Discuss the framework for risk management and control within a company
Describe an appropriate framework for an organization’s ERM
Describe governance issues including market conduct, audit, and legal risk
Discuss the cultural aspects of risk assessment and management, including the problems of bias
Describe how to determine a company’s risk appetite, risk capacity and risk objectives
Discuss the application of the RM control cycle, including the relevance of external influences and emerging risks
The information required to meet the accountabilities and responsibilities discussed so far is obtained by means of monitoring and communication processes within the organization
This module will consider all the activities associated with the monitoring of:
Risk exposures
Risk processes
The organization must gather suitable data (internal and external) on which to base its risk analysis, to support the risk monitoring and communication process
Need to invest in appropriate systems and technology, with adequate HR, to support this process
People need to have clear objectives and reporting lines
The RM process should be supported with thorough documentation, using common templates across the business
Things that should be properly documented
RM decisions made, and the reasons for them
Systems (e.g. system specifications and user acceptance testing of IT systems)
Financial models (incl. assumptions and data used)
Risk management failures (incl. nature of failure and losses incurred)
A substantial amount of information is needed to operate and manage risk effectively
Information needs to be reliable and delivered in a timely manner
Trade-off in the amount of data:
Too much data, so that it cannot be usefully digested
Too little data, so that it is uninformative
Communication:
The way that information is collected and disseminated
Types of communication
Internal (management info):
About what is happening inside the business
(e.g. cash-flow position, sales, inventory levels)
External (inwards):
What is happening outside the company
(e.g. competitors’ sales)
External (outwards):
Distributing information about the company to interested parties
(e.g. media, shareholders, regulators)
Informal:
Word of mouth (or social media)
Formal:
Through the corporate intranet, management information systems, reports and/or corporate newsletters
The RM process and its results must be communicated effectively to stakeholders, to enable them to monitor the RM strategies and complete the necessary feedback loops
Internal communications
(e.g. to Board or relevant committees)
External communications
(e.g. supervisory bodies, investors, analysts)
The organization needs to clearly articulate its risk management strategies to these key stakeholders to receive the full benefit of its investment in ERM
Need to be aware of the sensitivity of the information being shared, particularly with external parties
Benefits of a consistent risk language (taxonomy)
Helps avoid problems such as the duplication or omission of risks
Increases the speed with which ERM becomes embedded in an organization
Particularly important for multinational companies, where the use of different terminology in different domains can confound the ERM process
Risk metrics are included in regular risk reporting
Purpose of risk metrics
Support the implementation of the risk appetite framework
(usually using multiple risk metrics at the same time)
Measure whether the company is operating within its risk tolerance limits
Easier to use in real business decisions than the appetite and tolerance statements themselves
Risk appetite and risk tolerance statements are typically probabilistic statements relating to financial and non-financial events
\(\therefore\) difficult and time-consuming to measure directly
Risk metrics
Consist of quantitative and qualitative indicators of the level of risk in a specific part of the organization
Each level of risk appetite statement may utilize a number of risk metrics (see Module 14 for more)
Risk metrics sit at a supporting level below the detail included in the risk tolerance and limit statements
e.g. IT systems downtime and staff turnover rates can be used as indicators of the level of operational risk to which the organization is exposed
Quantitative or qualitative thresholds on these metrics may act as triggers to identify potential problem areas so that action can be taken
Example:
The Board sets a limit on the level of market risk
The RM function then implements this limit by conducting analysis to identify the key drivers of market risk that might lead to a breach of this limit (e.g. equity and interest rate risk)
The RM function then decides to monitor simple indicators, such as the % of equity in the portfolio and the level of duration mismatch between assets and liabilities, for a quick and early indication of changes in the risk profile that may lead to a breach of the risk tolerance
These indicators are the risk metrics
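The example above, worked through in code. This is an added illustration, not part of the original notes: it computes the two indicators named there (% equity in the portfolio and asset/liability duration mismatch) from a constructed sample portfolio and checks each against hypothetical amber/red trigger levels set below the Board's limit. The flat discount rate, annual cash flows, the threshold values, and the choice to match only the fixed-interest assets against the liabilities are all assumptions made for the example.

```python
"""Added example (not part of the original notes): turning a Board market-risk
limit into the two simple indicators the notes describe, % equity and
asset/liability duration mismatch, and checking them against RAG thresholds.

Assumptions (hypothetical): a flat discount rate, annual cash flows, the
amber/red levels below, and constructed sample portfolio figures. Equities are
excluded from the duration calculation; only the fixed-interest assets are
matched against the liabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    """Trigger levels for one metric: at or above amber -> AMBER, at or above red -> RED."""
    amber: float
    red: float


# Hypothetical tolerance limits set below the Board's market-risk limit.
THRESHOLDS = {
    "equity_share_pct": Threshold(amber=20.0, red=25.0),
    "duration_mismatch_yrs": Threshold(amber=1.5, red=3.0),
}


def present_value(cash_flows, rate):
    """PV of annual cash flows CF_1..CF_n discounted at a flat rate."""
    v = 1.0 / (1.0 + rate)
    return sum(cf * v ** t for t, cf in enumerate(cash_flows, start=1))


def macaulay_duration(cash_flows, rate):
    """Macaulay duration in years: the PV-weighted average payment time."""
    v = 1.0 / (1.0 + rate)
    weighted = sum(t * cf * v ** t for t, cf in enumerate(cash_flows, start=1))
    return weighted / present_value(cash_flows, rate)


def rag_status(value, threshold):
    """Map a metric value to its traffic-light status."""
    if value >= threshold.red:
        return "RED"
    if value >= threshold.amber:
        return "AMBER"
    return "GREEN"


def compute_risk_metrics(portfolio, rate):
    """Return metric values, the RAG status per metric, and the triggered metrics.

    portfolio: dict with equity_value (market value), bond_cash_flows and
    liability_cash_flows (annual amounts; constructed sample data).
    """
    bond_value = present_value(portfolio["bond_cash_flows"], rate)
    total_assets = portfolio["equity_value"] + bond_value
    asset_duration = macaulay_duration(portfolio["bond_cash_flows"], rate)
    liability_duration = macaulay_duration(portfolio["liability_cash_flows"], rate)

    values = {
        "equity_share_pct": 100.0 * portfolio["equity_value"] / total_assets,
        # The sign shows the direction of the mismatch; the threshold is
        # applied to its magnitude.
        "duration_mismatch_yrs": asset_duration - liability_duration,
    }
    status = {name: rag_status(abs(val), THRESHOLDS[name]) for name, val in values.items()}
    triggers = [name for name, s in status.items() if s != "GREEN"]
    return {
        "values": values,
        "status": status,
        "triggers": triggers,
        "asset_duration": asset_duration,
        "liability_duration": liability_duration,
    }


# Constructed sample portfolio: 30 of equities, one 5-year 5% coupon bond
# (nominal 100), and a level liability of 20 a year for 10 years.
SAMPLE_PORTFOLIO = {
    "equity_value": 30.0,
    "bond_cash_flows": [5.0, 5.0, 5.0, 5.0, 105.0],
    "liability_cash_flows": [20.0] * 10,
}

if __name__ == "__main__":
    report = compute_risk_metrics(SAMPLE_PORTFOLIO, rate=0.03)
    for name, val in report["values"].items():
        print(f"{name:24s} {val:7.2f}  {report['status'][name]}")
    print("triggered:", report["triggers"] or "none")
```

With the sample data the equity share comes out just over 21%, so it trips the amber trigger while the duration mismatch (under a year) stays green; the triggered list is what would be escalated to the RM function ahead of any actual breach of the Board's limit.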
Key Risk Indicators (KRIs):
Risk metrics that form a key part of an organization’s risk management framework
A range of quantitative and qualitative risk metrics developed to ensure the org. has a broad view of its risk exposures
The design, implementation, monitoring and reporting of KRIs is part of the ERM control cycle (from Module 8)
Using KRIs
Managers can use KRIs to identify when risk limits are close to being exceeded
and prompt actions designed to keep the organization within its risk tolerances
Factors to consider in deciding which KRIs to use:
Policies and regulations (e.g. regulatory limits)
Strategies and objectives (e.g. volatility of results)
Past losses and incidents (to help judge what is significant)
Stakeholder requirements (e.g. variables monitored by credit rating agencies)
Risk assessments (some areas may require closer scrutiny than others)
Desirable features of KRIs:
Quantifiable (i.e. %, $, numbers)
Based on consistent methodologies and standards
Incorporate key risk drivers (e.g. exposure, probability, severity and correlation)
Tracked over time
Tied to objectives
Linked to an accountable individual
Useful in decision making
Able to be bench-marked externally
Timely
Cost effective to measure
Simple (not simplistic)
Balance of leading and lagging indicators
Feedback loop:
Process by which management and other stakeholders are informed of any significant issues or changes in the business and/or the environment
Information about changes may come from sources that provide information about past events, the present, or expectations for the future
Incorporating feedback loops is one way in which an org. can ensure that its ERM framework is able to identify and respond appropriately to such changes
Importance of effective reporting
Ensures stakeholders have the risk information they require
Ensures the RM framework is embedded within the org.
Reflects risk in management decisions
Enables effective monitoring of risk levels
The Board and senior management need information and feedback to assess the effectiveness of the RM policies and identify areas for improvement
Risk reporting should answer 5 key questions:
Are our business objectives at risk?
Are we in compliance with policies, laws and regulations?
What risk incidents have been escalated and require attention?
What KPIs or KRIs need attention?
What risk assessments need to be reviewed?
Good risk reporting
Clear and relevant
Closely linked to the management of the org.’s risk appetite and risk tolerances
Links clearly to the decisions that the org. needs to make
Includes KRIs to provide sufficient information to allow clear and timely decision making
Balances the need to include all relevant information vs the need for clarity and simplicity
Important that it includes information at the appropriate level of detail for the intended audience
Key components of a risk report to a Board
Qualitative and quantitative information
Summary of losses and incidents
Summary of business risks and the key discussions and decisions required from the Board
Narrative from management on important data and trends
KPIs against KRIs, with important deviations and trends highlighted
Important events / milestones (e.g. regulatory visit)
Risk reports to business managers can be more detailed, with an emphasis on quantitative rather than qualitative analysis (Module 14)
Risk report structure:
Split according to risk types and operating units
Include summaries of key risk areas (in tabular or graphical form)
Indication of the likelihood and severity of impact of each key risk area
Traffic-light (RAG) systems are a common way to highlight areas of focus
Monitoring and evaluation of risk management actions, including a clear statement of accountabilities
The effectiveness of RM actions should be considered against the status of each risk area
Reporting on new and emerging risks, and on trends over time
Need to present sufficient data to ensure decision makers are well informed, yet not so much that they cannot see the wood for the trees
Top-down approach
The best way to do it
For a given audience, think about what information they need to make the decisions they are responsible for
Once identified, the information needs to be presented in a way that is easily understood
Good reporting system:
Forward looking, dynamic, decision-driven, online
Example:
Single point of access to critical risk information collated from various risk systems and data sources
Role-based summary of risk to key decision makers, with drill-down capabilities to more detailed information
Prioritized just-in-time information (e.g. from real-time alerts to quarterly summaries)
Mixture of qualitative vs quantitative, and internal vs external, data
Opportunity for users to provide commentary, explanation or analysis of the information
Bad reporting system:
Historically focused, silo-based, data driven, manually prepared, paper based, static
Example:
Simply collating data from silos
Overwhelming users with too much information
Providing too much qualitative data that does not aid decision making
Focusing on quantity rather than quality of information
See the example of the 2001 GE Business Cockpit
Balanced scorecard
Common reporting approach
Integrates business and financial reporting
Risk assessment in the form of KRIs is usually incorporated (on top of KPIs)
Similar to Lam’s dashboard reporting
Common areas of assessment for a balanced scorecard
Finance
Stakeholders (e.g. customers or clients)
Growth and learning
Internal business processes
Balanced scorecard for the effectiveness of the ERM function
Is the cost of risk minimized? (e.g. losses and mitigation/management costs)
No surprises on regulatory/policy violations?
Performance-based feedback loops (e.g. risk assessments (ex-ante) vs actual losses/events (ex-post))
ERM development milestones met?