Summary

This document provides a summary of Enterprise Risk Management (ERM). It explores the concept of ERM, contrasting it with traditional risk management. The document further examines various risk categories, including market, economic, and credit risk, and analyses the reasons for and benefits of ERM implementation.

Full Transcript


Chapter 1: What is ERM
======================

Context is very important when applying the material. You need to understand the organisation from both the risk and the commercial side before applying it. Risk management needs to complement an organisation's commercial competitive advantage.

Introduction to ERM
-------------------

There is no single definition of ERM, but there is general agreement on the overall concept.

**Risk Management vs ERM**

They are not the same.

**Risk Management**

- Ordinary/traditional RM
- Process of:
  - Identifying risks faced
  - Assessing likelihood & impact
  - Deciding how to deal with each:
    - Retain & monitor
    - Remove
    - Reduce
    - Transfer
- **Objective** is to optimise risk-adjusted returns

**ERM**

Key elements that mark ERM apart from ordinary RM:

- Holistic approach
  - Apply RM techniques consistently across the whole business
  - Led by the board, co-ordinated through a RM function led by a CRO & incorporated into the day-to-day operations of **all** personnel
  - Recognise that risks interact and are dynamic
- Value creation
  - Integrating RM and measurement into business processes & strategic decision making
  - Considering downside & upside risk
- Applies the principles of RM across the whole of a company in a structured & consistent manner
  - Ensures all risks are considered (quantifiable as well as non-quantifiable)
  - Links between risks from different parts of the business are taken into account when deciding how to deal with them
  - Consistent:
    - Common risk taxonomy
    - Classifications
    - Recording of risk

**Silo approach:** different parts of the business work independently. RM is applied within individual departments or units on a piecemeal basis.

- Key problem: misses interactions & interdependencies between risks faced by different business units

**Key concepts in ERM (5)**

**The Holistic approach**

- Consider risk as a whole rather than in isolation
  - Allows concentrations of risk to be appreciated
  - And for diversifying effects to be allowed for
- Fundamental to ERM

**Downside & Upside Risk**

- Risk is only bad if outcomes are adverse (downside)
  - RM should not be seen as only a way to deal with the negative aspect of risk
  - It is a way to minimise the effect of downside risk & maintain the company's value
- Outcomes better than expected (upside)
  - Enable the company to exploit opportunities
  - Thus creating value by optimising risk-adjusted return
- Important if the range of outcomes is not symmetrical

**Risk Measurement: Quantifiable risks**

- Once identified, risk can often be quantified (measurement of risk)
- Lots of different risk measures
- Good risk measurement practices are essential to ERM
- Interested in both:
  - Financial impact of the risk
  - Likelihood of its occurrence over some given time horizon

**Risk Measurement: Unquantifiable risks**

- Some risks cannot be measured
  - Distribution of potential losses cannot be identified
  - Exact nature of the risk is difficult to assess
- Many forms of operational risk are like this
- Assessed in a qualitative way
  - Probability & severity fall into subjective categories
    - Low, medium, high

**Risk Responses**

- After identifying & quantifying, a response needs to be taken.
- Can be doing nothing or taking action
  - Retain
  - Remove
  - Reduce
  - Transfer

ERM should be built around a company's risk appetite and its capital structure.

Chapter 2: Why ERM?
===================

Why RM?
-------

**Key Reasons for Risk Management**

- Can benefit society
  - Society relies on a smoothly operated banking & financial system
  - Can reduce **contagion risk**
    - The risk that a problem at an individual institution has an impact on the entire financial system
- Is part of the job of management
  - SH appointed the Board to optimise risk/return decisions
- Earnings volatility can be reduced
  - More predictable earnings can:
    - Increase the MV of the firm
    - Improve company credit ratings
    - Reduce variability in employee costs
    - Reduce capital requirements
- SH value can be maximised
  - Ensures that the company undertakes activities that reduce the likelihood of losses & protects against their effects
  - Reduces the cost of capital & improves the risk/return trade-off to the benefit of SH
- Job security & rewards can be enhanced
  - Company stocks & options are a growing part of remuneration packages
  - Employees then become SH
  - Better company performance leads to higher personal rewards

**Risk Appetite vs Risk Profile:**

- Risk appetite: the amount of risk a company is willing to accept on an ongoing basis
- Risk profile: the types of risks the company faces & its current exposure to those risks

It is vital for sound business operation that the risks faced are understood & managed, so that the company is not exposed to more risk than it wishes.

Why ERM?
--------

**Distinct benefits of ERM & how ERM achieves them:**

Improved business performance: senior management is more informed when taking important decisions.

- This enables them to:
  - Better understand **aggregate** risk exposure
  - Better comprehend the links between business growth, corporate risk & return
  - Better understand the impact of changing external factors (e.g. interest rates)
  - Assess more accurately the risk/return trade-offs of a decision
  - Align strategy more closely with risk appetite

Increased risk transparency: all risks are reported in a consistent & appropriate format to stakeholders.

- A centralised ERM function improves the organisation's operational efficiency by:
  - Co-ordinating RM activities across all parts of the organisation
  - Encouraging & facilitating the sharing of risk information
  - Identifying & assessing links between risks managed by various teams
  - Improving efficiency
- ERM may enhance the organisation's business performance by:
  - Using allocated capital more efficiently
  - Minimising losses & unpleasant surprises
  - Pricing, managing and/or transferring risk better
  - Optimising risk mitigation strategies
  - Reacting more quickly (detecting risk early, seizing opportunities)
  - Deriving value from the time, effort & money spent on RM

**What pressures cause an organisation to initiate an ERM programme:**

- Previous management failures
- "Near miss" within own organisation
- High profile disaster in a similar organisation
- Criticism or demands from a regulatory body
- Concerns from stakeholders

**Key points that support the assertion of ERM adding value: (Lam, Chp 21)**

- Investors generally avoid companies with poor governance standards
- Investors are willing to pay a premium for well-governed companies
- Companies with strong governance structures outperform those with weaker ones
  - Effect amplified for larger companies
- Insurance companies with ERM programmes have lower volatility of returns, improved SH value, financial stability & an equity premium of 16%.
Chapter 3: Risk Taxonomy
========================

Intro to Risk Taxonomy
----------------------

**Definition of Risk**

Most definitions encompass:

- Uncertainty of possible future random events
- Nature and degree of harm associated with each event

**Definition of Risk Taxonomy**

- Full list, description & categorisation
- Of all risks that an organisation might face

**Risk Categorisation**

The financial & insurance context has five basic risk types (Basel or Solvency II frameworks):

- Market risk
- Liquidity risk
- Credit risk
- Operational risk
- Underwriting/insurance risk

Recall: two other risks described by Lam:

- Strategic risk
- Regulatory risk

Categorisation of Risk
----------------------

This is not a complete list but is intended to cover most major risks.

**Market Risk**

- Risk related to changes in investment market values or other features correlated with investment markets (interest and inflation).
- Risk divided into:
  - Consequences of changes in **asset values**
    - Value of equity and property changing
    - Changes in interest rates and inflation
      - Fixed interest and index-linked securities are affected
  - Consequences of investment market value changes on **liabilities**
    - Promises to stakeholders may be directly related to market values/interest rates
    - Changes in *i* or inflation may affect the level of benefits
    - Causes of liability change are changes to:
      - Liability **amount**, i.e. inflation-linked or unit-linked
      - Liability **value** as interest rates change
  - Consequences of a provider not **matching** asset and liability cash flows
    - Nature, term and currency
    - A perfect match is not possible:
      - Not a wide enough range of assets, particularly by duration
      - Liabilities uncertain in amount and timing
      - Liabilities may include options (uncertain cash flows)
      - Liabilities may have discretionary benefits
      - Cost of maintaining such a profile may be prohibitive
    - Higher liquidity risk
    - Reinvestment risk
    - Greater exposure to market risk, since assets and liabilities will not move in line with each other
- Market risk may also refer to the **risk of lower sales or profit margins** resulting from changes in market conditions.
  - Market conditions are a function of:
    - Market construction
    - Market participant action
    - Market participant interaction
- **Distinct elements of market risk described by Lam: (see ActEd pg 10)**
  - Risk from movements in own stock price
  - Investment risk
  - Uncertainty of input & output prices
- Market risk may include:
  - Equity risk
  - Commodity risk
  - Foreign investment risk
  - Interest rate risk
  - Basis risk

**Economic Risk**

- Risk arising from the impact of macroeconomic factors on an organisation and/or its customers
  - Inflation & changes in demand
- Factors include:
  - Aggregate supply & demand
  - Own & foreign government policy
  - (Un)employment levels
  - Inflation, interest & exchange rates
  - Accommodation costs

**Interest Rate Risk**

- Risk arising from changes in *i*, which could include the impact on customer behaviour as well as the financial impact.
- Subset of market risk

**Foreign Exchange Risk**

- Arises due to exposure to movements in FX rates
- Subset of market risk & component of economic risk
- Lam mentions the effect of FX movements upon:
  - Foreign revenue & costs expressed in home currency (transaction exposure)
  - Prices of exported goods affecting foreign sales (economic exposure)
  - Consolidated accounts (translation exposure)

**Basis Risk**

- Arises from differences in the movements of two comparable indices, so that offsetting investments in a hedging strategy will not experience exactly offsetting movements.

**Credit & Counterparty Risk**

- Credit risk: the counterparty to an agreement is unable or unwilling to make the payments required
- Counterparty risk: one side of the deal fails to fulfil their part, including in a timely manner
- Common to group the two and have a general definition:
  - Risk of loss due to:
    - Failure of third parties to meet their obligations
    - Defaulting on interest or capital repayments on bonds
- Credit risk has two components:
  - Probability of default
  - Loss on default
- Change in credit quality (credit ratings)
  - Political changes play a role
- Credit spread: the difference in yield between a corporate bond and a government bond
- Retail credit risk: risk of loss due to a customer failing to repay on a consumer credit product

**Liquidity Risk**

- Risk that an individual/company, although solvent, does not have sufficient available financial resources to enable it to meet its obligations as they fall due.
- Risk of the money markets not being able to supply funding to the business when required (funding liquidity risk)
  - Failure of the management of short-term cash flow requirements
  - They can only secure the resources at a much higher cost
- Liquidity: how easy it is to convert an asset to cash at a predictable price.
  - Quickly becomes cash
  - Amount is almost certain
- **Market liquidity risk:** the market doesn't have the capacity to handle the volume of an asset to be bought or sold at the time when the deal is required.

**Insurance Risk**

- Arises from fluctuations in the timing, frequency & severity of insured events
  - Relative to the expectations of the firm at the time of underwriting or pricing.
- Includes mortality, morbidity, property, casualty, persistency & expense risks
- Sometimes called underwriting risk
  - Others classify inappropriate selection processes as operational risk (GI)
  - Insurance risk:
    - Timing, frequency & severity
  - Underwriting risk:
    - Selection, approval or pricing
    - Also called actuarial risk
- Insurance risk further broken into:
  - Demographic risks: mortality, morbidity, marriage
  - Non-life insurance risks: property risk, casualty risk
  - Other insurance risks: persistency & expense
- Similarly, demographic and non-life risks can be sub-divided:
  - Level risks: underlying incidence rates not as expected
  - Reserving risks
  - Volatility risk
  - Catastrophe risk
  - Trend or cyclical risk

**Operational Risk**

- Risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events.
- The Basel accords include legal risk but exclude strategic & reputational risk
- Components: (read pg 14)
  - Process risk
  - People risk
  - Systems/tech risk
  - Event risk
  - Strategic risk
  - Crime risk
- Operational risks can also include:
  - Deficient products resulting in liability claims
  - Sub-optimal product development
  - Human error leading to a catastrophic event
  - Inappropriate corporate strategy
  - Ineffective internal feedback mechanisms
  - Corporate culture that limits innovation
  - Reputational damage & loss of brand value

Outsourcing also falls into operational risk.

**Environmental Risk**

- Risks relating to the natural environment & human interactions with it
  - Natural disasters, climate change, pollution
- Risks relate to:
  - Resources
  - Pollution
- May be classified as operational risk

**Legal Risk**

- Arises from understanding of & adherence to legislation, including changes in accepted interpretation
- Arises due to:
  - Breaching the law
    - Lack of awareness
    - Lack of understanding
    - Changes to interpretation by courts
    - Deliberate
  - Inability to show compliance
- Legal risks may be threefold:
  - New legislation in response to political or social pressure
    - Additional compliance costs, prohibited activities
  - Provisions in important contracts
    - Could give rise to significant problems
  - Court judgments against an organisation
    - Read about the collapse of Equitable Life in the UK

**Regulatory Risk**

- Risk of loss arising from changes in legislation or regulation.
- Also covers compliance risk
- Generally classified as operational

**Political Risk**

- Risks relating to political decisions or indecision, change in government, and events related to political instability including terrorism and wars
- Arises at various levels:
  - Micro
  - Macro (national)
  - Macro (international)

**Agency Risk**

- Results from misalignment of interests between different stakeholders
- Risk that management will not act in the best interest of other stakeholders

**Reputational Risk**

- Risk that events or circumstances could have an adverse impact on the organisation's reputation or brand value
- Specifically excluded from the Basel II definition of operational risk

**Project Risk**

- Risk of failure relating to a specific project undertaken by the organisation
- Generally classified as operational

**Strategic Risk**

- Relates to the achievement of an organisation's overall strategic business plans & objectives

**Demographic Risk**

- Arises from demographic changes impacting both customers & employment
- Component of insurance risk
- May also be operational or market risk

**Moral Hazard Risk**

- Risk that a party behaves differently from the way they would if they were fully exposed to the consequences of the action, leaving the organisation to bear the consequences
- Related to information asymmetry, with the party causing harm having more information

**Conduct Risk**

- Encompasses risk relating directly to the relationship between the company & its customers.
- Includes:
  - Operational failures
  - Information asymmetries
  - Keeping pace with regulatory requirements & customer needs
  - Market conditions
  - Product development
  - Strategic objectives

**Social Risk**

- Arises due to uncertainty over the future characteristics of the population:
  - Age profile
  - Educational & health standards
  - Economic wealth
  - Attitudes & lifestyles

**Pension Risk**

- Risk of loss to the sponsoring company resulting from an unexpected deficit in the funding level
  - Poor returns, improved mortality
- Often categorised as market risk

Consistency of Categorisation
-----------------------------

Not all risks will be categorised or defined in the same way by different commentators. Example: market risk has lots of subcategories and definitions. Insurance and underwriting may be used synonymously or distinctly defined. Need to take the context into account.

Systematic & Non-Systematic Risk
--------------------------------

**Systematic vs Diversifiable Risk**

Systematic risk: affects the entire market or system; cannot be avoided or fully diversified. E.g. a decline in the market as a whole.

Specific/diversifiable/non-systematic risk: risk factors that are uncorrelated with, or possibly independent from, other sources of risk. Can be largely avoided through diversification. E.g. a decline in a specific stock only.

- Arises from an individual component of a financial market or system
- Should never take on any diversifiable risk: there is no reward for this risk
- Can diversify across or within asset classes

Risks can be systematic in one context but diversifiable in another. Think world market vs local market. All depends on the context.

**Situation-dependent risk**

- Risk can be uncorrelated in normal market conditions
- Correlation might however arise in conditions of extreme stress
- A non-systematic risk (an individual company's return) can become systematic (all companies' share prices falling at the same time)

**Concentration of Risk**

- Result of not being able to diversify
- Might be a deliberate decision
- May be due to:
  - Constraints
  - Choice
  - Poor risk management

Contagion
---------

**Financial contagion:** financial losses in one company, sector or country lead to losses in another. Systemic risk can be used to mean the same.

Important to note:

- Risks faced by institutions are often intertwined
- Institutions, markets & countries' economies are often interdependent

The efficiency with which information can be disseminated (through the internet & social media) and the way in which this information is presented can significantly increase the speed of the contagion effect.

Contagion can also arise in the area of credit risk modelling:

- Default of one
- Causes creditors & suppliers to experience difficulties
- Generating further defaults

**Credit contagion:** failure of one bank leads to losses at others.
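The holistic-versus-silo argument of Chapter 1 and the situation-dependent correlation point above can be made concrete with a small aggregation model. This is an added example, not from the notes or from any of the frameworks they cite; the standalone capital figures, the correlation assumptions, the square-root aggregation formula and the Euler allocation are all illustrative assumptions.

```python
from math import sqrt
from typing import Dict, Tuple

# Constructed, illustrative standalone capital figures (e.g. in millions) that each
# business unit would hold if it assessed its own risk in isolation (the silo view).
STANDALONE_CAPITAL: Dict[str, float] = {
    "market": 120.0,
    "credit": 80.0,
    "insurance": 60.0,
    "operational": 40.0,
}

# Constructed "normal conditions" correlations between the risk categories.
# Only one orientation of each pair is stored; the diagonal is implicitly 1.
NORMAL_CORRELATIONS: Dict[Tuple[str, str], float] = {
    ("market", "credit"): 0.50,
    ("market", "insurance"): 0.25,
    ("market", "operational"): 0.25,
    ("credit", "insurance"): 0.25,
    ("credit", "operational"): 0.25,
    ("insurance", "operational"): 0.25,
}


def correlation(corr: Dict[Tuple[str, str], float], a: str, b: str) -> float:
    """Look up rho(a, b) regardless of pair orientation; a risk is fully correlated with itself."""
    if a == b:
        return 1.0
    rho = corr.get((a, b), corr.get((b, a)))
    if rho is None:
        raise KeyError(f"no correlation assumption for ({a}, {b})")
    if not -1.0 <= rho <= 1.0:
        raise ValueError(f"correlation out of range for ({a}, {b}): {rho}")
    return rho


def silo_capital(standalone: Dict[str, float]) -> float:
    """Silo approach: each unit's requirement is simply added up, ignoring interactions."""
    return sum(standalone.values())


def aggregate_capital(standalone: Dict[str, float], corr: Dict[Tuple[str, str], float]) -> float:
    """Holistic approach (assumed formula): sqrt(sum_i sum_j rho_ij * C_i * C_j) over all pairs.

    With rho = 1 everywhere this collapses to the silo sum, so the silo figure is an upper bound.
    """
    names = list(standalone)
    total = 0.0
    for a in names:
        for b in names:
            total += correlation(corr, a, b) * standalone[a] * standalone[b]
    return sqrt(total)


def diversification_benefit(standalone: Dict[str, float], corr: Dict[Tuple[str, str], float]) -> float:
    """Capital the silo view would over-hold relative to the holistic aggregate."""
    return silo_capital(standalone) - aggregate_capital(standalone, corr)


def allocate_capital(standalone: Dict[str, float], corr: Dict[Tuple[str, str], float]) -> Dict[str, float]:
    """Euler allocation: C_i * sum_j rho_ij * C_j / aggregate.

    Contributions sum to the aggregate, which shows where the concentration of risk
    sits once diversification has been allowed for.
    """
    agg = aggregate_capital(standalone, corr)
    return {
        a: standalone[a] * sum(correlation(corr, a, b) * standalone[b] for b in standalone) / agg
        for a in standalone
    }


def stressed_correlations(corr: Dict[Tuple[str, str], float], severity: float) -> Dict[Tuple[str, str], float]:
    """Situation-dependent risk: push every correlation towards 1 as stress severity goes 0 -> 1.

    severity=0 leaves normal conditions unchanged; severity=1 makes every risk move together,
    so the diversification benefit the normal-conditions figure relied on disappears.
    """
    if not 0.0 <= severity <= 1.0:
        raise ValueError("severity must be in [0, 1]")
    return {pair: rho + severity * (1.0 - rho) for pair, rho in corr.items()}


if __name__ == "__main__":
    print(f"silo capital: {silo_capital(STANDALONE_CAPITAL):8.2f}")
    for severity in (0.0, 0.5, 1.0):
        corr = stressed_correlations(NORMAL_CORRELATIONS, severity)
        print(f"stress {severity:.1f}: aggregate {aggregate_capital(STANDALONE_CAPITAL, corr):8.2f}"
              f"  benefit {diversification_benefit(STANDALONE_CAPITAL, corr):7.2f}")
    for name, share in allocate_capital(STANDALONE_CAPITAL, NORMAL_CORRELATIONS).items():
        print(f"  {name:12s} contributes {share:7.2f}")
```

Under the constructed figures the silo sum is 300 while the normal-conditions aggregate is about 216, and the benefit shrinks to zero as the stress severity approaches 1.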
**[Chapter 4: How to do ERM -- Internal Risk Frameworks]{.smallcaps}** ====================================================================== We discuss good practices i.t.o framework, governance & culture. The focus is mainly on SH-owned co. but should be able to discuss other organisations in exam. Components of an Internal Risk Framework ---------------------------------------- Seven Major components of successful ERM Framework: - **Corporate governance** - Establish org processes & control - **Line management** - Integrate RM into bus processes - **Portfolio management** - Aggregate risk exposures & identify diversification effects & concentration of risk - **Risk transfer** - Mitigate excessive risk exposure cost-effectively - **Risk analytics** - Measure, analyse & report on risk - **Data & tech resources** - Support the analytics & reporting - **Stakeholder management** - Communicate & report on risk Corporate Governance -------------------- **Corporate governance** the system whereby BoD or gov bodies are responsible for the governance of their orgs upon appointment by SH. Concerned with: improving performance & conformance of companies for benefit of SH, PH & stakeholders. **[ERM & the Board]** Board is responsible for overall success of company responsible for ensuring that full range of risks faced by co are managed effectively. - Held responsible for any RM failures Successful ERM programme can help the Board discharge its responsibility by setting company's risk appetite & establishing suitable ERM framework to manage risk. The Board has unique opp to consider risk faced by company as a whole should avoid involvement in day-to-day operations. Able to influence success of ERM through other activities: - it sets direction, structure & culture of the co. - guides the allocation of fin & human resources to new initiatives. Good CG needs vigorous leadership from Board. 
The orgs should have: - codes of honesty & fair dealing - senior managers that lead by example ensuring these principles are met - all employees that have responsibility in identification of risks & communicate to central point - line managers that are held responsible for identification & management of risks in own areas Good practice for board to carry out annual self-assessment check to assess its progress towards full ERM. **Specific responsibilities of the Board:** - setting risk appetite - approving risk strat and/or policy - monitoring key risks - ensuring compliance with supervisory req - supporting establishment & maintenance of good risk culture To discharge these responsibilities the Boards activities may include: - establishing organisational structure for ERM - reviewing outcomes of RM process on ongoing basis - ensuring alignment of interest of management with investors through remuneration packages **[Development of CG Codes of Conduct]** Refer specifically to RM and to the system of internal controls used to ensure co. operates in a sound & secure way. Internal controls designed to provide reasonable assurance as to achievement of Co objectives. 
Main aims of IC (Internal Controls): - ensuring accurate & adequate record keeping - preventing fraud & safeguarding Co assets - guaranteeing the accuracy of Fin statements - responding appropriately to risk - ensuring compliance with Law & supervisory guidance Examples: - Cadbury Code of Best Practice (UK, pg 9) - Outside UK (pg 11) **[Best Practice in CG]** Five key principles for excellence in CG: - **Communication with Stakeholders** - Greater transparency - Facilitates more informed decision making - **Independence of the Board** - Majority not involved in actively managing the Co on daily basis - CEO & Chair to be diff individuals avoid concentration of power - Audit, remuneration & appointments subcoms to be composed of non-executive directors - NED's to meet independently of executive director at least annually - **Board Performance** - Engage in regular, formal self-assessments to rate its performance against best practice - Using external consultants will achieve unbiased result - **Board Remuneration** - Should be enough to attract, retain and motivate as well as reflecting responsibility & risk involved - Reasonable portion should be in form of Co stock - To align director's interest - **Board Appointments** - Should have combo of skills, experience & knowledge - Based on formal, rigorous & transparent procedure - Need an effective succession plan - Needs to promote diversity **[RM Subcommittee]** Role: - Strat oversight - Setting risk policy - Gathering relevant info on key risks Responsibility: - Ensuring suitable ERM framework established & implemented - Assessing RM objectives are achieved - Ensuring compliance - Reporting on risk - Keeping abreast of developments in RM RM established by drawing up risk subcommittee charter which covers: - Membership - Freq of meetings - Performance assessment - Resources available **[Audit Subcommittee]** Roles: - Monitoring integrity of Fin statements - Monitoring & reviewing internal assurance functions - 
Recommending, monitoring & reviewing the external auditor **[CG in Financial Institutions]** Based on **The Walker Review.** (Not really examinable, read pg 14) Risk Culture ------------ Culture is defined by approach taken to its activities & describes the Co shared values, beliefs & behaviours. **Risk Culture** subset of culture, which relates specifically to approach taken to RM. Good risk culture people know and do the right thing, even if there is no specific rule or policy telling them what to do, rather than acting in own interest. Board's responsibility to ensure good risk culture: - Consultative leadership - Participation in decision making on risks - Openness - Accountability rather than blame - Org learning - Knowledge sharing - Good internal communication RM should be approached as helping achieve success, rather than as protecting senior executives from criticism. Need to have easy reporting mechanism for risk on matters such as: - Perception of new threats or opps - Suggestions for mitigation of threats - Ideas for increasing opp - Existence of defective procedures - Failure to operate established procedures properly Co culture can only be changed effectively: - From top of the org - On incremental basis - As profile of new recruits changes the views of staff (read pg 18) **[Chapter 5: Risk Frameworks - Mandatory]{.smallcaps}** ======================================================== Three kinds of frameworks that will be discussed in next three chapters: - Mandatory - Advisory - Proprietary External Supervision -------------------- **[Supervisory Processes]** Prudential supervision involves: - Oversight - Licensing - Req to maintain min standards - Procedures for monitoring compliance with standards - Processes to take action against those who fail to comply **[Supervising & Controlling Parties]** Diff parts of org are subject to diff capital adequacy standards Arises from: - International bus regulated by diff territories - Subs that operate in diff 
industry sectors - Subs that operate in diff areas within same sector - Subs which are new ventures or acquisitions and at diff lifecycle stages Gov, supervision & control may be exercised by: - Professional bodies - Ensure members adeq trained - Members maintain competence through CPD - Prof regulators - Maintain public confidence - Set standards - Monitor adherence - Discipline breaches - Industry bodies - Promote interest of members through lobbying & other activities - Industry regulators - Act on behalf of gov to protect public Forms of regulation in Fin Services industry: - Functional reg diff authorities oversee diff activities (in UK) - Unified reg single regulator covers a broad range of activities (in AUS) **[Supervision of Insurers]** Supervisors seek to understand: - Nature of bus - Governance arrangements - Bus plans - Fin reports - RM strategies & processes Insurer-regulator relationship should be key component of ERM framework. This helps reduce level of risk a supervisor places on a particular insurer reducing supervisory burden. Regulators are also well placed to advise on best practice they see wide range of RM practices. Proactive engagement gives opportunity to benefit from such advice. **[Supervision of UK Fin Services]** Regulators of interest are FCA, PRA and LSE. Financial Conduct Authority (FCA): - Aim to protect consumers - Ensure industry remains stable - Promote healthy competition Prudential Regulation Authority (PRA): - Part of Bank of England - Responsible for prudential regulation & supervision of banks, building soc, credit unions, insurers & major investment firms - Sets standards - Supervises fin ins at level of the individual firm London Stock Exchange (LSE): - Two main traded markets: - Main market - Alternative investments market (AIM) Senior Insurance Managers Regime (SIMR): - Ensure that individuals that run insurance Co have clearly defined responsibilities & behave with integrity, honesty & skill. 
- Two main parts of SIMR: - Development of a governance map giving details of - Co & CG structures - Identified "Key Functions", "Key Function holders" and "Key Function Performers" - All individuals incl in the SIMR regime, their responsibilities & reporting lines - Rationale applied in identifying those indiv & allocating responsibilities to them - Req to carry out assessment of fitness & propriety of senior insurance managers & directors Basel Accords ------------- We focus on structure of accords and key principles for now. For supervision of the world's banking industry. Bank for International Settlements (BIS) guides Basel Committee on Banking Supervision (BCBS) to publish Basel regulations. Basel I set min capital req Basel II intended to supersede Basel I Basel II response to 2008 crisis, works alongside Basel I and II and focuses primarily on liquidity risk, systematic & counterparty risk. (Yet to come into effect) **Three Pillars of Basel Accords:** (Sweeting pg 492 to 503) - Minimum regulatory capital requirement (especially for Market, credit and operational risk) - Supervisory review of internal systems, processes & risk limits - Adequate disclosure Criticism: - Too much emphasis on single number to aggregate wide risks - Some risks diff to quantify - Some risks only given cursory consideration - More complex calcs don't imply reliable calcs - Regime costs a lot to implement - Banks all measure risk in same way try protect in same way at same time in crisis called risk herding - Market values may undervalue certain assets - Implied level of confidence could be spurious - Pro-cyclicality - Banks could become overconfident in their risk control Basel III addresses these shortfalls: - Strengthens capital requirements - Introduces conservation buffer - Changes minimum ratios of Tier 1 and Tier 2 capital - Allows some flexibility in capital req in times of fin crisis (limit pro-cyclicality) - Focuses on liquidity, counterparty and systemic risk after the 
credit crunch. Solvency II ----------- We focus on structure of the regime and key principles for now. Applies to insurers operating in EU member states. Solvency II aims to introduce: - Economic risk-based solvency req - More comprehensive req taking account of asset risk & liab risk - Req to hold capital against market, credit, operational & underwriting risk - Emphasis that capital is not only way to influence against failures - More prospective focus - Streamlined approach **Three Pillars of Solvency II:** (Sweeting pg 503 to 507) - Quantitative req - Solvency cap req (SCR) below which regulatory action is taken - Minimum cap req (MCR) below which authorisation is gone - Qualitative req - Insurers must carry out Own Risk & Solvency Assessment (ORSA) - Supervisory reporting & Disclosure **[ORSA]** Purpose is to provide Board & senior management with an assessment of: - Adequacy of RM - Current, & likely future solvency position ORSA requires each insurer to: - Identify risk to which it is exposed - Identify RM processes & controls - Quantify ongoing ability to continue to meet SCR & MCR - Analyse quant & qual elements of its bus strat - Identify relationship btw RM & level and quality of fin resources needed & available **[Basel II v Solvency II]** Similarities: - Both have three pillars of req with similar aspects - Largely risk based frameworks - Designed to be suitable for multi-national firms Differences: - Basel based on concept that market participants are dependent Significant contagion risk - Solvency II not designed with systemic risk in mind demise of one insurer will not lead to another - Basel has more prescriptive approach Sarbanes-Oxley -------------- SOX resulted from collapse of Enron & WorldCom. Aim is to improve reliability of corporate disclosures so that SH are protected. Primary Legislation in US, voluntary codes in UK. 
Key features: - Formation of Public Co Accounting Oversight Board (PCAOB) to inspect accounts and prosecute those in breach - Increased accountability of CEO and CFO - Audit com staffed by independent directors & least one fin expert - Each published report must contain internal control report - Req for external auditors to be independent - Strengthen separation of analyst & investment bankers - Illegal for directors to interfere with audit process (read pg 16 bottom) **[COSO ERM Framework]** Committee of Sponsoring Organisations of the Treadway Commission (COSO) have set out generic RM process. Principles embedded in COSO framework: - ERM should be integrated in orgs strat - Risk represents opportunity as well as loss - ERM is multi-dimensional & iterative - Should be integrated into everyday process - Everyone has role in ERM - RM process is imperfect - Implementing RM must balance cost with benefit Three dimensions of COSO cube: - Activities req to demonstrate internal controls - Internal environment - Objective setting - Event identification - Risk assessment - Risk response - Control activities - Communication & info - monitoring - Each bus area covered - Operational - Reporting - Compliance - Strategic - Each level of application - Subsidiary - BU - Division - Entity-level Swiss Solvency Test ------------------- Risk-based regulatory capital regime in force in Switzerland. Takes market consistent approach & similar to Solvency II pillar 1. SCR is calibrated to TailVar measure at 99% confidence rather than VAR at 99.5%. **[Chapter 6: Risk Frameworks - Advisory]{.smallcaps}** ======================================================= Advisory Risk Frameworks ------------------------ **[UK Gov RM Model]** UK publication called Management of Risk -- Principles & Concepts (The Orange Book) Higher level guide than other RM frameworks designed to provide broad-based general guidance on principles of RM in public & private sectors. 
Includes advanced guidance, such as horizon scanning: a systematic activity designed to identify indicators of change in risk. (Downloaded Orange Book)

Key principles embedded in the Framework:

- Importance of linking risks to objectives
- Distinction btw a risk & its impact
- Need to distinguish inherent & residual risks
- Prioritisation of risk is more important than quantification
- Risk appetite should be subdivided into corporate, delegated & project
- Regular reviewing & reporting is NB
- Dedicated risk committee is recommended

**[Canadian Gov RM Model]**

The Treasury Board of Canada published the Integrated Risk Management Framework. A decision-making framework for public sector employees.

Key principles embedded in the Framework:

- Importance of establishing a comprehensive understanding of the org's risk profile, appetite & tolerance
- Focus on the RMF & integration of RM activities
- Value of a continuous & supportive learning environment
- Need to establish the 'relationship btw org & operating environment, revealing interdependence of individual activities & horizontal linkages'

Four Elements of the Framework:

- Developing the corporate risk profile
- Establishing an Integrated RMF
- Practising Integrated RM
- Ensuring continuous RM learning

**[AUS & NZ Standard]**

AS/NZS 4360:2004 is a best practice RM standard.

Key features & principles of the standard:

- Detail on risk analysis for non-fin orgs
- Recommendation that the RM process is formulated into a RM plan
- Stresses the importance of senior management buy-in
- Need for adequate resources to be allocated to RM

Sets out a seven-element process:

- Establish internal & external context
- Identify risk
- Analyse risk
- Evaluate risk
- Treat risk
- Monitor & review
- Communicate and consult

**[ISO 31000:2009]**

Global RM guidance standard issued by the International Organization for Standardization. Provides generic guidelines for the principles of best practice RM.
Distinguishing characteristics include:

- Emphasis on the possibility of an effect, rather than the possibility of an event
- Focus on how such effects could affect objectives
- Viewing the risk framework as being dynamic

**[RAMP]**

Risk Assessment & Management for Projects. Mainly concerned with capital projects, but still relevant to day-to-day bus, especially a portfolio of projects.

Eight steps in the RAMP process:

- Similar to those from AS/NZS
- Includes project launch & closedown stages
- Go/no-go decision step

**[IRM/AIRMIC/Alarm Standard]**

Institute of RM, The Association of Insurance & Risk Managers and Alarm (National Forum for RM in the Public Sector). All share similarities with the COSO framework.

Key features & principles:

- In-house approach to RM is preferable
- Internal audit is an NB control
- Clarity over the roles of stakeholders is NB
- Highly structured approach to risk reporting is beneficial.

**[Chapter 7: Risk Frameworks - Proprietary]{.smallcaps}**
==========================================================

A proprietary risk framework is one that is used by an org for a specific purpose, e.g. obtaining a credit rating.

Proprietary Risk Frameworks of Credit Rating Agencies
-----------------------------------------------------

**[Intro to Credit Ratings]**

A credit rating is issued by a credit rating agency as an indication of creditworthiness. Investors use it to assess the security of debt.
Ratings can be assigned to:

- Issuers
- The issue itself

Leading credit rating agencies:

- Standard & Poor's
- Moody's
- Fitch

Main objective of obtaining a good credit rating is to borrow as cheaply as possible.

Shortcomings of credit ratings:

- Rating agencies are paid by the debt issuer
  - Under pressure to assign good ratings
  - This conflict of interest is offset by the need for rating agencies to maintain credibility with users of the ratings

**[The S&P approach to rating RM Practices]**

Benefits for a Co of having a robust ERM framework across the entire enterprise:

- Allows a prospective view of the Co's capital needs
- Highly tailored to suit each individual Co
- Benefits of diversification

Three risk elements in the S&P rating framework:

- Sovereign risk analysis, e.g. tax, currency control
- Business risk analysis, e.g. industry prospects, lack of diversification
- Financial risk analysis, e.g. profit level, CF, capital structure

**[Assessment of ERM capability]**

This is a key factor for credit rating agencies. Capabilities are rated as weak, adequate, strong or excellent.

Two features of an insurer's business determine the significance of the categorisation:

- How complex the risks are that the insurer accepts
- Amount of available capital and ease of access to it, i.e. capability to absorb risk

**[S&P approach to measuring ERM capability]**

Five main areas that S&P measure:

**RM culture**

- Degree to which risk & RM are important considerations in all aspects of corporate decision making
- Dimensions that are considered:
  - Philosophy towards risk & risk appetite
  - Governance & org structure of the RMF
  - External & internal risk & RM disclosure
  - Degree to which there is understanding of & participation in RM

**Risk control**

- Control mechanisms for each risk will be assessed considering:
  - How well the Co's risk identification procedures are carried out
  - How well risks are monitored on an ongoing basis
  - Limits set for retained risk
  - Execution of the RM process

**Extreme event management**

- Low frequency, high-impact events that are a serious threat
to the Co's financial health
- S&P looks for the Co considering various risks like terrorism, natural disaster and reputational incidents
- Stress testing & scenario analysis are important here
- Early warning indicator reporting & catastrophe insurance are potential risk mitigators.

**Risk & Capital models**

- Capital model determines how much capital is required to withstand a certain level of shock
- Risk model involves determining a measure of risk
  - **Indicative risk measure**: gives a broad indication of the trend in risk
  - **Predictive risk measure**: measures risk directly or indirectly in relation to loss at a particular percentile of the distribution
  - **Sensitivity risk measure**: returns the sensitivity of a value to a change in an underlying factor
- (Go over solution on pg 10)

**Strategic RM**

- Assess the focus that the org puts on risks to its key corporate goals
- Six positive features S&P look for:
  - Clear decision making with regard to retained risk
  - Clear strategy for investing assets
  - Pricing of products that reflects the return/risk payoff
  - Appropriate capital allocation btw diff business units based on the capital model
  - Appropriate dividend policy, influenced by risk-adj return on retained capital
  - Good risk-adj returns

**[Strengths & Weaknesses of the S&P approach]**

Strengths:

- Overall emphasis on ERM
- Focus on use of eco capital or risk capital measures
- Consideration of operational performance
- Useful breakdown into components of ERM analysis
- Encourages greater transparency
- Introduces a classification system, making it easier to communicate the outcome
- Same criteria applied to all insurance Cos, but also tailored to each one

Weaknesses:

- Only the view of S&P
- Limited to insurance & reinsurance Cos
- Document is part of the Co's
marketing literature, so overly optimistic
- Limited description given of actual procedures
- No explicit mention of agency risk
- Complicated & powerful models are highly subjective & may be problematic
- Reliance should not be placed solely on the opinion of rating agencies

**[S&P ERM capability assessment]**

See table on pg 13.

**[Chapter 8: ERM Processes & Structures]{.smallcaps}**
=======================================================

Considering the high-level processes & structures that support effective RM.

Corporate Strategy
------------------

The degree to which risks are embraced or mitigated is an important part of overall corporate strat. Risk org, retention & transfer have a transactional context but also form part of overall bus strat. Strategy covers a wide range of corporate decisions.

Strategic decisions relating to risk:

- Degree to which risky projects/products are undertaken
- Degree & type of risk transfer & hedging used
- Management of the Co's borrowing & gearing ratio

Recall: higher risk retained = higher expected returns = more likely to find themselves in difficulties. Prob of fin distress can directly affect the value of the Co.

Thus the Cos that would benefit most from active management of corporate risks include those that:

- Offer products with high 'added value' (quality)
- Offer products which have high costs of switching to another line
- Offer products whose value to the customer depends on complementary services
- Have high sales growth opportunities

Systematic management of corporate uncertainty is becoming more prevalent, and includes:

- Techniques to ensure potential problems are spotted early so mitigating actions can be taken
- Embedding resilience & flexibility into corporate structures

More attention is given to systematic 'horizon scanning' to try to spot such pressures.

RM Control Cycles
-----------------

**[Intro]**

A control cycle should be capable of taking account of changes in risk.

**[The ACC]**

This is a fundamental RM tool.
Involves the following processes:

- Analysing
- Quantifying fin consequences
- Considering methods for risk management
- Monitoring
- Modifying or changing approaches

Diagram of the ACC:

- Specifying the problem
  - Risk & risk management
  - Contract design
  - Capital req
- Developing the solution
  - Modelling (choosing the correct one)
  - Data
  - Assumptions
  - Pricing
  - Provisioning
  - Asset management
  - Capital management
  - Surplus management
  - Accounting and reporting
  - Assessing alternatives
  - Formalising a proposal
  - Communicating the results to stakeholders
- Monitoring the experience
  - Monitoring
  - Identifying departures from target outcome
  - Analysis of surplus
- The general commercial & economic environment
  - Providers
  - Regulation
  - External environment
  - Insurance products
  - Asset classes
  - Economic influences
- Professionalism
  - Actuarial advice

**[An ERM Process]**

Described by Sweeting, it is a generic cycle (diagram not reproduced). The cyclical structure is directly applicable to ERM through:

- Analysis (including identification)
- Quantification
- Management
- Monitoring
- Modification

Organisational structures supporting ERM
----------------------------------------

**[Three Lines of Defence]**

Common RM model in fin services & other industries.

**First line -- Line management staff in business units:**

- Accountable for measuring & managing risk in indiv bus units on a daily basis

**Second line -- CRO, RM team (RMF) & compliance team:**

- Accountable for est risk & compliance programmes & policies
- Supporting & monitoring line management
- Reporting to the Board

**Third line -- Board & audit function:**

- Accountable for effective governance of the RM process
- Setting RM strategy
- Approving policies
- Ensuring ERM is effective

Key element in most successful models is a Central Risk Function (CRF), headed up by the CRO.
**[Chapter 9: Risk Policy]{.smallcaps}**
========================================

We will:

- Describe how the Board expresses & communicates expectations & req by means of a risk policy
- Consider how an org may assess & describe risk appetite
- Consider how an org makes use of a risk appetite statement when managing risk

Terminology
-----------

**Risk profile:** complete description of the risk exposures of an org, including risks that might emerge in the future & will affect the current bus of the org. Changes with time.

**Risk exposure:** maximum loss that can be suffered if a risk event occurs.

**Risk appetite:** reflects the setting of targets & limits across the org as a whole, plus a breakdown of these high-level statements into more detailed risk tolerances.

**Risk tolerance:** more detailed statements, many quantitative or statistical in nature. Can apply to specific categories of risk and/or units of bus. (**Amount of risk the organisation needs to take on**)

**Risk limits:** group of guidelines that sets limits on acceptable actions that might be taken today. If all are adhered to then each individual unit will be working within permitted risk tolerances. Can be regarded as a component of risk capacity.

**Risk capacity:** volume of risk that an org can take, as measured by some consistent measure such as economic capital. Determined by regulations.

Key to est a RM strat with clear statements as to:

- Upper bound of risk exposures
- Current risk exposures
- Desired risk exposures
- Breakdown of the upper bound & risk targets into more detailed statements
- Detailed operational guidelines for managers so they can ensure boundaries are not breached.

Failure to be clear about terminology is an operational risk.

Utility Functions
-----------------

Useful tool for expressing an org's risk appetite, i.e. its degree of risk aversion. Based on maximising the expected value of a utility function.

**Utility function** $U(w)$ is a measure of happiness or satisfaction expressed as a function of wealth, $w$.
Realistic UF are:

- Monotonically increasing: $U'(w) > 0$, non-satiation
- Concave: $U''(w) < 0$, diminishing marginal utility

**[Expected Utility Theorem]**

Stated:

- A function $U(w)$ can be constructed representing an investor's utility of wealth, $w$, at some future date.
- Decisions are made to maximise the expected value of utility given the investor's beliefs about the prob of diff outcomes.

**[Absolute & Relative Risk Aversion]**

Arrow-Pratt measures are used to express the degree of risk aversion.

Absolute risk aversion: $A(w) = -\frac{U''(w)}{U'(w)}$

Relative risk aversion: $R(w) = A(w) \times w$

Both are defined i.t.o. the second derivative of the UF & relate to the curvature of the UF. If curvature increases as we move from left to right, the org is becoming more risk averse as wealth increases.

Increasing ARA means the investor becomes more risk averse as wealth increases. Increasing RRA means the investor would invest a smaller proportion of wealth in risky assets as wealth increases.

**[Examples of UF]**

See page 9

**[Prospect Theory]**

Under prospect theory:

- Investors derive utility from gains & losses measured relative to some reference point, rather than the absolute level of wealth
- Tend to be risk averse in gains, risk seeking when pondering losses
  - UF is concave in the region of gains
  - Convex in the region of losses
- Loss aversion: investors are more sensitive to losses than to gains of the same magnitude
  - Gradient in the loss region is steeper than in the gains region
- See graph page 10

RM Policy
---------

The RM policy sets out how the org will manage each category of risk to which it is exposed.
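Worked example for the Arrow-Pratt measures in the Utility Functions section above, added to these notes (not from the source text), using two standard utility functions that both satisfy the "realistic UF" conditions:

For exponential utility with parameter $a > 0$:

$$U(w) = -e^{-aw}, \qquad U'(w) = a e^{-aw} > 0, \qquad U''(w) = -a^2 e^{-aw} < 0$$

$$A(w) = -\frac{U''(w)}{U'(w)} = \frac{a^2 e^{-aw}}{a e^{-aw}} = a, \qquad R(w) = A(w) \times w = aw$$

so ARA is constant but RRA increases with $w$: the investor keeps the same absolute amount at risk, hence a smaller proportion of wealth in risky assets as wealth grows.

For logarithmic utility:

$$U(w) = \ln w, \qquad U'(w) = \frac{1}{w} > 0, \qquad U''(w) = -\frac{1}{w^2} < 0$$

$$A(w) = -\frac{-1/w^2}{1/w} = \frac{1}{w}, \qquad R(w) = \frac{1}{w} \times w = 1$$

so ARA decreases with $w$ and RRA is constant: the proportion of wealth held in risky assets stays the same at every wealth level.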
The Board-approved RM policy should include:

- Objectives & definitions
- RM organisational structure
- RM processes & benchmarks (read pg 11)

Policy should cover a similar time period to business plans and should be reviewed at least annually.

Expressing Risk Appetite
------------------------

Risk appetite is broadly defined as the degree of risk that an org is willing to accept in order to achieve its objectives.

Risk appetite will reflect capacity to absorb risk and is affected by factors such as:

- Objectives, strat & culture
- Current overall bus environment
- How successful the Co is currently

This includes:

- Consideration of the level & types of risk that are desired in order to meet objectives
- Risk tolerance

Risk appetite will be based on a similar time horizon to the Co's business plans. A clearly articulated risk appetite can be translated into a desired risk profile for the org.

Key role of the RMF is to est at Board level the Co's appetite for risk & translate this guidance into a set of risk tolerances for the whole org.

The risk appetite does not need to be complex; it can be a short and clear set of statements related to one or more measures of risk. The Board may wish to express appetite with reference to:

- Solvency level
- Credit rating
- Earnings & ability to pay dividends
- Economic value

Boards may express risk appetites using a combo of statements linked to several metrics. Statements are usually translated into more probabilistic statements. (See pg 13)

Different stakeholders have diff risk tolerances, so it is important to express risk appetite with each different stakeholder in mind.

Translating Risk Appetite into Action
-------------------------------------

**[Establishing Risk Tolerances & Risk Limits]**

Risk tolerance statements describe the levels of risk a Co is willing to bear. Risk appetite statements generally apply to the whole org; individual risk tolerances can apply at a much lower level.
Senior RM have the task of translating higher-level statements of risk appetite into detailed risk tolerances & risk limits across the enterprise. Needs to be carried out holistically to take advantage of synergies & avoid concentration of risk.

Statements need to be both:

- Quantifiable: expressed in probabilistic ways
- Non-quantifiable: clear statement of what is acceptable and what is not.

**[Risk Limits]**

Statements of risk tolerance need to be expressed in ways that are easily understood and implemented by staff. Risk tolerance limits translate risk tolerance levels into operational limits for each major category of risk. They give guidance to managers about the max level of risk their units may take.

**[Using Risk Appetite, Tolerances & Limits]**

Can be used when assessing the viability of proposed projects.

**[Chapter 10: Monitoring & Communication of Risk]{.smallcaps}**
================================================================

The info directors & managers require in order to meet their accountabilities & responsibilities is obtained from the monitoring & communication process.
Monitoring Requirements
-----------------------

**Data & Resources**

- Need to gather suitable data, both internal & external, on which to base risk analysis
- Quality of outcome depends on quality of data used
- Orgs need to invest in appropriate systems & tech with adequate HR to support this process
- Need to have clear objectives & reporting lines

**Documentation**

- RM process should be supported with thorough documentation
- Use common templates across the bus
- Key processes & systems that need to be documented:
  - RM decisions made & reasons
  - Systems
  - Fin models, incl assumptions & data employed
  - RM failures, incl nature & loss of such failures

**Information**

- Need substantial info to manage risk effectively
- Such info needs to be:
  - Delivered to users in a timely manner
  - Reliable

**Communication**

- Is the way info is collected & disseminated
- Five types of communication:
  - Internal
  - External (inwards)
  - External (outwards)
  - Informal
  - Formal
- RM process & results need to be communicated effectively to all stakeholders
  - Helps them to monitor RM strats
  - & complete feedback loops
- This incorporates:
  - Internal comms to the Board so they are fully aware of the risks being faced & how they are being dealt with
  - External comms

Risk Metrics
------------

Will be included in regular risk reporting. An important part of feedback loops: the Board can monitor the amount of risk being taken & whether policies are effective.

Risk metrics support the implementation of the risk appetite framework:

- Less difficult or time consuming to measure compared to probabilistic statements of risk appetite or tolerance statements

Consist of quantitative & qualitative indicators of the level of risk in a specific part of the org. At each level of risk appetite statement the org may utilise a number of risk metrics. Thresholds in these metrics may act as triggers to identify potential problem areas so appropriate action can be taken timeously.
Key Risk Indicators (KRIs)
--------------------------

Unlikely that any single risk metric is fully reflective of risk in reality, so need to develop a range of risk metrics to have a broad view. Where risk metrics form a key part of the RM framework they are typically referred to as KRIs.

Managers make use of KRIs to identify when risk limits are close to being exceeded:

- They prompt actions
- To keep the org within risk tolerances

What to consider when deciding on KRIs to use:

- Policies & regulations
- Strats & objectives
- Past losses & incidents
- Stakeholder req
- Risk assessments

Good KRIs are:

- Quantifiable
- Based on consistent methods & standards
- Incorporate key risk drivers
- Tracked over time
- Tied to objectives
- Linked to accountable indiv
- Useful in decision making
- Benchmarked externally
- Timely
- Cost effective to measure
- Simple

Risk Reporting
--------------

**[Feedback Loops]**

- Can inform of any significant issues or changes in the bus or environment.
- Org can ensure its ERM framework is able to identify & respond appropriately to changes using feedback loops.

**[Reporting Processes]**

- Important for an effective reporting process to be developed
  - Ensures all stakeholders have the risk info they req
  - Allows risk to be reflected in management decisions
  - And for effective monitoring of risk levels
- Should be clear & relevant
- Closely linked to management's risk appetite & tolerances
- Should be included in risk reports to provide sufficient info to allow clear & timely decisions

Using a mixture of summary stats & other indicators, a risk reporting system will help answer:

- Are bus objectives at risk?
- Are we in compliance?
- What risk incidents have been escalated?
- What KPIs or KRIs need attention?
- What risk assessments need to be reviewed?
**Key components of a Risk report to a Board:**

- Internal & external, qual & quant info
- Summary of
  - Losses
  - Incidents
- Summary of key bus risks & links to discussions & decisions req by the Board
- Narrative from management on important data & trends
- KPIs linked to Co objectives & strat
- KRIs, relative to risk limits
- Important events/milestones

Risk reporting is typically structured according to risk types & operating units:

- Include summaries of key risk areas
  - Tabular or graphical form
  - With indication of likelihood & severity
  - Traffic light system is a common way (read solution on pg 11)

**[Balanced Scorecard/ Dashboard Reporting]**

Balanced scorecard integrates bus & fin reporting. Usually has four main areas:

- Finance
- Stakeholder
- Growth & learning
- Internal bus processes

ERM scorecard could consider:

- Cost of risk (to minimise)
- Regulatory/policy violations
- Performance-based feedback loops
- ERM development milestones

**[Chapter 11: Stakeholders]{.smallcaps}**
==========================================

A stakeholder is someone who supports & participates in the survival & success of a Co. (Figure not reproduced.)

Stakeholders
------------

**[Shareholders]**

- Seek a good return on their investment
  - Taking into account inherent risk
- Strong interest in protection against events that could cause a collapse in share price
- Seek value creation through risk-taking
- Rely on auditors & directors to safeguard their investment
- Have limited power
  - Can use shareholder service providers to overcome this

**[Customers & PH]**

- Seek good value for money & security of the Co
- Customers can have great power collectively
- Customers & PH can have diff risk perspectives depending on the type of org.
- **Key aspects of customer management:**
  - Acquiring new customers
    - Retaining customers is cheaper than recruiting new ones
  - Retaining customer loyalty
  - Knowing your customer
  - Effective crisis management
    - Can enhance reputation
    - Having contingency plans will help
    - Should never cover up a crisis
    - Act swiftly to resolve
    - Keep stakeholders informed
    - Focus on the long-term future rather than minimising short-term costs

**[Directors]**

- Need to balance the needs of stakeholders with their own personal interest
  - Influenced by remuneration
- Need to fully understand the business & be able and willing to challenge management decisions
- Ensure Co remains compliant
- Executive directors have the same risk perspectives as employees (coming up next)

**[Employees]**

- Key role in ERM
- Continued profitability & security of the Co is directly related to security of individual jobs & benefits
- The further down the organisation chart an employee sits, the more likely they are to act in their own interest
  - Agency risk
- Members of unions present additional operational risks
- Free agents are less likely to align their interests with those of the Co
- **Aspects of employee management:**
  - Recruitment
    - Identify then recruit the right indiv
    - Cash compensation & other incentives & benefits important
  - Staff retention, promotion & training
    - Turnover is costly
    - Morale, retention & productivity can be enhanced by career development
  - Dismissal & resignation
    - Large scale redundancies can affect morale & lead to voluntary resignations
    - Exit interviews are valuable to find out reasons for leaving
  - Aligning interests

**[Regulators]**

- Ensure Co complies with relevant regulatory standards
- Aim to protect stability of markets
- Balance required: sufficient controls to protect stakeholders but not to restrict activity and constrain markets
- Need an intervention process to allow opportunity for correction & improvement to avoid closing down

**[Government]**

- Sets regulation & legislation
- May intervene if Co in trouble
  - Lender of last resort
  - Nationalisation
- Key risks faced by Gov:
  - Insufficient tax revenue
  - Inappropriate insolvencies
  - Regulatory arbitrage
  - Electoral losses

**[Professional advisors]**

- External auditors have a duty to report openly & honestly on the state of the Co
  - Effectiveness depends on degree of disclosure
- Other professional advisors could bring independent technical expertise and industry benchmarking info
- Key risks faced:
  - Reputational
  - Risk of litigation
  - Conflict of interest

**[Credit rating agencies]**

- Act as gatekeepers for Cos wishing to raise capital
- Strong influence on share price
- Influence views of external observers
- Key risks faced:
  - Reputational risk
  - Conflict of interest: the people who pay their bills are those who they are rating

**[Creditors]**

- Require payment of monies owed to them
- Interested in security of the Co over the repayment term
- Key risks faced:
  - Default/credit risk
  - Lack of power to have their debts repaid

**[Subcontractors & Suppliers]**

- Affected directly by failure of a Co
- Co is exposed to risk of failure of subcontractors & suppliers

**[Trustees & Beneficiaries of Pension Schemes]**

- Demand security of the pension scheme
  - Depends on fin security of sponsor
- Balance scheme security with cost of benefit provision
  - Close a weak scheme rather than increase contributions
- Risk perspectives:
  - DC: similar to investor & creditor
  - DB: similar to debtholder or customer; sponsor similar to equity provider
  - Trustees: similar to members but may have conflicts of interest

**[General Public]**

- Interest through being one of the stakeholders above
- Expansion of the internet enhances the speed & spread of info & opinions

**[Business partnerships]**

- Have benefits & pitfalls
- Benefits:
  - Faster prod development
  - Access to new markets
  - Sharing of fin risk
  - Economies of scale
- Pitfalls:
  - Conflicts of interest
  - Waste of resources
  - Damage to reputation
  - Loss of intellectual capital

Conflicts between Stakeholders
------------------------------

Results from
differing objectives of each stakeholder.

- Co should develop a clear understanding of each stakeholder's interests
- Interests should be aligned where possible
- Stakeholder interests & req should be reflected in the corp bus plan

**[Agency Risk]**

- Risk resulting from misalignment of interest btw managers, employees & SH (and other stakeholders) is agency risk
- Need to separate management & ownership:
  - Those with expertise in running the bus have decision-making responsibilities
  - Indiv or instit want to invest without getting involved in day-to-day running
  - Continuity of management despite freq change of ownership
- Management may not always act in the interest of owners
- Risk is coupled with risk arising from misalignment of interest btw other groups of stakeholders
- Executive compensation is an NB consideration
- Cost from this risk is agency cost & includes the cost of mitigating this risk
- Conflicts or agency risk arise in situations such as:
  - Remuneration of key employees
  - Financing decisions
  - Situations involving a dominant CEO
  - Management decisions

**[Financing]**

- Conflict btw providers of finance & providers of equity capital

**[Dominant CEO Risk]**

- Risk they surround themselves with 'yes' people
  - Try to win favour with the CEO irrespective of the risks their decisions generate

**[Low-Risk management decisions]**

- Managers try to ensure personal job security by taking low-risk investment decisions
  - May penalise the Co's long-term profitability & SH return
- Managers may resist mergers or takeovers that threaten their own prospects

**[Regulators & Gov]**

- Remuneration & career prospects of regulators may be misaligned with the interest of the general public

**[Chapter 12: Governance Functions & the Role of the CRO]{.smallcaps}**
========================================================================

We consider governance & assurance functions in more detail:

- Role, responsibility & skills of the CRO
- Issues to consider when est a RMF or CRF
- Compliance
- Audit

The Chief Risk Officer
----------------------

**[Corporate Structure]**

A good CRO improves the effectiveness of the org's RMF by:

- Filling in gaps in skills, knowledge & experience in the management team
- Providing resources for the RMF
- Being prepared to escalate issues directly to the Board

May sit on the Board or report to the Board through the CEO or CFO. Accountabilities, responsibilities & relationships btw the Board, subcoms, CRO & line management should be clearly defined & distinct.

**[Responsibilities of CRO]**

Typically, the CRO is accountable to the Board for developing, implementing & maintaining an ERM strat.

Key responsibilities:

- Managing risk functions
- Providing leadership & direction for ERM
- Design, implement/integrate the ERM framework
- Ongoing risk policy development & monitoring adherence
- Managing/optimising the risk portfolio
- Risk reporting
- Allocation of capital to bus objectives
- Development of data systems & risk models
- Safeguarding expertise
- Supporting an appropriate risk culture

**[Key Skills req of a RM Expert]**

Five key skills of a CRO:

- Leadership
- Communication / evangelism
- Stewardship
- Technical competence
- Consulting skills

(Can read over pg 7, not part of core reading)

**[Initial Priorities]**

Soon after appointment, the CRO will need to establish whether:

- There is a clear understanding of the Co's risk tolerance
- Management compensation is aligned with prudent RM
- There are good risk reporting channels
- There are any gaps in skills, capability & experience of the team
- Each part of the bus increases overall value
- RM is linked to cap management, pricing & reserving processes
- Governance structures are robust
- The quality & extent of info provided to stakeholders allows them to assess the fin condition of the org
- The RM operating model is appropriate

The CRO will also need to:

- Establish a close working relationship with the CFO
- Have authority within the org
- Understand the insurer's key stakeholders & drivers of performance

The Risk Management Function
----------------------------

**[The Central Risk Function (CRF)]**

For large orgs, a key element in most
successful governance models is a CRF. This function reports to the Board through the CEO or CRO.

CRF might be:

- A team of specialist risk managers
- Just one person in a small org

CRF role should include:

- Giving advice to the Board on risk
- Assessing the overall risk being run by the bus
- Making comparisons of overall risks being run with risk appetite
- Acting as central focus point for staff to report new & enhanced risks
- Giving guidance to line managers about identification & management of risks
- Monitoring progress on RM
- Pulling the whole picture together

**[Relationship btw Lines of Defence]**

Recall the three lines of defence:

- Line management staff in BU
- CRO, RM team and compliance team
- Board & audit function

The relationship btw the first two may be characterised as one of the following three models:

- **Offence vs Defence**
  - Two lines set up in opposition to each other
  - BU focus on max income
  - RM focuses on min loss
  - Relationship is potentially destructive & damaging since they have opposing objectives
- **Policy & Policing**
  - BU operates within rules
  - RMF sets rules, which are policed by RM, audit & compliance functions
  - Potential problems:
    - Policies become out of date
    - Audit & compliance reviews do not occur continuously, so may fail to identify problems
    - Friction btw line management & RM as each fails to understand the other's view
    - Line management has little incentive to report problems, violations & issues
- **The Partnership Model**
  - RM staff integrated into BU and the two functions share some measure of performance
  - BU and RM work together in a client-consultant type way
  - BU must recognise the benefit of long-term performance of the RMF
  - RM staff must recognise the importance of their role as consultant
  - Independence may suffer in this structure

An appropriate governance structure will depend on:

- Structure of existing comms & decision-making bodies
- Size & nature of bus
- Risks faced
- Autonomy & accountability of elements in the current corporate structure

**[Challenges in relationship management]**

Four key challenges in managing the relationship btw BU & RM staff:

- Conflict & conflict resolution
- Management of RM staff within BU
- Aligning incentives
- Measuring operational risk

**[Skills req within Risk Function]**

Risk function needs a wide range of skills:

- Project management
- Change management
- Relationship management
- Technical expertise
- Implementation skills

Line Management
---------------

ERM framework req an appropriate structure for governance of RM activities, supported by:

- Process for engaging with BU
- Common risk taxonomy
- Standard RM process
- Appropriate incentives for employees
- Clear monitoring & risk reporting

**Bus Strat**

- RM should be considered when developing plans & strat for each BU
- (Read six questions pg 13)

**New Product/ Bus Development**

- Decisions on launch of a new product or bus rely on many assumptions
- Risk of assumptions not being borne out may be addressed by:
  - Setting trigger points for each assumption
  - Setting up a specific risk comm for new product & bus development

**Pricing of Products**

- Take account of all costs of risk:
  - Expected losses
  - Cost of capital
  - Cost of risk transfer

**Measuring Bus Performance**

- The assessment should take account of risk

**Risk & Incentive Compensation**

- Best practice for remuneration systems in fin orgs includes:
  - Link btw executive compensation & RM should be disclosed
  - Compensation should not encourage excessive or inappropriate risk-taking
  - Clawback provisions should be implemented

Compliance
----------

**[Compliance Function]**

Compliance often refers to a separate function. Ensuring that the Co complies with relevant laws, rules & regs is a significant responsibility for all Cos & their employees.
**[Compliance Process]**

- Requires good knowledge of legislation & other rules
- Good practice is to ensure line managers have identified the provisions with which they must comply
- They must also document compliance with each provision
- The risk of non-compliance must be identified
- A plan should be drawn up for achieving compliance in a suitable timescale

Audit
-----

**[Internal Audit Function]**

Is a key governance function. Its role in reviewing the RM process needs to ensure that org systems are as secure as possible to prevent fraud. Other responsibilities include:

- Monitoring compliance
- Checking system errors
- Looking for non-observance of internal governance codes
- Examination of key spreadsheets
- Examination of procedures for paying insurance premiums on time

**[External Audit]**

Validation of the RM process by a separate entity:

- May be req by the regulator
- Potentially provides an additional source of learning

**[Chapter 13: Business Analysis, Risk Identification & Initial Assessment]{.smallcaps}**
=========================================================================================

Risk identification helps an org first determine & understand what risks it faces, including:

- Consideration of why each risk arises
- An initial assessment of the impact it could have

This module looks at the first part of the RM CC:

- Business analysis
- Risk identification
- Initial assessment of risk

The Risk Identification & Assessment Process
--------------------------------------------

The Co needs a well-defined process to identify & assess risk.

**Six step process** to produce & maintain a comprehensive identification & initial assessment of risks faced:

1. Business analysis
    - Ensure the bus has clear objectives
    - Will involve:
        - The wider environment
        - Bus plan
        - Co structure, systems & internal controls
        - Current & projected accounts
        - Market info
        - Resources available to the Co
        - Leg & reg constraints
        - General eco environment
2. Identify risks faced in a structured way
3. Obtain agreement on the risks faced, the relationships btw them & identify the indiv who are responsible for them
4. Evaluate risks i.t.o. likelihood of occurrence & severity of impact
5. Produce a risk register to record the results & process in one place
6. Review the risk register regularly

**Benefits of Risk Identification & Assessment**

- Enhances awareness & transparency
- Helps transfer knowledge & improve understanding
- Firm base for subsequent risk analysis, quantification & prioritisation
- Enhances quality of reporting to the Board
- Helps improve bus decision making

**Requirements**

- Need senior sponsorship of the RM programme
- Consistency of standards used over time
- Ensure quantitative & qualitative data is used to develop a comprehensive risk profile
- Integrate risk identification with the RM process
- Demonstrate added value

**Risk Assessment Process**

Four stage process (Lam) (read pg 7 & 8):

1. Foundation setting
    - Gaining executive sponsorship
    - Organising and planning of resources
    - Defining a risk taxonomy
    - Building customised risk identification and assessment tools
    - Educating and training project teams and management
2. Risk identification, assessment & prioritisation
    - Understanding business objectives, risk appetite as well as regulatory and policy requirements
    - Undertaking risk assessments, both top down and bottom up
    - Producing risk reports & risk maps
    - Prioritising risks
3. Deep dives, risk quantification & management
    - More detailed assessments of the top risks
    - Producing risk tolerance statements and tracking KRIs
    - Determining risk management strategies and the total cost of risk
4. Business & ERM integration
    - Linking risk assessment with both strategic planning and business review processes
    - Integrating risk assessment into everyday business operations
    - Conducting scenario analysis and stress testing
    - Reporting on risk
    - Creating and maintaining loss / event databases
    - Establishing appropriate risk-escalation policies

Risk Identification & Recording
-------------------------------

**[Risk Identification Tools]**

- SWOT analysis
- Risk checklist
    - List of risks identified on past projects or initiatives
    - Or from an external source
- Risk prompt list
    - List of diff categories of risk to consider
    - May be produced on an industry-wide level by a supervisory authority
- PESTELI
    - Political, economic, social, technological, environmental, legal & industry
- Risk taxonomy
    - Structured way of classifying risks
- Case studies
- Process analysis
    - Flow charts that detail bus processes & links btw them
    - Identify risk at each stage

**[Risk Identification Techniques]**

For this step to be successful, activities need to be well-planned & supported by a positive risk culture. Factors to consider:

- Who should be involved?
- How should risk identification be achieved?

**Techniques used in the risk identification process:**

- Brainstorming
    - Generating ideas in a freeform way (generate a wide range, then go in depth, then remove duplicates or irrelevant ideas, then group into themes)
    - Facilitated by an external consultant (not necessarily an expert in the relevant business)
- Independent group analysis
    - Each risk is presented by a member & then discussed
    - Agreed list is ranked independently by each member & then combined for an overall ranking
- Surveys
    - To achieve a large range of responses cheaply & without collusion
- Gap analysis
    - Type of questionnaire
    - Identify Co current & desired risk exposure
    - We look at the current situation versus the desired situation
- Delphi technique
    - Participants answer questionnaires in two or more rounds
    - Each round a facilitator provides an anonymous summary of the output & the reasons for judgements
    - Participants revise earlier answers in light of the replies
    - The process will decrease the range of answers & the group will converge
- Interviews
- Working groups
    - Small groups, normally specialists
    - Tasked with considering a specific risk

**[Risk Recording -- The Risk Register]**

After identifying risks, they need to be collated in a risk register. Key elements of a risk register:

- Labelling or numbering system
- Categorisation of each risk (upside & downside)
- Description of each risk (clear & understandable)
- Initial assessment of:
    - Likelihood of occurrence
    - Impact
    - Timeframe over which it is applicable
    - Relationship with other risks
- Risk response action, cost & expected residual/secondary risks
- Indiv involved in monitoring & managing the risk (risk owner)
- Document control of info

Risk Concepts & Initial Risk Assessment Techniques
--------------------------------------------------

**[Risk Concepts]**

Seven risk concepts:

- **Exposure** - Max loss
- **Volatility** - Measure of variability within the range of possible outcomes
- **Probability** - Likelihood that the event occurs
- **Severity** - Loss that is likely to be incurred if the event occurs
- **Time horizon** - Length of time over which the org is exposed to a risk, or time to recover from an event
- **Correlation** - Degree to which differing risks behave similarly in response to common events
- **Capital**
    - To manage CF
    - Facilitate growth
    - Cover unexpected losses
    - Discussed in Module 30

(The larger the first six, the greater the risk, all things being equal.)

**[Initial Risk Assessment Techniques]**

Some simple techniques are covered here; later, more advanced ones will be discussed.
**Likelihood/Severity**

- **Categorisation**
    - Simply decide whether the prob with which a risk event occurs falls within some pre-set categories
    - Number of categories depends on the level of accuracy req
    - Severity can be similarly categorised, e.g. low/medium/high
- **Probability distribution**
    - Specify a prob distribution for a certain event
    - We need lots of data

**Risk Mapping**

- Technique to illustrate the effect that each risk might have on the org
- Plots each risk on a graph (risk map)
- X-axis is likelihood, y-axis is impact
- Need to bring all risks together on a consistent basis for a comprehensive risk map

Risk mapping can be useful:

- Gets people together from across the org to talk about risks
- Improves the enterprise's understanding of:
    - Risks faced
    - Effect of RM activities
    - Which risks req further action
- Final risk map is a great visual tool for reporting to the Board

**Control effectiveness -- heat map**

- Plot risk severity against control effectiveness
- Reveals where action is needed

Risk controls can be ranked depending on whether:

- Risk exposures are within tolerance levels
- Controls are in place
- Risks are linked to potential impact on return
- Risk metrics/dashboard reporting is established

Emerging Risk
-------------

**[Definition]**

Developing or already known risks which are subject to uncertainty & ambiguity and are therefore difficult to quantify using traditional risk assessment techniques.

- Either a change in the nature or effectiveness of the RM approach to an existing or known risk
- Or the development of a new risk

Emerging risks are NB:

- Knowledge of them will influence corporate strat
- May affect profitability of the org
- May yield opportunity for new products

**[Examples]**

Key inter-related trends giving rise to RM challenges:

- Globalisation
- Tech
- Changing market structures
- Restructuring

Emerging risks could include the potential impact of:

- Significant shifts in power btw world economies
- Contagion in asset markets
- Insurance claims from new or unexpected sources
- Use of social media changing the way info is stored & distributed
- Rapid changes in the nature & source of cyber risk
- Unexpected behaviour of fin guarantees embedded in products
- Non-linear dependencies btw currently known risks

**[Emerging IT Risks]**

IT-related risks are a significant area of emerging risk:

- Cyber security
- Cloud computing
- Social media

**Cyber Risk**

- Emerging since rapidly changing
- Any risk of fin loss, disruption, or damage to the reputation of an org from some sort of failure of its info tech systems
- Risks include hacking, security breaches, espionage, data theft, extortion, privacy breaches & cyber terrorism
- Implications include bus interruption, reputational damage & legal liability
- Very difficult to monitor & manage
- Can purchase cyber insurance to cover losses:
    - Damage to digital assets
    - Bus interruption
    - Legal defence & damages costs
    - Req communication to customers
    - Reputational damage
    - Third party losses

**[Identification & Analysis]**

- A more holistic view is initially req for emerging risk identification
- Key tool is horizon scanning:
    - Systematic search for potential developments over the longer term
    - With emphasis on those changes that are at the edges of current thinking
- Sources of info for identification & analysis of emerging risk include academic journals & websites relevant to the specific area
- Analysis of trends may be important
- Should be performed by relevant experts

Bias
----

Risks might not be identified, assessed or reported in a true and honest way: the problem of bias.

**[Sources of Bias]**

Bias might arise:

- Intentionally
    - Manager deliberately underestimates a risk to achieve a specific personal goal
- Unintentionally
    - Manager inaccurately assesses a risk due to lack of experience or time

If the culture is less than optimal, reporting of risk can be subject to bias. Often occurs in project appraisals, where project champions may tend to min risk in the hope of getting the project approved.

Ways in which bias is introduced:

- Insufficient care in identification or risk analysis
- Key risk accidentally or deliberately omitted
- Incorrect assumptions that certain risks are independent
- Likelihood of disaster underestimated due to inadequate past experience
- CF guessed or deliberately biased towards optimism
- Insufficient account taken of future ups/downs in the eco cycle
- Risk associated with new tech not given adequate attention
- Credit taken for benefits not directly attributable to the project
- Arithmetic or spreadsheets may contain errors

**[Behavioural Finance]**

Study of unintentional bias. Three key behavioural biases:

- Overconfidence - Overestimate own ability
- Anchoring - Base perception on past experience or expert opinion
- Representative heuristics - More probable if easier to imagine

**[Avoiding Bias]**

- Build checks & balances into the system
- Validate the appraisal work by competent & independent checking
- Optimism bias adjustment introduced by the British gov
    - Estimated capital cost is increased by a percentage based on past experience of cost over-runs

**[Chapter 14: Intro to Risk Measurement]{.smallcaps}**
=======================================================

Evaluating Risk Measures
------------------------

**[The Axioms of Coherence]**

Provide a list of properties a good risk measure should have. Assume a number of risk portfolios.
Model the losses on each portfolio as coming from a certain prob distribution L~i~ (i = 1, 2, 3, ...). A risk measure is a real valued function F, and is called coherent if it satisfies the following four axioms:

- **Monotonicity** - If L~1~ ≤ L~2~ then F(L~1~) ≤ F(L~2~)
- **Subadditivity** - F(L~1~ + L~2~) ≤ F(L~1~) + F(L~2~)
- **Positive homogeneity** - F(k × L) = k × F(L) for any constant k ≥ 0
- **Translation invariance** - F(L + k) = F(L) + k for any constant k

**[Convex Risk Measures]**

For a risk measure to be convex, it must satisfy the following property:

- F(λL~1~ + (1 − λ)L~2~) ≤ λF(L~1~) + (1 − λ)F(L~2~) where λ ∈ [0, 1]

Shows that diversification can reduce risk & the amount of capital needed. Follows from the axioms of subadditivity & positive homogeneity: by subadditivity F(λL~1~ + (1 − λ)L~2~) ≤ F(λL~1~) + F((1 − λ)L~2~), and by positive homogeneity (λ ≥ 0 and 1 − λ ≥ 0) the right-hand side equals λF(L~1~) + (1 − λ)F(L~2~).

Deterministic Approaches to Measuring Risk
------------------------------------------

Simplistic & give a broad indication of the level of risk. Three approaches:

- Notional
- Factor sensitivity
- Scenario sensitivity

| Approach | Description | Advantages | Disadvantages |
|---|---|---|---|
| Notional | Broad-brush risk measure. Risk weighting applied to MV of assets, the result summed & compared to value of liabs. | Simple to implement & interpret | Undesirable catch-all weighting; distortions caused by increased demand for asset classes; treating short pos as exact opposite of equivalent long pos; no allowance for concentration of risk; prob of changes considered is not quantified |
| Factor sensitivity | Determines the degree to which an org's fin position is affected by the impact a change in a single underlying risk factor has on the value of assets & liabs. | Increased understanding of drivers of risk | Not assessing wider range of risks; difficult to aggregate over diff risk factors; prob of changes considered is not quantified |
| Scenario sensitivity | Determines the degree to which an org's fin position is affected by the impact a change in a set of underlying risk factors has on the value of assets & liabs. | Can test specific economic conditions | Prob of changes considered is not quantified |

Probabilistic Approaches to Measuring Risk
------------------------------------------

Five probabilistic approaches will be discussed.

**[Deviation]**

Deviation from a given reference.

- Standard deviation from the mean
- Tracking error: measure relative to a benchmark other than the mean
    - Commonly used for returns on a portfolio of assets

The above can be performed:

- Retrospectively: past deviations based on actual historic asset allocations
- Prospectively: based on current asset allocations using
    - Observed historic covariances of returns
    - Estimated future covariances

**Information ratio** is a risk adjusted return measure. Considers the size of the average excess return as a proportion of risk exposure, measured by tracking error.
Advantages of deviation:

- Simplicity
- Applicability to a wide range of fin risk
- Can be aggregated if correlations are known

Disadvantages of deviation:

- Difficulty in interpreting comparisons
- Potentially misleading if distribs are skewed
- Does not focus on tail risk
- Aggregations of deviations can be misleading

**[Value at Risk (VaR)]**

Maximum potential loss, with a given probability, α, over a given time period.

**Not coherent!** Does not demonstrate the subadditivity property, so cannot be aggregated to give insight into the aggregation of risk.

Stated mathematically:

- See formula pg 11

The time period chosen should comply with any contractual & leg constraints. Usually set quite short. A high prob is typically used for capital adequacy purposes, e.g. 99% confidence over a 10-day time horizon for Basel.

Advantages of VaR:

- Simplicity
- Intelligibility of its units, i.e. money
- Applicability to all types of risk
- Applicability over all sources of risk
- Ease of translation into a risk benchmark

Disadvantages of VaR:

- No indication of loss greater than VaR
- Can under-est asymmetric & fat-tail risk
- Very sensitive to chosen data, parameters & assumptions
- Not a coherent risk measure (not always sub-additive)
- May encourage herding, thereby increasing systemic risk if used in regulation

Three general approaches to the calculation of VaR:

- **Empirical (historical)**
    - Gains are treated as negative losses
    - Losses observed over T periods are ranked from smallest to largest
    - If T × α is an integer, then the VaR is the loss that is ranked at that number
    - If it is not an integer, need to use linear interpolation
- **Parametric (variance-covariance)**
    - Losses follow a specified stat distribution
    - L is the RV representing loss on the portfolio
    - If F is the CDF then VaR~α~ = F^-1^(α)
    - If the time period is short, can assume expected return to be zero, thus reducing the parameters to be estimated
- **Stochastic**
    - Similar to the empirical approach
    - Data set is not the full set of observed losses
    - Data set can be:
        - Simulated
        - Bootstrapped

VaR may be defined in different ways in different readings; need to be aware of this.

**[Probability of Ruin]**

Prob that the net fin position of an org falls below zero over a defined time horizon.

**[Tail Value at Risk (TVaR) or Conditional Value at Risk (CVaR)]**

The expected loss given that a loss greater than the specified VaR has occurred. See formula pg 18.

Can be calculated **using the empirical, parametric or stochastic** approach, as for VaR:

1. Empirical -- based on actual data. Average the data above the VaR point.
2. Parametric -- use a distribution.
3. Stochastic -- same as empirical, but based upon data obtained by simulation or bootstrapping.

- Empirical (historical)
    - If T × α is an integer, then TVaR is the average of the losses that are greater than or equal to the VaR

Advantages:

- Considers losses beyond the VaR
- Coherent risk measure (demonstrates the subadditivity property, so can be aggregated to give insight into the aggregation of risk)

Disadvantages:

- Choice of distribution & parameter values is subjective
- Highly sensitive to assumptions

**[Expected Shortfall]**

Expected loss over a given time period.

- **Empirical approach** - formula pg 20
- **Parametric approach** - formula pg 20
- **Stochastic approach** - based on data simulated or from bootstrapping

Advantages:

- Same as for TVaR

Disadvantages:

- Little intuitive meaning
- Cannot be readily linked to current valuation

**[Practical look at VaR & TVaR]**

When quantifying market risk in trading portfolios we can base VaR on basic factors:

- Exposure amount
- Price volatility factor
- Liquidity factor

**TVaR to VaR Ratio**

- Used as an indication of the skewness of the distribution
- A higher ratio indicates that the loss dist is asymmetric with a fatter tail

**Two "rules of thumb"**

- Read pg 22
- Essentially: the number of days on which a mark-to-market loss might exceed VaR can be estimated, and the n-day loss can be distributed.
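The empirical VaR and TVaR rules above (rank T × α, interpolate when it is not an integer, average the tail for TVaR), plus the normal parametric case and a concrete check that VaR can fail subadditivity while TVaR does not. This is an added illustration written for these notes, not course material; the loss series and the two-position example are constructed.

```python
"""Empirical and parametric VaR / TVaR with a subadditivity check.

Added illustration of the calculation rules in the notes; not course code.
All loss data below is constructed. Gains are treated as negative losses.
"""
import math
from statistics import NormalDist


def _rank_position(t, alpha):
    """Return (T*alpha, is_integer), treating float noise as an integer rank."""
    pos = t * alpha
    nearest = round(pos)
    if abs(pos - nearest) < 1e-9:
        return nearest, True
    return pos, False


def empirical_var(losses, alpha):
    """Empirical (historical) VaR: the loss ranked T*alpha, smallest to largest.

    When T*alpha is not an integer, interpolate linearly between the two
    neighbouring ranked losses, as the notes prescribe.
    """
    ranked = sorted(losses)
    t = len(ranked)
    pos, is_int = _rank_position(t, alpha)
    if pos <= 1:
        return ranked[0]
    if pos >= t:
        return ranked[-1]
    if is_int:
        return ranked[pos - 1]            # 1-based rank -> 0-based index
    lo = math.floor(pos)
    frac = pos - lo
    return ranked[lo - 1] + frac * (ranked[lo] - ranked[lo - 1])


def empirical_tvar(losses, alpha):
    """Empirical TVaR: average of the ranked losses from rank T*alpha upward.

    For an integer rank this is exactly the notes' rule (losses >= VaR). For a
    non-integer rank the interpolated VaR lies between two ranked losses, so
    the tail starts at the next rank up (an assumption made here).
    """
    ranked = sorted(losses)
    t = len(ranked)
    pos, is_int = _rank_position(t, alpha)
    start = pos - 1 if is_int else math.floor(pos)
    start = min(max(start, 0), t - 1)
    tail = ranked[start:]
    return sum(tail) / len(tail)


def parametric_var(mu, sigma, alpha):
    """Parametric (variance-covariance) VaR for normal losses: F^-1(alpha)."""
    return NormalDist(mu, sigma).inv_cdf(alpha)


def parametric_tvar(mu, sigma, alpha):
    """Normal TVaR: E[L | L > VaR] = mu + sigma * phi(z_alpha) / (1 - alpha)."""
    z = NormalDist().inv_cdf(alpha)
    return mu + sigma * NormalDist().pdf(z) / (1 - alpha)


def subadditivity_check(alpha=0.95):
    """Two positions that each lose 100 on 4 of 100 days, on different days.

    Each position alone shows zero loss at the 95% rank, but the combined
    position does not: VaR fails subadditivity while TVaR satisfies it.
    """
    a = [100.0] * 4 + [0.0] * 96                # constructed daily losses
    b = [0.0] * 4 + [100.0] * 4 + [0.0] * 92    # loss days do not overlap
    combined = [x + y for x, y in zip(a, b)]
    var_parts = empirical_var(a, alpha) + empirical_var(b, alpha)
    var_comb = empirical_var(combined, alpha)
    tvar_parts = empirical_tvar(a, alpha) + empirical_tvar(b, alpha)
    tvar_comb = empirical_tvar(combined, alpha)
    return {
        "var_sum_of_parts": var_parts,
        "var_combined": var_comb,
        "var_subadditive": var_comb <= var_parts,
        "tvar_sum_of_parts": tvar_parts,
        "tvar_combined": tvar_comb,
        "tvar_subadditive": tvar_comb <= tvar_parts,
    }


if __name__ == "__main__":
    sample = [-5, -2, 0, 1, 3, 4, 6, 8, 12, 20]  # constructed, T = 10
    print("VaR/TVaR 90%:", empirical_var(sample, 0.90), empirical_tvar(sample, 0.90))
    print("VaR/TVaR 95%:", empirical_var(sample, 0.95), empirical_tvar(sample, 0.95))
    print("Normal 99%:", parametric_var(0, 1, 0.99), parametric_tvar(0, 1, 0.99))
    print(subadditivity_check())
```

With T = 10, α = 0.95 gives rank 9.5, so the VaR is interpolated halfway between the 9th and 10th ranked losses; the two-position example reproduces the "not always sub-additive" point numerically.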
Risk Management Time Horizon
----------------------------

The longer the duration of exposure, the higher the level of risk. Two key factors influencing the choice of time horizon:

- Time to recover from a loss event
- Time to reinstate risk mitigation

Risk Discount Rate
------------------

**[Project Appraisal]**

The higher the discount rate, the lower the PV of earnings arising in the future & the greater the negative impact on project viability.

The discount rate is determined by the sponsor, and should take into account the cost of capital, rate of inflation, interest rates & rates of return on investments throughout the economy. However:

- Suitable reference investments may not exist
- Difficult to determine the risk-free rate of interest
- Setting a discount rate that allows for uncertainty of future asset values is problematic
- Allowance for credit risk should be made

A high RDR should not be seen as a substitute for detailed risk analysis: this could lead to rejection of profitable low risk projects in favour of more profitable projects with an unacceptable level of risk.

**[Reminder -- CAPM]**

Economic model that expresses the expected return E on a security *i* as a function of:

- Risk-free rate of return
- Expe