Title: Developments in Risk Management people, process and systems considerations David Millar, COO, PRMIA
1 Developments in Risk Management: people, process and systems considerations
David Millar, COO, PRMIA
Hyderabad, 9th October, 2007
2 Why do we manage risks?
3 Developments in Risk Management: people, process and systems considerations - History, Dimensions and Drivers of Risk Management
4 Risk in history
5 Drivers of risk management
- Regulatory drivers
  - Local
  - Regional
  - Global
- Business drivers
  - Increased profitability
  - Reduced losses
  - Improved reputation (customers, public and analysts)
  - Credit agency ratings
Stick and Carrot
- With the objective of managing risk, not eliminating it
6 Business drivers
7 What the rating agencies say
- Moody's believes that the assessment of risk is becoming increasingly central to the fundamental analysis of a rated bank. Put simply, risk management improves the quality and stability of earnings, thereby enhancing the competitive position of the bank and facilitating its long-term survival.
- The ongoing integration of its subsidiary banks into a single network poses challenges in terms of operational, personnel, and systems integration. Moreover, the banks purchased by XXX may have hidden operational risks. (A Standard & Poor's Report)
- Fitch (Ratings) expects financial institutions, in their response to both regulatory and management requirements, to adopt a balanced approach to risk. This includes an emphasis on tools and techniques designed to assist the management of a financial institution in the prioritization of its risk budgets and in where to focus its efforts.
8 Regulatory drivers
9 Cross-border implications
- There is no international jurisdiction. Regulations (global or local) are implemented by local courts or regulators.
- International implications are enforced by:
  - Agreement by local bodies that they will implement international regulations (e.g. Basel II, but also such as transport regulations), sometimes with local variations
  - A local regulator imposing regulations on the local branch of an overseas company so that the implications extend to the home country and other branches, e.g. money laundering regulations, Australia's Foreign Trade Practices Act, etc.
  - An overseas company taking advantage of national facilities (e.g. listing on their stock exchange) which then convey obligations across the whole company, e.g. Sarbanes-Oxley
10 Developments in Risk Management: people, process and systems considerations - Types of Risk
11 Can we categorise risks?
Enterprise Risk
Risk assessments, indicators, controls and loss
event data
Strategic Risks
Financial Risks
Procedural Risks
Other Risks
- Credit
- Market Pricing
- Interest Rate
- Liquidity
- Asset Liability
- Systemic
- Operational
- Disaster
- Fraud
- Terrorism
- Project
- Contractual
- Regulatory
- Reputational
- Pandemic
- Legal
- Environment
- Government
- Business decisions
- Poor direction
- Competition
- New technology
12 Basel II Risk Coverage
Enterprise Risk
Risk assessments, indicators, controls and loss
event data
Strategic Risks
Financial Risks
Operational Risk
Other Risks
- Credit Risk
- Market Risk: Pricing, Interest Rate, Liquidity
- Asset Liability
- Systemic
- Disaster
- Fraud
- Terrorism
- Project
- Contractual / Legal
- Regulatory
- Reputational
- Pandemic
- Environment
- Government
- Business decisions
- Poor direction
- Competition
- New technology
13 Basel II Risk Coverage
- Credit Risk
  - The risk of a bank not receiving payment for its assets.
- Market Risk
  - The risk that a bank's assets lose value due to market fluctuations.
- Operational Risk
  - The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk, but excluding strategic and reputational risk.
14 Risk needs to be Categorised
- Credit Risk
  - Counterparty categorisation, loan description, probability of default, expected loss, loss given default.
- Market Risk
  - Trade details, market variables, probability calculations.
- Operational Risk
  - Risk categories, event categories, probabilities, controls (descriptions, costs, effectiveness, etc.), expected losses, unexpected losses, actual losses, indicators, responsibilities and authorisations, etc.
15 Operational risk categorisation frameworks can be complex
Risk Indicators (KRIs)
16 Financial risk management environment
Internal ratings, etc
High-tech, fast throughput, transaction processing
5 years transaction data
Daily transaction data
Capital calculations, risk metrics, ALM, etc
Core processing systems
17 Operational risk management environment
Getting risk data from the bottom (the point of incident) to the top (for analysis) is key.
