst others Credit Suisse, HSBC, Lehman Brothers, Merrill Lynch, Citigroup, 
Washington Mutual, Bear Stearns, UBS, Morgan Stanley, and Bank of America. 
Figure 11                          Lawsuits related to the Sub‐prime Crisis        (through to 
21/04/08) 
Defendants28                            Plaintiffs 
   
(Nera Consulting, 2008)

 
 
 
 
In  today’s  environment  Financial  Institutions  face  investor  confidence  issues, 
increased  regulatory  requirements  and  rating  agency  oversight.  To  effectively 
meet  such  challenges  organizations  are  restructuring  their  PMI  processes 
(polices, methodologies, infrastructure). Considering Crouhy’s ‘essentials of risk 
management’  these  are  the  three  building  blocks  required  to  develop  an 
enterprise risk management environment (Crouhy, et al, 2005). 
 
Within the last decade academics and practitioners have published a number of 
different methods of measuring risk, some tailored for specific risk factors others 
Table 2    S&P Definition of ERM in respect to Credit Rating Requirements 
ERM  ERM is not… 
 An approach assuring the firms is 
attending all risks 
 A method to eliminate all risks 
 A set of expectations amongst 
management, shareholders, and the 
board about the firms risk appetite 
 A guarantee that the firm will avoid 
losses 
 A set of methods for avoiding 
situations that may result in losses 
that would be outside the firm’s risk 
tolerance 
 A crammed‐together collection of 
longstanding and disparate 
practices 
 A method to shift focus from 
“cost/benefit” to “risk/reward” 
 A rigid set of rules that must be 
followed under all circumstances 
 A way to help fulfill a fundamental 
responsibility of a company’s board 
and senior management 
 Limited to compliance and 
disclosure requirements 
 A toolkit for trimming excess risks 
and a system for intelligently 
selecting which risks need trimming  
 A replacement for internal controls 
for fraud and malfeasance 
 A language for communicating the 
firm’s efforts to maintain a 
manageable risk profile 
 Exactly the same for all firms in all 
sectors or the same from year to 
year 
   A passing fad 
(S&P, 2008)

for aggregating risk (e.g. Economic Capital). 
 
History  has  exhibited  a  number  of  financial  crisis  from  the  ‘Black  Monday’  of 
1987 when world stock markets collapsed, to the Asian Crisis of 1997 that led 
(IMF) International Monetary Fund in injecting $40bill to stabilize the economies 
mostly hit by the crisis; and to the recent US mortgage crisis of 2007 that has 
given  rise  to  a  global  systemic  shock  within  the  financial  community.  Each  of 
these crises calls out for the importance of establishing good risk measures and 
PMI processes. 
 
Financial institutions focus these three factors, which are influenced by internal 
management  as  well  as  external  factors,  such  as  investor  confidence  and 
regulatory  standards.  In  terms  of  infrastructure  it  would  be  safe  to  say  that 
technology is not a bank’s core competence and would benefit from outsourcing 
such  functions  to  third  parties  and  gain  specialist  processes,  personnel  and 
Information technology.  
 
Risk management can be applied via managing each risk on its own or through 
an integrated and holistic approach, this has been referred to as Enterprise Risk 
Management  (Nocco,  et  al,  2006).  Its  goal  is  to  set  policies  determining  risk 
across  the  firm  and  its  diverse  business  activities  and  require  methodologies 
aggregating the variable risk types (credit, operational, market). This is not an 
easy  task  as  their  distribution  patterns  vary  substantially  (Rosenberg,  et  al, 
2004). 
 
Enterprise risk can be calculated using economic capital and risk adjusted return 
on  capital  as  steered  by  the  capital  adequacy  guidelines  of  Basel  II.  Such 
measures integrate various risk components into a holistic measure utilized to 
calculate Enterprise Risk.  Commencing the analysis of the credit crisis, several 
factors discovered have to be prospectively addressed to implement a successful 
ERM framework.

Enterprise Risk Management in Financial Institutions- Revelations of the Recent Credit Crisis and Financial Turmoil

Enterprise Risk Management in Financial Institutions- Revelations of the Recent Credit Crisis and Financial Turmoil

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to Enterprise Risk Management in Financial Institutions- Revelations of the Recent Credit Crisis and Financial Turmoil

Similar to Enterprise Risk Management in Financial Institutions- Revelations of the Recent Credit Crisis and Financial Turmoil (20)

Enterprise Risk Management in Financial Institutions- Revelations of the Recent Credit Crisis and Financial Turmoil