Developments in Risk Management people, process and systems considerations David Millar, COO, PRMIA - PowerPoint PPT Presentation




History, Dimensions and Drivers of Risk Management. A Higher Standard for Risk Professionals ... Citigroup's Capital ratios (2003) $ 750,293. Risk-weighted ... – PowerPoint PPT presentation

Slides: 56
Provided by: piperjaffr


Transcript and Presenter's Notes


Developments in Risk Management people,
process and systems considerations
David Millar, COO, PRMIA
Hyderabad, 9th October, 2007
Why do we manage risks?
Developments in Risk Management people,
process and systems considerations History,
Dimensions and Drivers of Risk Management
Risk in history
Drivers of risk management
  • Regulatory drivers
  • Local
  • Regional
  • Global
  • Business drivers
  • Increased profitability
  • Reduced losses
  • Improved reputation (customers, public and
  • Credit agency ratings

Stick and
  • With the objective of managing risk, not
    eliminating it

Business drivers
What the rating agencies say
  • Moody's believes that the assessment of risk is
    becoming increasingly central to the fundamental
    analysis of a rated bank. Put simply, risk
    management improves the quality and stability of
    earnings, thereby enhancing the competitive
    position of the bank and facilitating its
    long-term survival.
  • The ongoing integration of its subsidiary banks
    into a single network poses challenges in terms
    of operational, personnel, and systems
    integration. Moreover, the banks purchased by XXX
    may have hidden operational risks. A Standard
    & Poor's Report
  • Fitch (Ratings) expects financial institutions,
    in their response to both regulatory and
    management requirements, to adopt a balanced
    approach to risk. This includes an emphasis on
    tools and techniques designed to assist the
    management of a financial institution in the
    prioritization of its risk budgets and in where
    to focus its efforts.

Regulatory drivers
Cross-border implications
  • There is no international jurisdiction.
    Regulations (global or local) implemented by
    local courts or regulators.
  • International implications are enforced by
  • Agreement by local bodies that they will
    implement international regulations (i.e. Basel
    II but also such as transport regulations),
    sometimes with local variations
  • A local regulator imposing regulations on the
    local branch of an overseas company so that the
    implications extend to the home country and other
    branches, i.e. money laundering regulations,
    Australia's Foreign Trade Practices Act, etc.
  • An overseas company taking advantage of national
    facilities (i.e. listing on their stock exchange)
    which then convey obligations across the whole
    company, i.e. Sarbanes-Oxley

Developments in Risk Management people,
process and systems considerations Types of
Can we categorise risks?
Enterprise Risk
Risk assessments, indicators, controls and loss
event data
Strategic Risks
Financial Risks
Procedural Risks
Other Risks
  • Credit
  • Market Pricing
  • Interest Rate
  • Liquidity
  • Asset Liability
  • Systemic
  • Operational
  • Disaster
  • Fraud
  • Terrorism
  • Project
  • Contractual
  • Regulatory
  • Reputational
  • Pandemic
  • Legal
  • Environment
  • Government
  • Business decisions
  • Poor direction
  • Competition
  • New technology

Basel II Risk Coverage
Enterprise Risk
Risk assessments, indicators, controls and loss
event data
Strategic Risks
Financial Risks
Operational Risk
Other Risks
  • Credit Risk
  • Market Risk - Pricing, Interest Rate, Liquidity
  • Asset Liability
  • Systemic
  • Disaster
  • Fraud
  • Terrorism
  • Project
  • Contractual / Legal
  • Regulatory
  • Reputational
  • Pandemic
  • Environment
  • Government
  • Business decisions
  • Poor direction
  • Competition
  • New technology

Basel II Risk Coverage
  • Credit Risk
  • The risk of a bank not receiving payment for its
  • Market Risk
  • The risk that a bank's assets lose value due to
    market fluctuations.
  • Operational Risk
  • The risk of loss resulting from inadequate or
    failed internal processes, people and systems or
    from external events, including legal risk, but
    excluding strategic and reputational risk.

Risk needs to be Categorised
  • Credit Risk
  • Counterparty categorisation, loan description,
    probability of default, expected loss, loss given
  • Market Risk
  • Trade details, market variables, probability
  • Operational Risk
  • Risk categories, event categories, probabilities,
    controls (descriptions, costs, effectiveness,
    etc), expected losses, unexpected losses, actual
    losses, indicators, responsibilities and
    authorisations, etc.