EVENTS
RISKS
MITIGATION
ASSESSMENT
FEEDBACK
through layers of management
18 Technical implications
- Non-financial (operational) risk
  - Once a day for input, once a month for reporting
  - Low performance requirements
  - Manual input, many users
  - Relatively small amounts of fairly complex data
  - Kept for a very long time (at least five years)
  - New data collection systems need to be developed
- Financial (credit, market, liquidity, etc) risk
  - Real-time
  - High availability
  - High performance requirements
  - Automated input, few users
  - Very large amounts of relatively simple data
  - Kept for a long time (5 years)
  - Data comes from existing core systems
19 Developments in Risk Management: people, process and systems considerations - Risk and Capital
20 What is capital?
The net worth of a business, i.e. the amount by which its assets exceed its liabilities
Gearing Leverage
Equity
Assets Investments
Capital
Gearing Leverage
Debt
Liabilities
Earnings
Balance Sheet
21 Capital covers risk
Non Financial Firms Risk Cover
Risks
Expected Losses
Unexpected Losses
Catastrophic Losses
Frequency of Loss
Pricing
Debt/Bond Holders
Equity Capital
Reserve Financing
Severity of Loss
Source: after Marshall, Operational Risks, 2001
22 Banks are very different
Bank assets are risk assets
Bank capital most exposed to asset value changes
Gearing Leverage
Equity
Assets Investments
Capital
Gearing Leverage
Debt
Liabilities
Earnings
Bank liabilities are deposits
Balance Sheet
23 A different level of risk cover
Financial Firms Risk Cover
Risks
Expected Losses
Unexpected Losses
Catastrophic Losses
Frequency of Loss
Pricing
Public
Economic Capital
Debt/Bond Holders
Severity of Loss
24 The Public is at the End of the Road
- Greenspan: "nor should we require individual banks to hold capital in amounts sufficient to fully protect against those rare systemic events which, in any event, may render standard probability evaluation moot. The management of systemic risk is properly the job of central banks. Individual banks should not be required to hold capital against the possibility of overall financial breakdown. Indeed central banks, by their existence, appropriately offer a form of catastrophe insurance to banks against such events"
Source: Alan Greenspan, FRBNY, 1996
25 Bank Capital
- differs from a non-financial firm's capital: it protects against future, unidentified risks and losses while enabling the bank to operate at the same level.
- strengthens the stability and soundness of the (international) banking system and, if applied universally, the competitive inequality among banks is diminished.
- So banks simply need to cover themselves against the risk of insolvency due to losses exceeding allocated capital.
- Banks manage risks; regulators decided on an arbitrary capital to risk asset ratio; there is no correct answer.
- Capital adequacy for banks was conceived in 1988 (the Cooke Committee, to become the Basel Committee on Banking Regulations and Supervisory Practices).
26 The BIS created standards on capital
- Basel Capital Accord (Basel I)
  - In 1988 the Basel Committee on Banking Supervision recommended a risk-weighted capital ratio for internationally active banks
  - This set minimum standards of capital adequacy
- A New Capital Accord (Basel II) proposed in 1999
  - Extended to cover regulatory (Pillar 2) and disclosure (Pillar 3) requirements (Pillar 1 approaches as how to calculate regulatory capital)
  - Final (reviewed) version released November 2005 (over 100 countries to implement; still some questions regarding the US implementation)
  - Complete Accord will take effect from 2007 (earliest participants) onwards to 2012
27 ... and decided that
- Risk-weighted assets would be the basis for capital requirements
Risk-weighted Assets
Minimum Capital Requirements
8% of
Credit Risk-weighting
Market Risk-weighting
Operational Risk-weighting
Introduced 1997, small changes in B2
Now variable, more complex in B2 (3 approaches)
New in B2 and variable (also 3 approaches)
28 8% is the minimum
29 Citigroup's Capital ratios (2003)
M
- Tier 1 Capital Ratio 8.91%
- Total Capital Ratio 12.04%
- Minimum Regulatory Capital 60,023
30 But Basel Capital Adequacy is not all
- Commercial banks, which comply with Basel II, can decide (or their regulator can decide) which approaches to calculating regulatory capital they adopt, but
- regardless of capital approaches all Basel II compliant organisations must develop
  - an appropriate risk management environment,
  - risk identification, assessment, monitoring and mitigation/control,
  - regular independent evaluation of policies, procedures and practices,
- and make sufficient public disclosure to allow the market to assess their approach to operational risk management.
31 Regardless of Pillar 1 approach
- Even if the bank goes for the simplest approach to Risk-weighted Capital:
  - A risk assessment culture must be created,
  - Credit and operational risks must be monitored,
  - Risk must be tracked,
  - A risk trend history must be created,
  - Risk actions must be disclosed.
