Developments in Risk Management – people, process and systems considerations David Millar, COO, PRMIA Hyderabad, 9th


Presentation Transcript

1. Developments in Risk Management – people, process and systems considerations David Millar, COO, PRMIA Hyderabad, 9th October, 2007

2. Why do we manage risks?

3. Developments in Risk Management – people, process and systems considerations History, Dimensions and Drivers of Risk Management

4. Risk in history

5. Drivers of risk management Regulatory drivers Local Regional Global Business drivers Increased profitability Reduced losses Improved reputation (customers, public and analysts) Credit agency ratings

6. Business drivers

7. What the rating agencies say … “Moody's believes that the assessment of risk is becoming increasingly central to the fundamental analysis of a rated bank. Put simply, risk management improves the quality and stability of earnings, thereby enhancing the competitive position of the bank and facilitating its long-term survival.” “The ongoing integration of its subsidiary banks into a single network poses challenges in terms of operational, personnel, and systems integration. Moreover, the banks purchased by XXX may have hidden operational risks.” A Standard & Poor’s Report “Fitch (Ratings) expects financial institutions, in their response to both regulatory and management requirements, to adopt a balanced approach to risk. This includes an emphasis on tools and techniques designed to assist the management of a financial institution in the prioritization of its risk budgets and in where to focus its efforts.”

8. Regulatory drivers

9. Cross-border implications There is no international jurisdiction. Regulations (global or local) implemented by local courts or regulators. International implications are enforced by: Agreement by local bodies that they will implement international regulations (i.e. Basel II but also such as transport regulations), sometimes with local variations A local regulator imposing regulations on the local branch of an overseas company so that the implications extend to the home country and other branches, i.e. money laundering regulations, Australia’s Foreign Trade Practices Act, etc An overseas company taking advantage of national facilities (i.e. listing on their stock exchange) which then convey obligations across the whole company, i.e. Sarbanes-Oxley

10. Developments in Risk Management – people, process and systems considerations Types of Risk

11. Can we categorise risks?

12. Basel II Risk Coverage

13. Basel II Risk Coverage Credit Risk: The risk of a bank not receiving payment for its assets. Market Risk: The risk that a bank’s assets lose value due to market fluctuations. Operational Risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk, but excluding strategic and reputational risk.

14. Risk needs to be Categorised Credit Risk: Counterparty categorisation, loan description, probability of default, expected loss, loss given default. Market Risk: Trade details, market variables, probability calculations. Operational Risk: Risk categories, event categories, probabilities, controls (descriptions, costs, effectiveness, etc), expected losses, unexpected losses, actual losses, indicators, responsibilities and authorisations, etc.

15. Operational risk categorisation frameworks can be complex

16. Financial risk management environment

17. Operational risk management environment

18. Technical implications Financial (credit, market, liquidity, etc) risk Real-time High availability High performance requirements Automated input, few users Very large amounts of relatively simple data Kept for a long time (5 years) Data comes from existing core systems Non-financial (operational) risk Once a day for input, once a month for reporting Low performance requirements Manual input, many users Relatively small amounts of fairly complex data Kept for a very long time (at least five years) New data collection systems need to be developed

19. Developments in Risk Management – people, process and systems considerations Risk and Capital

20. What is capital?

21. Capital covers risk …

22. Banks are very different

23. A different level of risk cover …

24. The Public is at the End of the Road … Greenspan: “… nor should we require individual banks to hold capital in amounts sufficient to fully protect against those rare systemic events which, in any event, may render standard probability evaluation moot. The management of systemic risk is properly the job of central banks. Individual banks should not be required to hold capital against the possibility of overall financial breakdown. Indeed central banks, by their existence, appropriately offer a form of catastrophe insurance to banks against such events …”

25. Bank Capital … … differs from a non financial firm’s capital: it protects against future, unidentified risks and losses while enabling the bank to operate at the same level. … strengthens the stability and soundness of the (international) banking system and, if applied universally, the competitive inequality among banks is diminished. So banks simply need to cover themselves against the risk of insolvency due to losses exceeding allocated capital. Banks manage risks; regulators decided on an arbitrary capital to risk asset ratio: there is no correct answer. “Capital adequacy” for banks was conceived in 1988 (the Cooke Committee, to become the Basel Committee on Banking Regulations and Supervisory Practices).