Operational risk categorisation frameworks can be
Risk Indicators (KRIs)
Financial risk management environment
Internal ratings, etc
High-tech, fast throughput, transaction processing
5 years transaction data
Daily transaction data
Capital calculations, risk metrics, ALM, etc
Core processing systems
Operational risk management environment
Getting risk data from the
bottom (the point of incident)
to the top (for analysis) is key.
through layers of management
Technical implications
  • Non-financial (operational) risk
  • Once a day for input, once a month for reporting
  • Low performance requirements
  • Manual input, many users
  • Relatively small amounts of fairly complex data
  • Kept for a very long time (at least five years)
  • New data collection systems need to be developed
  • Financial (credit, market, liquidity, etc) risk
  • Real-time
  • High availability
  • High performance requirements
  • Automated input, few users
  • Very large amounts of relatively simple data
  • Kept for a long time (5 years)
  • Data comes from existing core systems

Developments in Risk Management people,
process and systems considerations Risk and
What is capital?
The net worth of a business i.e. the amount by
which its assets exceed its liabilities
Gearing Leverage
Assets Investments
Gearing Leverage
Balance Sheet
Capital covers risk
Non Financial Firms Risk Cover
Expected Losses
Unexpected Losses
Catastrophic Losses
Frequency of Loss
Debt/Bond Holders
Equity Capital
Reserve Financing
Severity of Loss
Source: after Marshall, Operational Risks, 2001
Banks are very different
Bank assets are risk assets
Bank capital most exposed to asset value changes
Gearing Leverage
Assets Investments
Gearing Leverage
Bank liabilities are deposits
Balance Sheet
A different level of risk cover
Financial Firms Risk Cover
Expected Losses
Unexpected Losses
Catastrophic Losses
Frequency of Loss
Economic Capital
Debt/Bond Holders
Severity of Loss
The Public is at the End of the Road
  • Greenspan nor should we require individual
    banks to hold capital in amounts sufficient to
    fully protect against those rare systemic events
    which, in any event, may render standard
    probability evaluation moot. The management of
    systemic risk is properly the job of central
    banks. Individual banks should not be required
    to hold capital against the possibility of
    overall financial breakdown. Indeed central
    banks, by their existence, appropriately offer a
    form of catastrophe insurance to banks against
    such events

Source: Alan Greenspan, FRBNY, 1996
Bank Capital
  • differs from a non-financial firm's capital - it
    protects against future, unidentified risks and
    losses while enabling the bank to operate at the
    same level.
  • strengthens the stability and soundness of the
    (international) banking system and, if applied
    universally, the competitive inequality among
    banks is diminished.
  • So banks simply need to cover themselves against
    the risk of insolvency due to losses exceeding
    allocated capital.
  • Banks manage risks - regulators decided on an
    arbitrary capital to risk asset ratio - there is
    no correct answer.
  • Capital adequacy for banks was conceived in
    1988 (the Cooke Committee, to become the Basel
    Committee on Banking Regulations and Supervisory

The BIS created standards on capital
  • Basel Capital Accord (Basel I),
  • In 1988 the Basel Committee on Banking
    Supervision recommended a risk-weighted capital
    ratio for internationally active banks,
  • This set minimum standards of capital adequacy,
  • A New Capital Accord (Basel II) proposed in
  • Extended to cover regulatory (Pillar 2) and
    disclosure (Pillar 3) requirements, (Pillar 1
    approaches as how to calculate regulatory
  • Final (reviewed) version released November 2005
    (over 100 countries to implement still some
    questions regarding the US implementation
  • Complete Accord will take effect from 2007
    (earliest participants) onwards to 2012

and decided that
  • Risk-weighted assets would be basis for capital

Risk-weighted Assets
Minimum Capital Requirements
8% of
Credit Risk-weighting
Market Risk-weighting
Operational Risk-weighting

Introduced 1997, small changes in B2
Now variable more complex in B2 (3 approaches)
New in B2 and variable (also 3 approaches)
8% is the minimum
Citigroup's Capital ratios (2003)
  • Tier 1 Capital Ratio: 8.91%
  • Total Capital Ratio: 12.04%
  • Minimum Regulatory Capital: 60,023

But Basel Capital Adequacy is not all
  • Commercial banks, which comply with Basel II, can
    decide (or their regulator can decide) which
    approaches to calculating regulatory capital they
    adopt, but
  • regardless of capital approaches all Basel II
    compliant organisations must develop
  • an appropriate risk management environment,
  • risk identification, assessment, monitoring and
  • regular independent evaluation of policies,
    procedures and practices,
  • and make sufficient public disclosure to allow
    the market to assess their approach to
    operational risk management.