"... additional capital would not be the only answer as capital is not a substitute for appropriate risk assessment practices or adequate internal control processes." Nicholas Le Pan, Chairman of the Basel Committee's Accord Implementation Group, March 2004.
32 Developments in Risk Management: people, process and systems considerations - Current Implementation considerations
33 Banks are not homogeneous with respect to risk management implementation
... but a bank needs a view of risk which combines different departmental profiles
34 Implementation
Risk theories and regulations
Processes, tools and capital allocation
Rollout considerations
Ongoing maintenance and improvement
A risk culture
35 From financials to processes
- Credit/market risk relatively mature (liquidity risk still causing concerns!)
  - But still needs data and model validation, corrections, backdating of parameters, etc.
- Operational risk still immature
  - Specifying it
    - What is it? How to recognise and classify it?
  - Setting it up
    - Involving the users, gaining commitment, regulatory approval, etc.
  - Rolling it out and maintaining it
    - Collecting accurate data, feedback, validation, correcting errors, changing classifications, renewing systems, etc.
36 The Pillar II Maze
Risk theories and regulations
Updating the system
User acceptance
Create the risk framework
Processes, tools, capital allocation and
disclosure
Regulatory approval
How much data to collect
Feedback
Cleaning old data
Risk Culture
Ensuring clean data
User involvement
A risk culture
37 Some implementation issues
- Processes, systems and capital allocations are easy - the problems are the people issues
  - Build the governance processes
  - Creating the framework: consensus on risk categorisation
  - Getting user involvement from the right people
  - Achieving user acceptance: "why am I doing this? I have better things to do!"
  - Deciding on how much data to collect: too little, poor statistics; too much, inaccurate data
  - Ensuring clean data: cleaning old data, ensuring new data is completed correctly
  - Gaining regulatory approval: different interpretations/numerics in different jurisdictions
  - Building a risk culture: everyone knows what risk is
  - Integrating feedback and statistics to improve the system
  - How to update the systems: validating and changing processes, risk categories (framework) and systems upgrades
38 1. Why a governance process?
- Basel II (and Sarbanes-Oxley and others) requires that the Board takes overall responsibility for risk management and is aware of risk developments
- It requires that all senior management takes responsibility for the risk processing and management within their areas, and
- It mandates a risk culture within the organisation.
39 Commitment
- Commitment on risk management is needed from
  - Owners/shareholders
  - The Board
  - Senior management
  - Departmental managers
  - Audit, asset and liability management and compliance
  - Human resources
  - Staff
  - Geographies
40 8. Building a risk culture
- An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to and style of risk management.
- It includes both an enterprise-wide risk and an internal control culture
- It requires clear lines of responsibility, segregation of duties and effective internal reporting
- It requires high standards of ethical behaviour at all levels
- Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture
- It is the responsibility of both the board and senior management
41 Examples of staff risk culture
- All staff know
  - What a risk control or risk event is
  - Why they exist
  - What their risk responsibilities are
  - Prime and alternative reporting routes
  - What happens to their reports
  - What was the result of their event's mitigation
  - What the institution's risk status is (overall and their part)
  - How it is improving (or getting worse)
  - What their risk training plan is
42 Examples of management risk culture
- All Board and senior management know
  - What the institution's risk policy is
  - What their risk appetite is
  - What their own risk responsibilities are
  - What major risk controls have been infringed or what risk events have taken place
  - What cumulative risk situations have accumulated
  - What the institution's risk status is
  - How it is improving (or getting worse)
  - What the business impacts are
43 Why are Risk Cultures important?
- Risks are managed by people
- People can apply standards with greater or lesser degrees of efficiency or they can make mistakes
- People must apply the appropriate risk management standards to the best of their ability
- Regulators appreciate that the best standards and guidelines are only effective if implemented correctly and with diligence and enthusiasm.
- Regulators will therefore test an organisation's risk culture along with its risk standards, best practices, capital robustness and disclosure procedures.
44 Attributes of a risk management culture
- Attention is paid to quantifiable and unquantifiable risks.
- All risks are identified, reported and quantified.
- Awareness of risk through performance measurement, risk-adjusted pricing, pay structures and forecasting.
- Risk management is accepted as everyone's responsibility.
- Risk managers have teeth.
- The enterprise avoids what it doesn't understand.
- Uncertainty is accepted.
- Risk managers are monitored.
- Risk management is not to stop people from taking risks but to create value, by enhancing the chances of success.
- The risk culture is defined, the risk appetite is understood.