26. Basel Capital Accord (Basel I), In 1988 the Basel Committee on Banking Supervision recommended a risk-weighted capital ratio for internationally active banks, This set minimum standards of capital adequacy, A “New Capital Accord” (Basel II) proposed in 1999, Extended to cover regulatory (Pillar 2) and disclosure (Pillar 3) requirements, (Pillar 1 = approaches as how to calculate regulatory capital) Final (reviewed) version released November 2005 (over 100 countries to implement – still some questions regarding the US implementation) Complete Accord will take effect from 2007 (earliest participants) onwards to 2012 The BIS created standards on capital

27. … and decided that … Risk-weighted assets would be basis for capital requirements

28. 8% is the minimum

29. Citigroup’s Capital ratios (2003)

30. Commercial banks, which comply with Basel II, can decide (or their regulator can decide) which approaches to calculating regulatory capital they adopt, but … … regardless of capital approaches all Basel II compliant organisations must develop: an appropriate risk management environment, risk identification, assessment, monitoring and mitigation/control, regular independent evaluation of policies, procedures and practices, and make sufficient public disclosure to allow the market to assess their approach to operational risk management. But Basel Capital Adequacy is not all

31. Even if the bank goes for the simplest approach to Risk-weighted Capital:- A risk assessment culture must be created, Credit and operational risks must be monitored, Risk must be tracked, A risk trend history must be created, Risk actions must be disclosed. Regardless of Pillar 1 approach

32. Developments in Risk Management – people, process and systems considerations Current Implementation considerations

33. Banks are not homogeneous – with respect to risk management implementation

34. Implementation

35. From financials to processes Credit/market risk relatively mature (liquidity risk still causing concerns!) But still needs data and model validation, corrections, backdating of parameters, etc Operational risk still immature Specifying it What is it? How to recognise and classify it? Setting it up Involving the users, gaining commitment, regulatory approval, etc Rolling it out and maintaining it Collecting accurate data - feedback – validation - correcting errors – changing classifications – renewing systems, etc

36. The Pillar II Maze

37. Some implementation issues Processes, systems and capital allocations are easy – the problems are the “people issues”: Build the governance processes Creating the framework – consensus on risk categorisation Getting user involvement – from the right people Achieving user acceptance – “why am I doing this? I have better things to do!” Deciding on how much data to collect – too little = poor statistics, too much = inaccurate data Ensuring clean data – cleaning old data, ensuring new data is completed correctly Gaining regulatory approval – different interpretations/numerics in different jurisdictions Building a risk culture – everyone knows what risk is Integrating feedback and statistics – to improve the system How to update the systems – validating and changing processes, risk categories (framework) and systems upgrades

38. #1. Why a governance process? Basel II (and Sarbanes-Oxley and others) requires that the Board takes overall responsibility for risk management – and is aware of risk developments It requires that all senior management takes responsibility for the risk processing and management within their areas, and It mandates a “risk culture” within the organisation.

39. Commitment Commitment on risk management is needed from: Owners/shareholders The Board Senior management Departmental managers Audit, asset and liability management and compliance Human resources Staff Geographies

40. #8. Building a risk culture

41. Examples of staff risk culture All staff know: What a risk control or risk event is Why they exist What their risk responsibilities are Prime and alternative reporting routes What happens to their reports What was the result of “their” event’s mitigation What the institution’s risk status is (overall and their part) How it is improving (or getting worse) What their risk training plan is

42. Examples of management risk culture All Board and senior management know: What the institution’s risk policy is What their risk appetite is What their own risk responsibilities are What major risk controls have been infringed or what risk events have taken place What cumulative risk situations have accumulated What the institution’s risk status is How it is improving (or getting worse) What the business impacts are

43. Why are Risk Cultures important? Risks are managed by people People can apply standards with greater or lesser degrees of efficiency – or they can make mistakes People must apply the appropriate risk management standards to the best of their ability Regulators appreciate that the best standards and guidelines are only effective if implemented correctly – and with diligence and enthusiasm. Regulators will therefore test an organisation’s risk culture along with its risk standards, best practices, capital robustness and disclosure procedures.