Regardless of Pillar 1 approach
  • Even if the bank goes for the simplest approach
    to Risk-weighted Capital-
  • A risk assessment culture must be created,
  • Credit and operational risks must be monitored,
  • Risk must be tracked,
  • A risk trend history must be created,
  • Risk actions must be disclosed.

additional capital would not be the only
answer as capital is not a substitute for
appropriate risk assessment practices or adequate
internal control processes. Nicholas Le Pan,
Chairman of the Basel Committee's Accord
Implementation Group, March 2004.
Developments in Risk Management people,
process and systems considerations Current
Implementation considerations
Banks are not homogeneous with respect to risk
management implementation
but a bank needs a view of risk which combines
different departmental profiles
Risk theories and regulations
Processes, tools and capital allocation
Rollout considerations
Ongoing maintenance and improvement
A risk culture
From financials to processes
  • Credit/market risk relatively mature (liquidity
    risk still causing concerns!)
  • But still needs data and model validation,
    corrections, backdating of parameters, etc
  • Operational risk still immature
  • Specifying it
  • What is it? How to recognise and classify it?
  • Setting it up
  • Involving the users, gaining commitment,
    regulatory approval, etc
  • Rolling it out and maintaining it
  • Collecting accurate data - feedback validation
    - correcting errors - changing classifications -
    renewing systems, etc

The Pillar II Maze
Risk theories and regulations
Updating the system
User acceptance
Create the risk framework
Processes, tools, capital allocation and
Regulatory approval
How much data to collect
Cleaning old data
Risk Culture
Ensuring clean data
User involvement
A risk culture
Some implementation issues
  • Processes, systems and capital allocations are
  • the problems are the people issues
  • Build the governance processes
  • Creating the framework - consensus on risk
  • Getting user involvement from the right people
  • Achieving user acceptance - "why am I doing this?
    I have better things to do!"
  • Deciding on how much data to collect - too little
    gives poor statistics, too much gives inaccurate data
  • Ensuring clean data - cleaning old data, ensuring
    new data is completed correctly
  • Gaining regulatory approval - different
    interpretations/numerics in different
  • Building a risk culture - everyone knows what
    risk is
  • Integrating feedback and statistics to improve
    the system
  • How to update the systems - validating and
    changing processes, risk categories (framework)
    and systems upgrades

1. Why a governance process?
  • Basel II (and Sarbanes-Oxley and others) requires
    that the Board takes overall responsibility for
    risk management and is aware of risk
  • It requires that all senior management takes
    responsibility for the risk processing and
    management within their areas, and
  • It mandates a risk culture within the

  • Commitment on risk management is needed from
  • Owners/shareholders
  • The Board
  • Senior management
  • Departmental managers
  • Audit, asset and liability management and
  • Human resources
  • Staff
  • Geographies

8. Building a risk culture
  • An internal risk culture is the sum of the
    individual and corporate values, attitudes,
    competencies and behaviour that determine
    commitment to and style of risk management.
  • It includes both an enterprise-wide risk and an
    internal control culture
  • It requires clear lines of responsibility,
    segregation of duties and effective internal
  • It requires high standards of ethical behaviour
    at all levels
  • Although a framework of formal, written policies
    and procedures is critical, it needs to be
    reinforced through a strong control culture
  • It is the responsibility of both the board and
    senior management

Examples of staff risk culture
  • All staff know
  • What a risk control or risk event is
  • Why they exist
  • What their risk responsibilities are
  • Prime and alternative reporting routes
  • What happens to their reports
  • What was the result of their events mitigation
  • What the institution's risk status is (overall
    and their part)
  • How it is improving (or getting worse)
  • What their risk training plan is

Examples of management risk culture
  • All Board and senior management know
  • What the institution's risk policy is
  • What their risk appetite is
  • What their own risk responsibilities are
  • What major risk controls have been infringed or
    what risk events have taken place
  • What cumulative risk situations have accumulated
  • What the institution's risk status is
  • How it is improving (or getting worse)
  • What the business impacts are

Why are Risk Cultures important?
  • Risks are managed by people
  • People can apply standards with greater or lesser
    degrees of efficiency or they can make mistakes
  • People must apply the appropriate risk management
    standards to the best of their ability
  • Regulators appreciate that the best standards and
    guidelines are only effective if implemented
    correctly and with diligence and enthusiasm.
  • Regulators will therefore test an organisation's
    risk culture along with its risk standards, best
    practices, capital robustness and disclosure

Attributes of a risk management culture
  • Attention is paid to quantifiable and
    unquantifiable risks.
  • All risks are identified, reported and
  • Awareness of risk through performance
    measurement, risk-adjusted pricing, pay
    structures and forecasting.
  • Risk management is accepted as everyone's
  • Risk managers have teeth.
  • The enterprise avoids what it doesn't understand.
  • Uncertainty is accepted.
  • Risk managers are monitored.
  • Risk management is not to stop people from taking
    risks but to create value, by enhancing the
    chances of success.
  • The risk culture is defined, the risk appetite is

