Jag Presentation V120601

Page 1: Jag Presentation V120601

Presentation reflecting 2010 context in Banks
By Anthony Gagnon, MBA, C.Adm., CMC

Page 2: Jag Presentation V120601


Introduction: financial crisis

JA Gagnon, Executive Consultant [email protected]

Page 3: Jag Presentation V120601

The savings and loan crisis of the 1980's resulted in the failure of over 700 savings and loan associations. That crisis resulted in a huge wave of lawsuits and follow-on insurance recovery disputes.

The dot-com bubble in the mid-1990's lasted until March 10, 2000, when it burst. That crisis resulted in a huge wave of lawsuits and follow-on insurance recovery disputes.

The credit crisis of 2008 has resulted in Freddie Mac, Fannie Mae, AIG, Bear Stearns, Lehman Brothers and Washington Mutual all failing in one form or another. One might predict a wave of lawsuits and follow-on insurance recovery disputes.


Page 4: Jag Presentation V120601

Poor economics:
◦ Idea that free markets work with perfect information sharing (efficient market theory)
◦ Fiscal policies used to sustain demand (mortgage tax incentives) but creating a debt culture (live on credit as asset values will always increase)
◦ Moral hazard (if things go wrong the central bank or government will «guarantee» everyone's safety).

Greed fed by poorly designed remuneration/performance rewards (incentive payments in good and bad times)

Weak risk management

Irrational exuberance (expectation of continuous double digit asset value growth)

Failure of the underwrite-to-distribute credit model


Page 5: Jag Presentation V120601

Largest bankruptcies by assets at filing:

Firm                          Assets (US$ billions)   Date
Lehman Brothers               639.0                   Sept. 15 2008
WorldCom                      103.9                   July 21 2002
Enron                          63.4                   Dec. 2 2001
Conseco                        61.4                   Dec. 18 2002
Texaco                         35.9                   April 12 1987
Financial Corp. of America     33.9                   Sept. 9 1988
Refco                          33.3                   Oct. 17 2005
IndyMac Bancorp                32.7                   July 31 2008
Global Crossing                30.2                   Jan. 28 2002
Calpine                        27.2                   Dec. 20 2005

Source: Bloomberg/The Globe and Mail; Bankruptcydata.com


Page 6: Jag Presentation V120601

Risk management more critical than ever

ERM is in, «siloed» approaches out

More regulation coming, not less, with some regulation of systemically important shadow markets

Risk management emphasis:
◦ Governance
◦ Liquidity
◦ Economic capital and procyclicality
◦ Product development risk and suitability
◦ Counterparty risk
◦ Reputation and moral hazard


Page 7: Jag Presentation V120601

Strong and independent risk management will be required

Strengthening of resiliency of critical payment and settlement systems

Capital will remain key for financial institutions; expect higher minimum requirements, above model produced capital figures

Macro-prudential (systemic risk) focus for supervisors

Remember: "Successful institutions are ahead of the regulator in managing their risks." (1)

(1) Dickson, Julie, OSFI, KPMG 2009 Conference, Nov. 26 2009

Page 8: Jag Presentation V120601

Enterprise Risk Management, Governance and Compliance

[Figure: risk management process diagram. Establishing the context; Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation); Risk Treatment; with Communication and Consultation and Monitoring and Review running alongside every step.]

Page 9: Jag Presentation V120601

Governance : organizing the entity to achieve its mission, meeting shareholder and other stakeholder rights and expectations

Risk Management : proactively dealing with uncertainty and events which may adversely affect desired outcomes

Compliance : ensuring the conduct of the activity of the organization meets standards (self-imposed or not), contractual obligations, regulations and laws

G : Vision, goals, structure; board and executive accountability, powers and oversight; strategic processes and controls over execution

R : Framework, processes and tools to identify, measure, report and mitigate uncertainties which may prevent the achievement of the corporate vision and strategy

C : Checks and balances, processes, controls and tests providing a reasonable assurance that the organization meets expected practices of governments, regulators, industry and stakeholders


Page 10: Jag Presentation V120601

Risk management is about considering the downside of the normal risk taking that accompanies any decision making in any context, whether in a «for» or «not for profit» enterprise.

All risk management activities require the identification, measurement, analysis, mitigation or financing/assurance of any residual risk.

ERM implies management across business lines and integrating all risk categories in a strategic view


Page 11: Jag Presentation V120601

Risk Management vs. Enterprise Risk Management

Risk Management:
1. Silo, individual view
2. Mostly tactical orientation
3. Related to control and minimization
4. Viewed within legal or organization structures
5. Central and functional responsibilities prevail

Enterprise Risk Management:
1. From top to bottom, across the organisation and risks
2. Linked to strategy
3. Related to competitiveness
4. Emphasises process view across legal or other divides
5. Decentralized, business wide


Page 12: Jag Presentation V120601

Risk Management vs. Enterprise Risk Management (continued)

Risk Management:
6. Reactive to issues
7. Focus on short term financial impact
8. Control and minimization specific to events or department processes
9. Individual risk analysis

Enterprise Risk Management:
6. Proactive with significant risks
7. Focus on mitigation of impact on organisation stability
8. Control and mitigation optimized in relation to importance and across interdependent structures or processes
9. Portfolio and strategic interdependence view


Page 13: Jag Presentation V120601

Risk management and compliance are no substitute for:
◦ Strong governance

◦ Shared values permeating the culture of the organization

◦ Sound practices

◦ Adequate control and oversight

◦ Independent expert assessment

ERM requires C-suite advocated support, discipline, resources and transparency/disclosure


Page 14: Jag Presentation V120601

Operational Risk Management (ORM)

[Figure: ORM model. Process, Systems, People and External environment surround the Plans, Projects, Activities and Products & services of the institution.]

Page 15: Jag Presentation V120601

Operational risk (OR), sometimes wrongly defined as all risks other than credit or market (or other than financial and strategic), is embedded in each process and business activity. It is found in:
◦ Practices, documented or not;

◦ Process design and execution;

◦ Planning: strategic, tactical and operational;

◦ Product design and sales;

◦ Project planning and execution;

◦ Etc.

Note: it is useful to distinguish OR from business risk. The latter designates all risks of doing business and incorporates financial, strategic and operational.


Page 16: Jag Presentation V120601

Many variants, however, Basel II:

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

◦ Note: thus, it excludes Strategic and Reputational risks from capital calculations.

Certain FIs recognize the impact of not meeting strategic objectives and reputational damage in their definition.


Page 17: Jag Presentation V120601

Market/Credit Risk vs. Operational Risk

Market/Credit Risk:
◦ Defined groups execute
◦ Authority model in place
◦ Defined in relatively clear terms
◦ Language and metrics are mature
◦ Real time, forward looking focus
◦ Impact: losses aggregated and tracked
◦ Risk models well established, with proven accuracy when fit for purpose

Operational Risk:
◦ Everyone is involved
◦ Mostly emerging frameworks
◦ Definition required, with boundary issues examined
◦ Language and metrics are evolving
◦ More emphasis on loss history and anecdotes
◦ Impact: losses often buried in accounting and not always aggregated
◦ Risk models: no common standard in the FI industry


Page 18: Jag Presentation V120601

In managing OR, the FI wants to:
◦ identify inherent risks associated with an activity;
◦ eliminate them if possible and desirable;
◦ mitigate them through controls or process improvements; and,
◦ to the extent a residual risk remains, transfer, insure or set up capital to provide for it.

Acceptance of residual risk should be done by optimizing the expected risk/return of an activity.

In summary: make better decisions and avoid surprises.


Page 19: Jag Presentation V120601

Risk identification: identify and capture events and issues

Risk analysis: measure and find causes

Risk evaluation: assess, establish the impact

Risk treatment: mitigate and control

Follow, review and improve on control and mitigation measures

Communicate and consult: disclose and escalate issues; report to Executives/Board and disclose to stakeholders


Page 20: Jag Presentation V120601

People, human behaviour, intentional or not, individual (ex. disregard of procedure) or collective (ex. lack of training);

Process failure (ex. due to incomplete or faulty design);

System failures; and

External events.


Page 21: Jag Presentation V120601

Direct losses:
◦ Write-offs
◦ Costs: of waste, to repair or replace
◦ Restitution or other settlements
◦ Legal fees

Indirect losses:
◦ Foregone revenues, or
◦ Objectives missed; and
◦ Loss of recourse

Reputation impact

Near-misses or incidents producing no loss or positive revenue (captured or not)


Page 22: Jag Presentation V120601

Internal fraud. For example, intentional misreporting of positions, employee theft, and insider trading on an employee’s own account.

External fraud. For example, robbery, forgery, cheque kiting, and damage from computer hacking.

Employment practices and workplace safety. For example, workers compensation claims, violation of employee health and safety rules, organised labour activities, discrimination claims, and general liability.

Clients, products and business practices. For example, fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank’s account, money laundering, and sale of unauthorised products.

Damage to physical assets. For example, terrorism, vandalism, earthquakes, fires and floods.

Business disruption and system failures. For example, hardware and software failures, telecommunication problems, and utility outages.

Execution, delivery and process management. For example, data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance, and vendor disputes.


Page 23: Jag Presentation V120601

Regulatory compliance

Product suitability

Outsourcing and vendor dependencies

Information security, including client privacy issues

Business Continuity

Fraud management

Money laundering

Model and spreadsheet risk

Fiduciary duties


Page 24: Jag Presentation V120601

Risk and control self-assessment (RCSA);

Loss data collection (LDC);

Key risk indicators (KRI) and risk measurement;

Outsourcing risk management;

Major changes management (activities, reorganisations, products and services, acquisitions, divestitures, etc.);

Action planning, incident management and follow-up;

Business Continuity Management (BCM);

Residual risk financing: capital and insurance program;

Transparency and reporting.
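As an added illustration (not from the presentation, and not any institution's actual tooling), the following Python register ties together three of the slides: the loss components on page 21 (direct, indirect, near-miss), the seven Basel II event types on page 22, and the loss data collection (LDC) and key risk indicator (KRI) tools listed above. Losses are aggregated per event type, which is the "aggregated and tracked" state page 17 says operational risk usually lacks, and a KRI flags categories that breach a frequency or gross-loss threshold inside a reporting window. The field names, threshold values, reporting window and every sample event are constructed assumptions for the example.

```python
"""Operational loss event register: constructed example of LDC + KRI."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# The seven Basel II level-1 event-type categories listed in the presentation.
EVENT_TYPES = (
    "Internal fraud",
    "External fraud",
    "Employment practices and workplace safety",
    "Clients, products and business practices",
    "Damage to physical assets",
    "Business disruption and system failures",
    "Execution, delivery and process management",
)


@dataclass
class LossEvent:
    occurred: date
    event_type: str
    business_unit: str
    description: str
    direct: float = 0.0     # write-offs, repair/replacement, restitution, legal fees
    indirect: float = 0.0   # foregone revenue, missed objectives, lost recourse
    near_miss: bool = False # incident with no loss, still captured (same control failure)

    def __post_init__(self):
        # Reject events outside the agreed taxonomy so aggregation stays comparable.
        if self.event_type not in EVENT_TYPES:
            raise ValueError(f"unknown Basel II event type: {self.event_type!r}")
        if self.near_miss and (self.direct or self.indirect):
            raise ValueError("a near-miss carries no loss amount")

    @property
    def gross_loss(self) -> float:
        return self.direct + self.indirect


def aggregate_by_event_type(events):
    """Return {event_type: {count, near_misses, direct, indirect, gross}}."""
    totals = defaultdict(lambda: {"count": 0, "near_misses": 0,
                                  "direct": 0.0, "indirect": 0.0, "gross": 0.0})
    for ev in events:
        bucket = totals[ev.event_type]
        bucket["count"] += 1
        bucket["near_misses"] += int(ev.near_miss)
        bucket["direct"] += ev.direct
        bucket["indirect"] += ev.indirect
        bucket["gross"] += ev.gross_loss
    return dict(totals)


def kri_breaches(events, window_start, window_end, max_events, max_gross):
    """Assumed KRI: flag event types whose event count (near-misses included)
    or gross loss inside the reporting window exceeds the thresholds."""
    in_window = [e for e in events if window_start <= e.occurred <= window_end]
    breaches = []
    for et, agg in aggregate_by_event_type(in_window).items():
        reasons = []
        if agg["count"] > max_events:
            reasons.append(f"{agg['count']} events > {max_events}")
        if agg["gross"] > max_gross:
            reasons.append(f"gross loss {agg['gross']:.0f} > {max_gross:.0f}")
        if reasons:
            breaches.append((et, reasons))
    return sorted(breaches)


# Constructed sample register (not real loss data) and an assumed Q1 2010 window.
SAMPLE_EVENTS = [
    LossEvent(date(2010, 1, 12), "Execution, delivery and process management", "Retail",
              "Data entry error on wire transfer", direct=12000.0),
    LossEvent(date(2010, 1, 20), "Execution, delivery and process management", "Retail",
              "Wire keyed to wrong account, recalled in time", near_miss=True),
    LossEvent(date(2010, 2, 3), "Execution, delivery and process management", "Retail",
              "Incomplete loan documentation, recourse lost", indirect=45000.0),
    LossEvent(date(2010, 2, 15), "External fraud", "Cards",
              "Forged cheque cashed", direct=8500.0, indirect=500.0),
    LossEvent(date(2010, 3, 2), "Business disruption and system failures", "IT",
              "Core banking outage, 4 hours", indirect=30000.0),
    LossEvent(date(2009, 11, 30), "Internal fraud", "Treasury",
              "Misreported position, prior period", direct=250000.0),
]
REPORTING_WINDOW = (date(2010, 1, 1), date(2010, 3, 31))


def quarterly_kri_report(events=SAMPLE_EVENTS, max_events=2, max_gross=50000.0):
    """KRI evaluation over the assumed reporting window."""
    return kri_breaches(events, *REPORTING_WINDOW, max_events, max_gross)


if __name__ == "__main__":
    for et, agg in sorted(aggregate_by_event_type(SAMPLE_EVENTS).items()):
        print(f"{et:45s} n={agg['count']} near={agg['near_misses']} gross={agg['gross']:.0f}")
    for et, reasons in quarterly_kri_report():
        print("KRI breach:", et, "|", "; ".join(reasons))
```

Two design points carry over from the slides: the near-miss is recorded with a zero amount rather than dropped, so the frequency KRI counts the control failure even when the bank got lucky; and the prior-period internal fraud stays in the register for loss history but falls outside the quarterly window, so it does not distort the current KRI.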


Page 25: Jag Presentation V120601

The three levels of oversight (lines of defence) include, at the 1st level, the business unit oversight of processes; at the 2nd level, the independent risk management function; and finally, at the 3rd level, the independent verification of both by (a) third party (ies), normally internal or external auditors.


Page 26: Jag Presentation V120601

ORM Implementation

[Figure: ORM implementation cycle. Mandate and Commitment; Design of Framework for Managing Risk; Implementing Risk Management; Monitoring and Review of the Framework; Continual Improvement of the Risk Framework.]

Page 27: Jag Presentation V120601

A realistic implementation strategy must position the project as a desired maturity target within a reasonable time frame given the current state of practices in place.

Most major Canadian FIs targeted the most sophisticated ORM framework, including Advanced Measurement Approaches (AMA) to calculating capital.

However, Canadian FIs, except one, started at the intermediate (standardized) approach level.

Design, consensus building, approval and implementation of a standardized framework requires as much as 3 to 5 years of effort.


Page 28: Jag Presentation V120601

Board mandate, support and oversight

Governance structure and reporting lines

Tone at the top backed by resources for the project

Awareness and communication programs

Internal risk management culture
◦ ORM understood as everyone's business
◦ Balance of focus between governance/management and quantification/capital requirements

Available financial and expert resources

Clear link of risk assessment/profile with strategic plans

Integration of ORM in routine processes and daily operations


Page 29: Jag Presentation V120601

«Silo approaches» vs. need for integrated (all risks)/enterprise view (all of FI - top down and across)

Cost/benefit approach difficult to articulate and may not be totally useful or possible to quantify

Need/desire for convergence of competing disciplines not yet achieved: governance, risk and compliance (GRC)

Discipline is a work-in-progress, not a science

Current level of automation and state of enabling technologies do not necessarily support all integration needs in one platform, nor the production of a customized «dashboard» based on risk profiles and context.

Measurement and loss data collection: quality, consistency and comparative value within the FI and throughout the industry. [benchmarks in development; external databases available and improving]


Page 30: Jag Presentation V120601

Concluding Remarks

[Figure: three levels of risk management, Operational, Tactical and Strategic.]

Page 31: Jag Presentation V120601

An appropriate ERM framework is the responsibility of the Board and Executives.

Strong governance, tone at the top, sound practices, independence of the RM function and adequate resources are key to implementation success.

An efficient framework comes with embedding the RM processes in routine processes and daily activities.

OR must be managed at all levels and requires an enterprise view, across all entities and business units.

Cooperation and convergence of risk disciplines is desirable and possible albeit requiring hard work.

The OR framework is necessarily an interpretation of principles and a work-in-progress along a continuum of maturity targets.


Page 32: Jag Presentation V120601

Appendix: Readings

Page 33: Jag Presentation V120601

◦ Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk, February 2003

◦ Office of the Superintendent of Financial Institutions Canada (OSFI), Capital Adequacy Requirements (CAR) No: A-1, Effective Date: November 2007; or Bank for International Settlements (BIS), Basel II: International Convergence of Capital Measurement and Capital Standards: A Revised Framework - Comprehensive Version, June 2006

◦ BIS, Results from the 2008 Loss Data Collection Exercise for operational risk, July 2009

◦ BIS, Observed range of practice in key elements of Advanced Measurement Approaches (AMA), July 2009


Page 34: Jag Presentation V120601

High-level principles for business continuity, August 2006

Initiatives by the BCBS, IAIS and IOSCO to combat money laundering and the financing of terrorism, June 2003

Operational risk transfer across financial sectors, August 2003

Outsourcing in Financial Services, February 2005

Regulatory and market differences: issues and observations, May 2006