44. Attributes of a risk management culture Attention is paid to quantifiable and unquantifiable risks. All risks are identified, reported and quantified. Awareness of risk through performance measurement, risk-adjusted pricing, pay structures and forecasting. Risk management is accepted as everyone’s responsibility. Risk managers have teeth. The enterprise avoids what it doesn’t understand. Uncertainty is accepted. Risk managers are monitored. Risk management is not to stop people from taking risks but to create value, by enhancing the chances of success. The risk culture is defined, the risk appetite is understood.

45. … and finally Talk to the supervisors Regulations are interpreted and implemented by regulators, central banks and supervisors They will have national interpretations – and local preferences and good practices They are responsible for cross-border cooperation and interpretation They will set implementation practices – rule and regulation based – or risk and principle based Because commitment to the regulations is their primary function, whereas, for the bank it is a secondary activity

46. Developments in Risk Management – people, process and systems considerations … and what of the future?

47. What has the sub-prime crisis taught us? We have not solved liquidity risk How to model it? What is its impact on credit and market risk? How to put capital aside? Are Rating Agencies the right measurement? Are they trustworthy? They are paid by the sellers of instruments Rating agency arbitrage Is operational risk-derived capital enough? Is bad rating an op risk? Is bad loan management an op risk?

48. Risk models have not yet been tested First banks move to advanced methods in 2008 No one is comparing model performance Will the US come into line? Can Basel survive double standards? Does scenario testing work? How long before we have sufficient data? Will models be rated? If so, by whom?

49. A global operational risk standard? There is no common practice for: Risk and event categorisation Risk assessment Global operational risk databases are limited ORX, what else? How to compare bank v bank? How do we merge operational risk data? Cross-border comparison

50. Basel III Is risk-adjusted capital the only way to measure and control risk? Will operational risk-adjusted capital be a glorious failure? What will replace the rating agencies? Can we ever solve liquidity risk? Can we continue ignoring strategic and reputational risk? Why has it all become so complicated?

51. Hyderabad Chapter, 9th October, 2007 A PRMIA Members Update

52. The Global Organisation The Professional Risk Managers’ International Association (PRMIA) - the world’s leading risk professional’s association. 44,500+ risk professionals from all segments of the financial services industry in 179+ countries (both free and paid membership) Members from 4,000+ organisations, 200+ members meetings annually in 60+ chapters A quarterly journal and a monthly newsletter The Professional Risk Manager’s Handbook The PRM exam – the world’s most comprehensive risk manager’s exam with 2,150 candidates in 96 countries Member-led (400+ volunteers), grass-roots organisation with its own Code of Risk Ethics A “not for profit” organisation governed by its members Standards – accreditation – meetings – events – training networking – website – research

53. PRMIA – the past year New chapters - Tokyo, Bangalore, Hyderabad, Vienna, Beijing, Amsterdam, Frankfurt, San Francisco, Kolkata and S Africa. First one day PRMIA conference given in NY in February, second already held and two more planned for 2007 Toronto University and NUS running PRM courses in China and Singapore. Regulators approve PRM in Singapore and Bahrain Indian chapters initiate research program Corporate membership services launched Website remodelled Publishers McGraw-Hill to reformat the Handbook, also wider availability and translation of the PRMIA Handbook Henry Stewart Publications to issue a quarterly Journal of Risk Management in Financial Institutions – free to PRMIA Full Sustaining Members PRMIA expand support team to take on marketing, sales and conference/event support staff

54. PRMIA – the next 12 months New chapters - LA, Delhi, Brussels, Miami, West Indies, Turkey, Bermuda, Romania, Trinidad and re-open Dusseldorf, Madrid, Bangkok, KL, Taiwan and Australian chapters amongst others. 2008 Global Event Series – Credit Risk in February, ERM in April, Operational Risk in September, Valuation in an Environment of High Complexity and Liquidity Risk in November. Each month to include 3-4 one day events in major centres plus chapter events. Handbook to be updated via Academic Committee, reformatted to 10-12 books and released to public sale through bookshops via McGraw-Hill starting end 2007. Opening up the PRM exam to offer a non-quantitative, entry-level exam – the Foundation PRM – to be released Q1 2008 White papers sought for JRMFI – editorial committee of PRMIA and non-PRMIA. Also PRMIA quarterly members news newsletter David Koenig changes role. Objectives to increase PRM candidates: more solid financial status through exam and handbook income, sponsorships, corporate memberships, and Sustaining Memberships.