Source: Operational Risk Management, PWC,
November 2003 (abbreviated)
and finally
  • Talk to the supervisors
  • Regulations are interpreted and implemented by
    regulators, central banks and supervisors
  • They will have national interpretations and
    local preferences and good practices
  • They are responsible for cross-border cooperation
    and interpretation
  • They will set implementation practices - rule and
    regulation based or risk and principle based
  • Because commitment to the regulations is their
    primary function, whereas, for the bank it is a
    secondary activity

Developments in Risk Management people,
process and systems considerations and
what of the future?
What has the sub-prime crisis taught us?
  • We have not solved liquidity risk
  • How to model it?
  • What is its impact on credit and market risk?
  • How to put capital aside?
  • Are Rating Agencies the right measurement?
  • Are they trustworthy?
  • They are paid by the sellers of instruments
  • Rating agency arbitrage
  • Is operational risk-derived capital enough?
  • Is bad rating an op risk?
  • Is bad loan management an op risk?

Risk models have not yet been tested
  • First banks move to advanced methods in 2008
  • No one is comparing model performance
  • Will the US come into line?
  • Can Basel survive double standards?
  • Does scenario testing work?
  • How long before we have sufficient data?
  • Will models be rated? If so, by whom?

A global operational risk standard?
  • There is no common practice for
  • Risk and event categorisation
  • Risk assessment
  • Global operational risk databases are limited
  • ORX, what else?
  • How to compare bank v bank?
  • How do we merge operational risk data?
  • Cross-border comparison

Basel III
  • Is risk-adjusted capital the only way to measure
    and control risk?
  • Will operational risk-adjusted capital be a
    glorious failure?
  • What will replace the rating agencies?
  • Can we ever solve liquidity risk?
  • Can we continue ignoring strategic and
    reputational risk?
  • Why has it all become so complicated?

Hyderabad Chapter, 9th October, 2007
A PRMIA Members' Update
The Global Organisation
  • The Professional Risk Managers' International
    Association (PRMIA) - the world's leading risk
    professionals' association.
  • 44,500 risk professionals from all segments of
    the financial services industry in 179 countries
    (both free and paid membership)
  • Members from 4,000 organisations, 200 members
    meetings annually in 60 chapters
  • A quarterly journal and a monthly newsletter
  • The Professional Risk Managers' Handbook
  • The PRM exam - the world's most comprehensive
    risk managers' exam with 2,150 candidates in 96
  • Member-led (400 volunteers), grass-roots
    organisation with its own Code of Risk Ethics
  • A not for profit organisation governed by its
  • Standards, accreditation, meetings, events,
    training, networking, website, research

PRMIA - the past year
  • New chapters - Tokyo, Bangalore, Hyderabad,
    Vienna, Beijing, Amsterdam, Frankfurt, San
    Francisco, Kolkata and S Africa.
  • First one day PRMIA conference given in NY in
    February, second already held and two more
    planned for 2007
  • Toronto University and NUS running PRM courses in
    China and Singapore. Regulators approve PRM in
    Singapore and Bahrain
  • Indian chapters initiate research program
  • Corporate membership services launched
  • Website remodelled
  • Publishers McGraw-Hill to reformat the Handbook,
    also wider availability and translation of the
    PRMIA Handbook
  • Henry Stewart Publications to issue a quarterly
    Journal of Risk Management in Financial
    Institutions - free to PRMIA Full Sustaining
  • PRMIA expand support team to take on marketing,
    sales and conference/event support staff

PRMIA - the next 12 months
  • New chapters - LA, Delhi, Brussels, Miami, West
    Indies, Turkey, Bermuda, Romania, Trinidad and
    re-open Dusseldorf, Madrid, Bangkok, KL, Taiwan
    and Australian chapters amongst others.
  • 2008 Global Event Series - Credit Risk in
    February, ERM in April, Operational Risk in
    September, Valuation in an Environment of High
    Complexity and Liquidity Risk in November. Each
    month to include 3-4 one day events in major
    centres plus chapter events.
  • Handbook to be updated via Academic Committee,
    reformatted to 10-12 books and released to public
    sale through bookshops via McGraw-Hill starting
    end 2007.
  • Opening up the PRM exam to offer a
    non-quantitative, entry-level exam - the
    Foundation PRM - to be released Q1 2008
  • White papers sought for JRMFI editorial
    committee of PRMIA and non-PRMIA. Also PRMIA
    quarterly members news newsletter
  • David Koenig changes role.
  • Objectives - to increase PRM candidates, more solid
    financial status through exam and handbook
    income, sponsorships, corporate memberships, and
    Sustaining Memberships.

  • Thank you
  • David Millar
  • Chief Operating Officer