(Compiled from various sources including COSO Publications)
The essence of the banking business is taking risks. Banking is, by definition, accepting money from the public for the purpose of lending and investment. Lending and investment activities are all about taking a view on the safe return of the funds lent or invested, and that view is itself an assumption of risk exposure.
Dealing with risks, therefore, is at the heart of banking business. Evolving with the requirements of banking business, banks have developed and implemented internal controls and risk assessment methodologies and have documented policies, procedures and processes to manage various risks, including Credit Risk, Market Risks, Liquidity Risk, Operational Risk, Compliance and Legal Risks etc.
Risk management information as a decision-making tool is the manifestation of the increasing awareness and involvement of top management in the risk management function of banks. Enterprise Risk Management (ERM) helps consolidate risk management practices within the larger framework of a bank’s strategic goals.
Bankers should view ERM as a mechanism to manage uncertainty for the successful conduct of business. ERM is now a “big idea” which provides a logical structure for making a fair assessment of business risks in order to address critical business issues such as growth, return, consistency and value creation.
ERM deals with risks and opportunities affecting value creation or preservation. An effective ERM program is organization-wide and enables efficient, effective use of resources focused toward reliable financial reporting and compliance with applicable laws and regulations.
What is ERM?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a joint initiative of five premier industry organizations in the USA concerned with accounting and auditing, has defined ERM as follows:
ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. Enterprise risk management is:
1. A process, ongoing and flowing through an entity
2. Effected by people at every level of an organization
3. Applied in strategy setting
4. Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
5. Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
6. Able to provide reasonable assurance to an entity’s management and board of directors
7. Geared to achievement of objectives in one or more separate but overlapping categories
This definition is purposefully broad. It captures key concepts and focuses directly on achievement of objectives.
Objectives of ERM
Enterprise risk management encompasses:
a) Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
b) Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
c) Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
d) Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
e) Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
f) Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
These capabilities inherent in enterprise risk management help management achieve the entity’s performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity’s reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.
Key components of ERM
ERM consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:
1. Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
2. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
4. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
5. Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
7. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
8. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.
ERM – Implementation
Outlined below is an initial high-level draft of an action plan for ERM. This draft plan highlights key events and actions that organizations should consider in starting an ERM initiative. The draft is not intended to be viewed as a complete plan; furthermore, it requires careful tailoring and expansion prior to use. However, we believe it reflects useful information and is a practical draft plan as a basis to start.
1. Seek Board and Senior Management Involvement and Oversight
- Set an agenda item for the board and executive management to discuss ERM and its benefits
- Agree on high-level objectives and expectations regarding risk management
- Understand the process to communicate and set the tone and expectations of ERM for the organization
- Agree on a high-level approach, resources and target dates for the initial ERM effort
2. Identify and position a leader to drive the ERM Initiative
a) Identify a person with the right attributes to serve as the risk management leader
- Does not have to be a CRO (Chief Risk Officer)
- Use existing resources
b) Set objectives and expectations for the leader
c) Allocate appropriate resources to enable success
3. Establish a Management Working Group
a) Establish a management working group to support the risk leader and drive the effort across the organization
b) Have the right, key people in the group
- Sufficient stature
- “C-suite” representation
- Business unit management
c) Look at using cross-functional teams
d) Agree on objectives for the working group
- Build ERM using incremental steps
- Define some sought-after benefit to evaluate each step
- Establish reporting process for management and the board
4. Conduct an Initial Enterprise-wide Risk Assessment and Action Plan
a) Focus on identifying the organization’s most significant risks
b) Look for risks at the strategic level
c) Consider risk factors beyond just probability and impact, e.g. (i) velocity of risk, (ii) preparedness and (iii) other factors
d) For the most significant risks: (i) assess exposure to the risk; (ii) assess adequacy of existing risk mitigation or monitoring; (iii) identify opportunities to enhance mitigation or monitoring activities
e) Develop action plans to enhance risk management practices related to the risk identified
- Identify actions to implement the opportunities identified above
- Establish target dates and responsibilities
- Develop process to monitor and track implementation
5. Inventory the Existing Risk Management Practices
a) Identify and inventory existing practices
b) Identify gaps and opportunities – Consider initial completion of the Risk Management Alignment Guide
c) Develop specific action steps to close gaps
d) Produce and implement action plans to close gaps and manage risks
6. Develop Initial Risk Reporting
a) Assess adequacy and effectiveness of existing risk reporting
b) Develop new reporting formats – (i) Consider extensive use of graphics and colours; (ii) Consider developing a risk “dashboard” for the board
c) Develop process for periodic reporting of emerging risks
d) Assess effectiveness of new reporting with stakeholders and revise as appropriate
7. Develop the Next Phase of Action Plans and Ongoing Communications
a) Conduct a critical assessment of the accomplishments of the working group
b) Revisit the risk process inventory and identify next processes for enhancement
c) Identify tangible steps for a new action plan including benefits sought and target dates – Review with executive management and the board
d) Implement with appropriate resources and support
e) Schedule sessions for updating or further educating directors and executive management
f) Assess progress and benefits of ERM initiative against objectives and communicate to target audiences
g) Continue organization-wide communication process to build risk culture
Risk Assessment Questions
Outlined below are some example questions that could be used in an interview with a senior executive or director during the risk assessment process. These questions are representative of the types of questions that could be asked to help identify the organization’s most significant strategic or emerging risks.
1. What are your primary business objectives or strategies?
2. What are the key components of enabling your business strategy or objectives?
3. What internal factors or events could impede or derail each of these key components?
4. What events external to the organization could impede or derail each of the key components?
5. What are the three most significant risk events that concern you regarding the organization’s ability to achieve business objectives?
6. Where should the organization enhance its risk management processes to have maximum benefit and impact on its ability to achieve business objectives?
7. What types of catastrophic risks does the organization face? How prepared is the organization to handle them, if they occur?
8. Can you identify any significant risks or exposures to third parties (vendors, service providers, alliance partners etc.) that concern you?
9. What financial market risks do you believe are or will be significant?
10. What current or developing legal/regulatory/governmental events or risks might be significant to the success of the business?
11. Are you concerned about any emerging risks or events? If so, what are they?
12. What risks are competitors identifying in their regulatory reports that we have not been addressing in our risk analysis?
Key Risk Indicators (KRIs)
KRIs are metrics used to provide an early signal of increasing risk exposure in various areas of the organization. In some instances, they may be little more than key ratios that the board and senior management track as indicators of evolving problems, which signal that corrective or mitigating actions need to be taken. Other times, they may be more elaborate, involving the aggregation of several individual risk indicators into a multi-dimensional risk score about emerging potential risk exposures.
KRIs are typically derived from specific events or root causes, identified internally or externally, that can prevent achievement of strategic objectives. Examples can include items such as the introduction of a new product by a competitor, a strike at a supplier’s plant, proposed changes in the regulatory environment, or input-price changes.
The design and roll-out of a set of KRIs is an important element of an organization’s enterprise risk management process. The sections that follow outline the sources from which a set of KRIs can be developed and the key characteristics of effective KRIs.
Sources for Development of KRIs
While the development of effective KRIs is a challenge, there are some readily available sources from which KRIs can be developed. These sources include:
1. Policies and regulations: The regulations that govern the business activities of the company, as well as the corporate policies and limits established by management and the board, provide useful compliance KRIs. These KRIs may include risk exposures against limits or compliance with regulatory requirements and standards.
2. Strategies and objectives: The corporate and business strategies established by senior management, and the associated performance metrics, are another good source of KRIs. Note the distinction: performance metrics are designed to measure expected performance, whereas KRIs should be designed to measure downside risk or volatility of performance.
3. Previous losses and incidents: Many companies have compiled loss/event databases that capture historical losses and incidents. These databases, or even anecdotal evidence, can provide useful input on what processes or events can cause financial or reputational loss. KRIs can then be developed for these processes and events.
4. Stakeholder requirements: Beyond the regulators, the expectations and requirements of other stakeholders – customers, rating agencies, stock analysts, business partners – can help develop KRIs on variables that are important to these key stakeholders.
5. Risk Assessments: The risk assessments performed by the company, including audit assessments, control self-assessments, and Sarbanes-Oxley tests, can provide valuable input on the business entities, processes, or risks where KRIs are needed.
Key Characteristics of KRIs
Given the various sources of KRIs, the objective should be to develop a high quality set of KRIs, as opposed to high quantity. The following list provides ten key characteristics of effective KRIs:
1. Based on consistent methodologies and standards
2. Incorporate risk drivers: exposure, probability, severity, and correlation
3. Be quantifiable: $, %, or #
4. Track in time series against standards or limits
5. Tie to objectives, risk owners, and standard risk categories
6. Balance of leading and lagging indicators
7. Be useful in supporting management decisions and actions
8. Can be benchmarked internally and externally
9. Timely and cost effective
10. Simplify risk, without being simplistic
ERM in banks
Risk management in banks involves risk measurement and risk control at the individual risk level, including market risk for trading books, credit risk for the banking book as well as the trading book, and operational risk, together with aggregate risk management.
In many banks, aggregate risk is defined using a roll-up or risk aggregation model; capital, as well as capital allocation, is based on the aggregate risk model. The aggregate risk is the basis for defining the bank’s economic capital, and is used in value-based management such as risk-adjusted performance management.
In practice, the different approaches to risk aggregation fall into one of two types: top-down or bottom-up aggregation.
In top-down aggregation, risk is first measured at the sub-risk level (market risk, credit risk and operational risk) and the sub-risk figures are then aggregated.
In a bottom-up aggregation model, the different risk factors for credit, market, operational and other risks are simulated jointly.
While bottom-up risk aggregation may be considered the preferred method for capturing the correlation between sub-risks, it is sometimes difficult to achieve because some risks are observed and measured at different time horizons.
For example, trading risks are measured intraday or at least daily, while operational risk is typically measured yearly. The difficulty of assigning a common time horizon to risks that are to be integrated does not necessarily become easier with a top-down method.
Current risk aggregation models in banks range from very simple models that add sub-risks together, to linear risk aggregation, and in some cases to risk aggregation using copula models (in probability theory and statistics, a copula describes the dependence between random variables). Some banks also use a combination of bottom-up and top-down approaches to risk aggregation.
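The two simplest top-down roll-ups mentioned above, side by side, as an added illustration that is not part of the compiled source material: plain summation of sub-risk capital versus linear (variance-covariance) aggregation under an inter-risk correlation matrix. The capital figures and correlations are constructed sample values.

```python
"""Top-down risk aggregation: simple sum vs. linear (correlation-based) roll-up.

Added illustration; the capital figures and correlations below are constructed
sample values, not data from any bank or from the COSO material.
"""
from math import sqrt

# Constructed stand-alone economic capital per sub-risk (same currency unit).
SUB_RISK_CAPITAL = {"market": 100.0, "credit": 200.0, "operational": 50.0}

# Constructed inter-risk correlations (assumption for illustration only).
CORRELATION = {
    ("market", "credit"): 0.5,
    ("market", "operational"): 0.3,
    ("credit", "operational"): 0.2,
}


def correlation(corr, a, b):
    """Look up rho(a, b); the matrix is symmetric with a unit diagonal."""
    if a == b:
        return 1.0
    rho = corr.get((a, b), corr.get((b, a)))
    if rho is None:
        raise ValueError(f"no correlation given for {a}/{b}")
    if not -1.0 <= rho <= 1.0:
        raise ValueError(f"correlation {rho} for {a}/{b} out of range")
    return rho


def simple_sum(capital):
    """Simplest roll-up: add the sub-risks, i.e. assume perfect correlation."""
    return sum(capital.values())


def linear_aggregate(capital, corr):
    """Variance-covariance roll-up: sqrt(c^T R c) over the sub-risk vector c."""
    names = list(capital)
    total = 0.0
    for a in names:
        for b in names:
            total += capital[a] * capital[b] * correlation(corr, a, b)
    return sqrt(total)


def diversification_benefit(capital, corr):
    """Capital saved relative to simple summation."""
    return simple_sum(capital) - linear_aggregate(capital, corr)


def check_bounds(capital, corr):
    """With non-negative correlations the linear aggregate must lie between the
    largest stand-alone figure and the simple sum; a cheap sanity check on the
    correlation inputs before the number is used for capital allocation."""
    agg = linear_aggregate(capital, corr)
    return max(capital.values()) <= agg <= simple_sum(capital)


if __name__ == "__main__":
    print(f"simple sum      : {simple_sum(SUB_RISK_CAPITAL):.2f}")
    print(f"linear aggregate: {linear_aggregate(SUB_RISK_CAPITAL, CORRELATION):.2f}")
    print(f"diversification : {diversification_benefit(SUB_RISK_CAPITAL, CORRELATION):.2f}")
```

Setting every correlation to 1.0 reproduces the simple sum exactly, which shows why plain addition is the most conservative of the roll-ups the text lists.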
Illustration of KRIs in banks
1. Capital: Capital Adequacy Levels, Composition of Capital, Economic Capital Estimates etc. Capital Risk is the risk arising from not maintaining an adequate level of capital to support the level of risk being taken by the Bank. The business plan and the strategy of the Bank shall clearly outline the Bank’s capital needs, anticipated capital expenditures, desirable capital level, and external capital sources.
2. Credit Risk: Credit Quality Breakdowns, Credit Rating Migration, Past-due analysis, Large Exposures, Security Coverage, Sector Exposures, Country Exposures, Debt Investment Portfolio risk attributes etc. Credit Risk is the risk arising from an obligor’s failure to meet the terms of any contract with the Group or failure to otherwise perform as agreed. Credit risk arises whenever funds are extended, committed, invested or otherwise exposed through actual or implied contractual agreements, whether reflected on or off the balance sheet. Examples of credit risk may be found in lending products, investment portfolio products, derivatives trading partners, foreign exchange counterparties, country or sovereign exposures and indirectly through guarantor performance.
3. Market Risk: Equity Trading Book – VaR, Liquidity Horizon, Stop Loss limit breaches, Exposure Limits etc.; FX VaR, FX Exposure Limits, Hedge effectiveness, Stop Losses, Derivative Trade Exposure risk details etc. Market Risk is the risk arising from changes in the value of portfolios of financial instruments or other assets. Market risk can be thought of as price risk and arises from market making, dealing and position taking activities in interest rate, foreign exchange, equity and other commodities markets. The primary accounts affected by market or price risk are those which are revalued for financial presentation, e.g. trading accounts for securities, derivatives and foreign exchange products.
4. Liquidity Risk: Liquid assets stock, Various liquidity gaps and ratios, contingency funding etc. Liquidity Risk is the risk arising from a bank’s inability to meet its obligations as they fall due, without incurring unacceptable losses. Liquidity risk includes the inability to manage unplanned increases or decreases in funding sources. It also arises from the business failure to recognize or address changes in market conditions that affect the ability to liquidate assets quickly and with minimal loss in value.
5. Interest Rate Risk: Earnings at Risk, Gaps, Funding Cost etc. Interest Rate Risk is the risk arising from movements in interest rates. Interest rate risk arises from differences between the timing of rate changes and the timing of cash flows (re-pricing risk); from changing rate relationships among different yield curves affecting business activities (basis risk); from changing rate relationships across the spectrum of maturities (yield curve risk); and from options available to the Bank’s counterparties to make prepayments or early withdrawals, which can leave the Bank with excess or deficit funds that need to be invested or funded again at unknown profit rates. This imposes a rate of return risk on the Bank.
6. Strategic Risk: Business Strategy related risks, competition etc. This is the risk arising from adverse business decisions or the improper implementation of such decisions. Strategic risk is a function of the compatibility of an organisation’s strategic goals, the resources deployed against those goals and the quality of implementation. The risk focuses on more than a written strategic plan. The focus must be on determining how the plans, systems and their implementation affect the franchise value and how management analyzes external factors which impact the strategic direction of the Group.
7. Reputation Risk: Code of Ethics compliance, disclosures and other related information – Reputational Risk is the risk arising from negative public opinion. Reputational risk impacts the Bank’s ability to establish new relationships or services or to continue to service existing ones. This risk is inherent in all activities, including asset management and agency transactions, but it is very difficult to identify and quantify quickly. Financial institutions that associate their name with products and services, such as fiduciary services, are more likely to have higher reputational risk exposure.
8. Fiduciary Risk: Fiduciary Risk is the risk arising from the non-performance of the legal or contractual duties associated with acting on behalf of and in the best interests of Trust customers.
9. Operational Risk: People, Processes, Policies and Procedures, Technology, BCP, Insurance, Loss Data etc. Operational Risk is the risk arising from direct and indirect loss resulting from inadequate or failed internal processes, people or systems or from external events. This definition includes disaster recovery planning as another element of operational risk management.
10. Compliance Risk information: Compliance Risk is the risk arising from breach of or non-compliance with laws, rules, policies, regulations, prescribed practices or ethical standards. It exposes the Bank to fines, civil penalties, payment of damages, voiding of contracts and/or increased reputational risk. It encompasses all laws, prudent ethical standards and contractual obligations and includes litigation from all aspects of financial services.