Source: Operational Risk Management, PWC, November 2003 (abbreviated)
45 ... and finally
- Talk to the supervisors
  - Regulations are interpreted and implemented by regulators, central banks and supervisors
  - They will have national interpretations and local preferences and good practices
  - They are responsible for cross-border cooperation and interpretation
  - They will set implementation practices: rule and regulation based, or risk and principle based
  - Because commitment to the regulations is their primary function, whereas, for the bank it is a secondary activity
46 Developments in Risk Management: people, process and systems considerations - ... and what of the future?
47 What has the sub-prime crisis taught us?
- We have not solved liquidity risk
  - How to model it?
  - What is its impact on credit and market risk?
  - How to put capital aside?
- Are Rating Agencies the right measurement?
  - Are they trustworthy?
  - They are paid by the sellers of instruments
  - Rating agency arbitrage
- Is operational risk-derived capital enough?
  - Is bad rating an op risk?
  - Is bad loan management an op risk?
48 Risk models have not yet been tested
- First banks move to advanced methods in 2008
- No one is comparing model performance
- Will the US come into line?
- Can Basel survive double standards?
- Does scenario testing work?
- How long before we have sufficient data?
- Will models be rated? If so, by whom?
49 A global operational risk standard?
- There is no common practice for
  - Risk and event categorisation
  - Risk assessment
- Global operational risk databases are limited
  - ORX, what else?
- How to compare bank v bank?
  - How do we merge operational risk data?
  - Cross-border comparison
50 Basel III
- Is risk-adjusted capital the only way to measure and control risk?
- Will operational risk-adjusted capital be a glorious failure?
- What will replace the rating agencies?
- Can we ever solve liquidity risk?
- Can we continue ignoring strategic and reputational risk?
- Why has it all become so complicated?
51 Hyderabad Chapter, 9th October, 2007: A PRMIA Members' Update
52 The Global Organisation
- The Professional Risk Managers' International Association (PRMIA) - the world's leading risk professionals' association.
- 44,500 risk professionals from all segments of the financial services industry in 179 countries (both free and paid membership)
- Members from 4,000 organisations, 200 members' meetings annually in 60 chapters
- A quarterly journal and a monthly newsletter
- The Professional Risk Managers' Handbook
- The PRM exam: the world's most comprehensive risk managers' exam with 2,150 candidates in 96 countries
- Member-led (400 volunteers), grass-roots organisation with its own Code of Risk Ethics
- A not-for-profit organisation governed by its members
- Standards, accreditation, meetings, events, training, networking, website, research
53 PRMIA: the past year
- New chapters - Tokyo, Bangalore, Hyderabad, Vienna, Beijing, Amsterdam, Frankfurt, San Francisco, Kolkata and S Africa.
- First one day PRMIA conference given in NY in February, second already held and two more planned for 2007
- Toronto University and NUS running PRM courses in China and Singapore. Regulators approve PRM in Singapore and Bahrain
- Indian chapters initiate research program
- Corporate membership services launched
- Website remodelled
- Publishers McGraw-Hill to reformat the Handbook, also wider availability and translation of the PRMIA Handbook
- Henry Stewart Publications to issue a quarterly Journal of Risk Management in Financial Institutions, free to PRMIA Full Sustaining Members
- PRMIA expand support team to take on marketing, sales and conference/event support staff
54 PRMIA: the next 12 months
- New chapters - LA, Delhi, Brussels, Miami, West Indies, Turkey, Bermuda, Romania, Trinidad and re-open Dusseldorf, Madrid, Bangkok, KL, Taiwan and Australian chapters amongst others.
- 2008 Global Event Series: Credit Risk in February, ERM in April, Operational Risk in September, Valuation in an Environment of High Complexity and Liquidity Risk in November. Each month to include 3-4 one day events in major centres plus chapter events.
- Handbook to be updated via Academic Committee, reformatted to 10-12 books and released to public sale through bookshops via McGraw-Hill starting end 2007.
- Opening up the PRM exam to offer a non-quantitative, entry-level exam, the Foundation PRM, to be released Q1 2008
- White papers sought for JRMFI: editorial committee of PRMIA and non-PRMIA. Also PRMIA quarterly members' news newsletter
- David Koenig changes role.
- Objectives: to increase PRM candidates, more solid financial status through exam and handbook income, sponsorships, corporate memberships, and Sustaining Memberships.
55 Thank you
- David Millar
- Chief Operating Officer
- david.millar_at_prmia.org