Dubai Nov08 Erm Gs Khoo

Description

This file contains info related to my presentation on ERM implementation in the context of financial & regulatory convergence - requirements from SOX, Basel 2, COSO, and IAS/IFRS.

Page 1: Dubai Nov08 Erm Gs Khoo

Guan Seng Khoo, PhD
Head, Group Risk (Models Validation)
Standard Chartered Bank
[email protected]
[email protected]

Structuring ERM for Your Organization in an Era of Regulatory Convergence (Basel II, SOX, COSO, IAS): ERM from a Risk-Return Perspective

Page 2

Agenda
• Introductory Remarks
• ERM from a Risk-Return Perspective
• Identifying the top risks of your organization
• How to develop an appropriate ERM framework:
  - Speaking the Same Language
  - Integration-centric approach
  - Implementing a common risk language that is "aggregatable" & flexible
• The Structure to Governing Risk (Proposed)
• Developing the KPIs to measure the result of your ERM framework
• How to achieve balance on cost of compliance
• Concluding remarks

Page 3

Diagram: drivers of risk and the risk categories they feed
- Economic slowdown, credit crunch: credit risk
- Hedging: regulatory / operational / market risk
- Staff turnover: HR operational risk
- Earnings volatility: reputation risk
- High oil price: strategic / business / market risk

Page 4

Liquidity & Enterprise Risk Management (diagram; recoverable content only)

Risk hierarchy shown: Organization -> Division 1, Division 2 -> Facility 1 to Facility 4 -> Unit 1 -> Assets, People, Management, Systems

Loss exposure worksheet for Division 2: for each priority, division, facility, unit and loss event, record the risk certainty, the expected loss frequencies (major, moderate, minor loss), the annualized risk and the risk contribution per facility (Facility 1 to Facility 4). Frequency-of-loss classes: major, moderate, minor. Criteria for the risk response plan: priority, response criteria, unit operations, actions, loss event.

Process:
1. Identify principal business risks
2. Develop enterprise-wide risk profiles
3. Prioritize risk management plans
4. Identify options for mitigation

Inputs and tools shown: envisioning meeting; data from past losses; data from prior studies; risk mapping; insurance; loss control / mitigation; risk financing alternatives.

Open questions: Who decides acceptability of risks? How quickly to resolve? Who implements solutions?

Page 5

1. Introductory Remarks: Always Bear in Mind, Never Be Complacent
• Even during good times, unexpected negative events can occur – stressed environments! Recall:
  • space shuttle Columbia
  • Tsunami tidal wave & impact in SE & South Asia
  • London 7/7, New York 9/11, etc.
  • Mumbai flood July 2005 – no BCP
  • Hurricane Katrina – impact on oil and lifestyle in Asia
  • Sustained high oil prices
  • Toxic mortgages / subprime contagion

Page 6

Reminder
• Any EWRM (enterprise-wide risk management) framework must consider the potential impact of crises.
• Preparation & implementation should be based on the old military saying, "the more you sweat in peace, the less you bleed in war".
• That is, an EWRM implementation should include a comprehensive program to test portfolios, staff readiness, systems, processes, etc., so as to be better prepared when an unexpected negative event occurs.
• Initial assessment/test of the ability of an institution's portfolio of infrastructure, human resources, systems and processes to withstand scenarios that are likely to occur, calculating the losses should a crisis come to pass – test first to unearth the inefficiencies & loopholes.

Page 7

What You Hope to Achieve
• Every organization is different and has its own priorities with respect to the risks and challenges it faces and the impact they will have.
• However, the greatest challenge has always been the internal environment and the "silo" mindset of the organization, with different groups having their own agenda and priorities.
• This presentation also proposes some strategies to help overcome the challenges posed by this type of organizational culture, namely:
  - Obtain "buy-in" from senior management & the BOD
  - Illustrate a possible outcome which is aligned with the regulatory reporting requirements and also value-adds to the enterprise's information management process
  - To implement, be aware of the demanding and constraining environment of diverse regulatory and supervisory expectations, e.g., Basel II, IAS and SOX
  - Implementation must take into account overlapping issues and aggregate the risk measures in order to have a bird's-eye view of the enterprise
  - Implementation should be straightforward and simple in terms of outcome and reporting
  - Strong guidance & leadership are critical to a (reasonably) successful implementation

Page 8

ERM from a Risk-Return Perspective: Value-for-Money
• Risk-return considerations: 3-D
  - Threat, e.g., high oil prices, terrorism, etc.
  - Uncertainty, e.g., impact of regulatory changes, occurrence of fraudulent activity, etc.
  - Opportunity, e.g., cut down on fraud, enhance reputation and market growth, etc.
⇒ Pro-active risk management instead of being reactive

Page 9

Risk in 3 Dimensions
• Every risk event can potentially lead to an "upside" return, the status quo or a "downside" loss.
• Hence, ERM isn't just about negative risk containment or avoidance,
• but also about strategizing to leverage the risk awareness and activities to enhance returns,
• to ensure the corporation's growth and business continuity and to outperform the average.

Page 10

2. Identifying the Top Risks of Your Organization
• In order to identify and prioritize the top risks, you need to first measure or quantify them
• Use an ERM matrix based on global best practices and accepted principles
• Look for guidance from experts (internal or external)
• Categorize all possible risks & stakeholders
• Localize the risk concentrations and further analyze these risks based on probability and impact at the different levels and hierarchy of the organization

Page 11

Establishing ERM Risk Categories Defined by the Regulatory Agencies

OCC risk categories: Interest Rate Risk; Liquidity Risk; Price Risk; Foreign Exchange Risk; Transaction Risk; Compliance Risk; Strategic Risk; Reputation Risk; Credit Risk

Fed risk categories: Market Risk; Liquidity Risk; Operational Risk; Legal Risk; Reputational Risk; Credit Risk

* Stick to prescribed regulatory definitions: removes ambiguity, don't re-invent
* For the BOD and senior management – ease of understanding & buy-in

Page 12

Next Steps: Understand Your Risk, Your Goals, and Your Priorities
• Based on the risk appetite & ERM matrix, concentrate on the core risks that the organization must either accept, prevent from occurring, lessen the impact of if they occur, or mitigate by transferring the risk away from the key tasks.
• Each risk is then analyzed by assigning it weighting factors such as those shown in the following matrix.
• The matrix weighs the probability of a risk event: the probability that it will occur only once (Low, Medium, High) as well as the probability that it will occur multiple times (Low, Medium, High).
• The matrix also weighs the impact, should the event occur: the impact on a single department or product (Noticeable, Moderate, High) as well as the impact on the entire company or division (Noticeable, Moderate, High).
• The total risk of an event is the product of the probability and the impact. This gives a repeatable approach to prioritizing risks and deciding how each can be managed; it is objective only once the scales are agreed, since the ordinal ratings themselves remain judgments, so the scales and their numeric weights should be fixed and documented before scoring begins.
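The scoring rule above, worked through in code. This is an added example and not part of the presentation: the numeric weights given to the ordinal ratings, the threshold of 4 on each axis used to pick one of the four responses named on the slide (accept, prevent, lessen, transfer), and the sample register are all assumptions for illustration.

```python
"""Probability x impact scoring for a risk register (added example; sample data constructed)."""
from dataclasses import dataclass

# Ordinal scales from the slide; the numeric weights are an assumption for this example.
PROB_SCALE = {"Low": 1, "Medium": 2, "High": 3}
IMPACT_SCALE = {"Noticeable": 1, "Moderate": 2, "High": 3}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    p_once: str          # probability the event occurs once: Low / Medium / High
    p_repeat: str        # probability it occurs multiple times: Low / Medium / High
    impact_local: str    # impact on a single department or product
    impact_wide: str     # impact on the entire company or division


def probability_score(ev: RiskEvent) -> int:
    """Single-occurrence and recurrence likelihoods add up (range 2..6)."""
    return PROB_SCALE[ev.p_once] + PROB_SCALE[ev.p_repeat]


def impact_score(ev: RiskEvent) -> int:
    """Local and enterprise-wide impacts add up (range 2..6)."""
    return IMPACT_SCALE[ev.impact_local] + IMPACT_SCALE[ev.impact_wide]


def total_risk(ev: RiskEvent) -> int:
    """The slide's rule: total risk = probability x impact (range 4..36)."""
    return probability_score(ev) * impact_score(ev)


def suggested_response(ev: RiskEvent) -> str:
    """Map the two axis scores onto the four responses named on the slide.
    The threshold of 4 on each axis is an assumption, not part of the presentation."""
    p, i = probability_score(ev), impact_score(ev)
    if p >= 4 and i >= 4:
        return "prevent"    # frequent and severe: stop it from occurring
    if i >= 4:
        return "transfer"   # rare but severe: insure or otherwise move the exposure
    if p >= 4:
        return "lessen"     # frequent but contained: controls that reduce the impact
    return "accept"         # rare and minor: monitor only


def prioritize(register):
    """Rank by total risk, then by impact, then by name, so the order is stable."""
    return sorted(register, key=lambda ev: (-total_risk(ev), -impact_score(ev), ev.name))


# Constructed sample register (not from the presentation).
REGISTER = [
    RiskEvent("Phishing-driven account takeover", "High", "High", "High", "Moderate"),
    RiskEvent("Data centre flood (no BCP)", "Low", "Low", "High", "High"),
    RiskEvent("Staff turnover in model validation", "Medium", "High", "Moderate", "Noticeable"),
    RiskEvent("Manual data-entry errors", "High", "High", "Noticeable", "Noticeable"),
    RiskEvent("Late regulatory filing", "Low", "Low", "Moderate", "Noticeable"),
]

if __name__ == "__main__":
    for ev in prioritize(REGISTER):
        print(f"{total_risk(ev):>3}  {suggested_response(ev):<9} {ev.name}")
```

The tie-break on impact matters in practice: two events with the same product (here the flood and the data-entry errors, both 12) are not equivalent, and the rare-but-severe one should sit higher because it is the one that exhausts capital and BCP capacity.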

Page 13

Prioritizing in terms of e.g.:

- Exposure loss

- Cost of recovery

- Reputation

- etc.

Page 14

3. How to Develop an Appropriate ERM Framework: The ABC of ERM Implementation
• Internal environment challenges
• Getting the buy-in
• Mindset change management:
  - From silo-based to enterprise-wide holistic view
  - From rules-based to performance-based environment
• How to overcome (some suggestions):
  - SAP: show a possible outcome (a preview)
  - KISS: keep it simple, e.g., speak the same, simple language
  - CLICK: provide creative leadership & strong guidance with conviction & know-how

Page 15

SAP – Show a Preview
• No matter how global or sophisticated your organization is, when you are embarking on an ERM implementation, engagement is the key to gaining buy-in from all levels of the organizational hierarchy – easier said than done though!
• One approach is to illustrate to the key personnel at all levels a prototype model of what they are going to get and how they can benefit from it (the preview). The prototype can first be developed in-house by a project team that will eventually lead and drive the implementation program. Alternatively, it could be based on an existing solution or system used by other organizations ahead of the implementation curve, to which the project team has access. This initial effort in prototyping an interim system or model that can be shown to senior management or directors in the form of an ERM cockpit or dashboard (à la movie poster) brings a lot of benefits to the subsequent deployment and implementation of the ERM system.
• Firstly, much of the effort to produce the prototype helps the project team establish a foundation for an ERM manual that will serve as the reference point for the management policies, procedures and practices governing the initiation, definition, design, development, deployment, operation, maintenance, enhancement and retirement of the ERM system.

Page 16

SAP – Show a Preview 2
• Secondly, the preview of the ultimate ERM system provides visibility and transparency to the whole exercise, enhancing the confidence of the directors and senior management, as it gives them a first "taste" (encounter) of the final solution. More importantly, it gives them an avenue to be critics and provide constructive feedback on the strengths and weaknesses of the interim system that they will ultimately use – indirectly, through their feedback and inputs, they become stakeholders of the ERM implementation project.
• Thirdly, the preview allows for the identification and validation of an opportunity to improve the organization's business accomplishments, or of a deficiency in the ERM project specification; the identification of significant assumptions and constraints on solutions to that need; and recommendations for exploring alternative concepts and methods to satisfy the need.

Page 17

Corporate Performance Cockpit (dashboard screenshot; caption text only)
The actual value of the "Asset Turnover Ratio" is 39, indicated by the black needle; it is calculated as the average over all subsidiaries in 2004. The values 10 and 20 are the two threshold values of the interest expense ratio.

Page 18

Example: ABC Bank KRIs & KPIs (diagram)
- Risk indicators: operating expense; NPL & LLP; asset turnover
- Performance indicators: debt to asset; rate of ROE; RAROC
- Near misses: lack of products; lack of expertise; slow response time; no targeted market; lack of risk-based pricing
- Losses: internal fraud; market share; share price of parent; etc.
- Risk assessment: focus on business process improvements; enhance internal controls (checks & balances); etc.

Page 19

KISS – Keep It Simple, Stupid
• Another key consideration is simplicity. The final ERM system should be easy to use and:
  • emphasize user friendliness over ease of technical design and application software development
  • stick to prescribed terminologies understood by all, e.g., ERM risk categories already defined by the regulatory agencies, in order to reduce ambiguity among the stakeholders and users of the ERM
  • provide easier, secure, reliable access to data
  • tailor management information reports to customer needs
  • provide automated tools to facilitate end-user access to and use of data
  • provide readily available help within the application software and provide computer-based training modules
  • reduce the reliance on paper
  • provide easier, secure access to and management of electronic records, e.g., digital access rights management
• While the ERM system could be quite granular in terms of the depth of information to be retrieved and displayed, the project team should always bear in mind that at the senior management and directors' level the big picture is more critical. Hence, the ERM should allow for customization and access along the different levels of usage across the organizational hierarchy, so that line managers, auditors and directors can access the same repository of information but view it differently according to their needs and functional roles – different access rights can be put in place (enforced at the repository, not merely by report layout, otherwise a restricted view is only a convenience rather than a control).

Page 20

ERM Implementation in the Context of a Diverse Regulatory Environment (Basel II, IAS, SOX, etc.): "Speaking the Same Language"

Principle: SSL (Speaking the Same Language)

Page 21

Why Comply?

"...Simply complying with the rules is not enough. … if companies view the new laws as opportunities - opportunities to improve internal controls, improve the performance of the board, and improve their public reporting— they will ultimately be better run, more transparent, and therefore more attractive to investors."

William Donaldson, SEC Chairman, 4 November 2004

Page 22

Integration-Centric Approach
• Whether it is SOX, Basel II, International Accounting Standards (IAS), etc., integrating information in support of compliance is not a one-off proposition.
• Compliance requires ongoing and constant enforcement.
• It is never a matter of simply checking a box and then moving to another project.
• Compliance-driven requirements are usually phased in, evolve constantly, and invariably become more complex and stringent over time.
• An integration-centric approach enhances the flexibility, and thus the value, of such an architecture, because you can design the data integration capabilities necessary to meet whatever happens regulation-wise.
• You have a supple, adaptable and (over time) familiar framework for integrating new data and types of data in new ways.
• In contrast, a non-integration-centric approach means having to re-collect data for each new compliance mandate that comes along.
• An integration-centric approach allows institutions to standardize their risk language in terms of the underlying Basel II risk-compliance categories or items and the overlapping risk parameters in the context of associated regulations (SOX, IAS, etc.)

Diagram: overlapping requirements by regime
- Basel II: Advanced IRB approach for credit risk; AMA for operational risk; Pillars 2 & 3
- IPSB: high-level standards; liquidity risk; PRMR; PRCR; PROR
- SOX: internal controls effectiveness testing; internal controls disclosure
- IAS: fair value accounting; impairment value; hedge effectiveness; income recognition
Synergy examples: loan impairment; organizational structure; controls testing; risk mitigation; integration of risk & finance

Page 23

Time-Series Analysis for Hedge Effectiveness Test (chart only; no data recoverable)

Page 24

Basel II-compliant Integrated Approach to Risk Management (architecture diagram; recoverable labels only)
- Data sources: G/L; market & external data; internal data
- Calculation engines: Basel II calculation engines; IAS calculation engines; shared risk models & measurements
- Regulatory reporting data mart, feeding the reports: regulatory disclosure; financial and management accounting
- Key: Basel 2 | IAS | Shared

Economic capital (EC) by scenario type, obtained by Monte Carlo simulation over severity and frequency distributions:
- CaR1: de-pegging of USD/RMB
- CaR2: Asian financial crisis / pandemic flu
- CaR3: terrorist threat & rise in NPL
- CaR4: succession & general election
- CaR5: sectoral distress, e.g., dotcom bust
- CaR6: fall in FDI (threat from China/India)
- CaR7: bank merger & loss of market share
The chart plots severity against each scenario's capital at risk, with a line for the average economic capital.

Calculation engines act on ratings and the loss distribution to yield the PD (PE), LGD (LE), EAD and VaR, as well as EC (CaR). For each scenario the severity & frequency distributions are adjusted and the capital recomputed.
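The operational-risk leg of the engine described above, as an added example that is not code from the presentation or from the bank: the Loss Distribution Approach, in which annual event counts are drawn from a frequency distribution, each event's loss from a severity distribution, and VaR and EC are read off the simulated aggregate annual loss. The Poisson frequency, lognormal severity, the 99.9% one-year confidence level, the convention EC = VaR minus expected loss, and the two scenario parameter sets are assumptions of this example; the credit-risk outputs on the slide (PD, LGD, EAD) are not covered here.

```python
"""Loss Distribution Approach (LDA) for economic capital (added example; parameters constructed)."""
import math
import random


def poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample by Knuth's method (adequate for the small annual counts used here)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, years, seed=0):
    """One aggregate loss per simulated year:
    frequency ~ Poisson(lam) events, severity of each event ~ Lognormal(mu, sigma)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        n = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def empirical_quantile(sorted_values, q):
    """q-quantile taken as an order statistic of the sorted sample."""
    idx = min(len(sorted_values) - 1, max(0, math.ceil(q * len(sorted_values)) - 1))
    return sorted_values[idx]


def economic_capital(losses, confidence=0.999):
    """VaR at the given confidence over a one-year horizon; EC (CaR) = VaR - expected loss,
    i.e. capital for the unexpected loss only (a convention assumed by this example)."""
    s = sorted(losses)
    expected = sum(s) / len(s)
    var = empirical_quantile(s, confidence)
    return {"expected_loss": expected, "var": var, "ec": var - expected}


def capital_by_scenario(scenarios, years=20000, seed=0):
    """Adjust frequency (lam) and severity (mu, sigma) per scenario and recompute EC."""
    return {
        name: economic_capital(simulate_annual_losses(lam, mu, sigma, years, seed))
        for name, (lam, mu, sigma) in scenarios.items()
    }


# Constructed scenario parameters: lam = events per year; mu, sigma of the log-severity.
SCENARIOS = {
    "baseline": (5.0, math.log(100_000), 1.0),
    "system outage / hacking stress": (8.0, math.log(100_000), 1.5),
}

if __name__ == "__main__":
    for name, r in capital_by_scenario(SCENARIOS).items():
        print(f"{name:<32} EL={r['expected_loss']:>14,.0f} "
              f"VaR99.9={r['var']:>14,.0f} EC={r['ec']:>14,.0f}")
```

Two things worth checking whenever this is run for real: the expected loss of the simulation should match the closed form lam * exp(mu + sigma^2 / 2) to within sampling error (if it does not, the severity parameters or the frequency sampler are wrong), and a 99.9% quantile from 20,000 years rests on only 20 tail observations, so the number of simulated years has to grow with the confidence level rather than stay fixed.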

Page 25

Illustration: Implementing a Common Risk Language that is Flexible & "Aggregatable"

Basel II operational risk event types as laid out on the slide:

Risk category | Event type level 1 | Event type level 2
People risk | Internal acts (Basel II: internal fraud) | Unauthorized activity, theft & fraud, etc.
People risk | Employment practices & workplace safety | etc.
Process | Execution, delivery & process management | Transaction capture, execution, monitoring & reporting, etc.
Process | Clients, products & business practices | Disclosure, fiduciary, improper business practices, etc.
Systems | Business disruption & system failures | Hacking, phishing, etc.
External events | External fraud | etc.

Note: the slide files hacking and phishing under business disruption & system failures. In the Accord's own taxonomy (Basel II, Annex 9), hacking damage and theft of information are Level 2 "systems security" events under external fraud, while business disruption & system failures covers hardware, software, telecommunications and utility outages. A common risk language only stays aggregatable across institutions if such mappings follow the published definitions rather than local convention, so the regulatory category, not the IT label, should drive where a cyber loss is booked.

Mapping regime-specific risks onto one common category:
- SOX risk: misstatement of client fees
- IAS risk: overstatement of hedge effectiveness, fair value measurement
- Internal audit risk: firm enters into a business relationship with inappropriate parties or does not accurately profile the client
- Compliance risk: firm opens accounts with persons intending to launder money and does not detect, report or record suspicious activities by its customers
- Operational risk: failure to follow the firm's policies & procedures
-> Common risk: Basel II – Clients, Products & Business Practices

Page 26

The ERM matrix provides:
- a single enterprise-wide view that encompasses the regulatory definitions of risk categories
- ratings across the whole hierarchy of the organization
- comparative analysis
- segmented information for Internal Audit as well
- simplicity & ease of use
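One way the three ideas on the preceding pages fit together in code: the common risk language (regime-specific labels translated to Basel II event types, page 25), the matrix that aggregates the same events at any level of the hierarchy (page 26), and the same repository served to directors, auditors and line managers under different access rights (page 19). This is an added example, not the bank's system or any vendor's: the Basel II Level 1 list is the Accord's, but the label-to-category mapping beyond the slide's CPBP illustration, the role policy and the loss events are constructed assumptions.

```python
"""A common, aggregatable risk language with role-scoped views (added example; data constructed)."""
from collections import defaultdict
from dataclasses import dataclass

# The seven Basel II Level 1 operational-risk event types.
BASEL_L1 = {
    "IF": "Internal Fraud",
    "EF": "External Fraud",
    "EPWS": "Employment Practices & Workplace Safety",
    "CPBP": "Clients, Products & Business Practices",
    "DPA": "Damage to Physical Assets",
    "BDSF": "Business Disruption & System Failures",
    "EDPM": "Execution, Delivery & Process Management",
}

# Regime-specific labels mapped onto the common language. The first five follow the
# slide's illustration (all land in CPBP); the IT-security rows are added assumptions.
COMMON_RISK = {
    ("SOX", "Misstatement of client fees"): "CPBP",
    ("IAS", "Overstatement of hedge effectiveness"): "CPBP",
    ("Internal Audit", "Inappropriate client profiling"): "CPBP",
    ("Compliance", "AML: suspicious activity not detected"): "CPBP",
    ("Operational", "Policies & procedures not followed"): "CPBP",
    ("IT Security", "Phishing of customer credentials"): "EF",    # systems security -> external fraud
    ("IT Security", "Core system outage"): "BDSF",
}

HIERARCHY = ("division", "facility", "unit")


@dataclass(frozen=True)
class LossEvent:
    division: str
    facility: str
    unit: str
    regime: str   # which framework raised it: SOX, IAS, Compliance, ...
    label: str    # the regime's own wording
    amount: float

    @property
    def basel_l1(self) -> str:
        """Translate the regime-specific label into the common Basel II category."""
        return COMMON_RISK[(self.regime, self.label)]


def aggregate(events, level):
    """Sum losses per common category at any level of the hierarchy.
    Keys are (path down to level, basel_l1); e.g. level='facility' keys on (division, facility)."""
    depth = HIERARCHY.index(level) + 1
    totals = defaultdict(float)
    for ev in events:
        path = tuple(getattr(ev, attr) for attr in HIERARCHY[:depth])
        totals[(path, ev.basel_l1)] += ev.amount
    return dict(totals)


def enterprise_view(events):
    """The single enterprise-wide view: totals per common category, whatever regime raised them."""
    totals = defaultdict(float)
    for ev in events:
        totals[ev.basel_l1] += ev.amount
    return dict(totals)


# Role policy (assumed): scope restricts which rows a role sees, fields which attributes.
# One repository serves everyone; the policy, not the report layout, decides what each role gets.
ROLE_POLICY = {
    "director": {"scope": {}, "fields": ("division", "basel_l1", "amount")},
    "auditor": {"scope": {}, "fields": ("division", "facility", "unit", "regime", "label", "basel_l1", "amount")},
    "division2_manager": {"scope": {"division": "Division 2"},
                          "fields": ("facility", "unit", "label", "amount")},
}


def view(events, role):
    """Rows the role may see, projected onto the fields it may see."""
    policy = ROLE_POLICY[role]
    visible = [ev for ev in events if all(getattr(ev, k) == v for k, v in policy["scope"].items())]
    return [{f: getattr(ev, f) for f in policy["fields"]} for ev in visible]


# Constructed loss events (not real data).
EVENTS = [
    LossEvent("Division 1", "Facility 1", "Unit 1", "SOX", "Misstatement of client fees", 120_000),
    LossEvent("Division 1", "Facility 2", "Unit 1", "IAS", "Overstatement of hedge effectiveness", 300_000),
    LossEvent("Division 2", "Facility 3", "Unit 1", "Compliance", "AML: suspicious activity not detected", 500_000),
    LossEvent("Division 2", "Facility 3", "Unit 2", "IT Security", "Phishing of customer credentials", 80_000),
    LossEvent("Division 2", "Facility 4", "Unit 1", "IT Security", "Core system outage", 250_000),
]

if __name__ == "__main__":
    print(enterprise_view(EVENTS))
    print(aggregate(EVENTS, "division"))
    print(view(EVENTS, "division2_manager"))
```

Because every row is stored once with its regime label and its common category, adding a new mandate later means adding rows to COMMON_RISK, not re-collecting the losses; and because view() filters on scope before projecting fields, a line manager cannot reach another division's rows by asking for a different report, which is the property a "different access rights" requirement actually needs.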

Page 27

CLICK – Creative Leadership with Insight, Commitment & Know-how
• No matter how good the planning, budgeting and resource provisioning are, if the ERM implementation is performed by the "blind leading the blind", e.g., buying an off-the-shelf system and models, and with a lack of conviction and commitment, the final outcome will be a white elephant.
• Risk management must be applied to all phases of the implementation life cycle. Risk, as used in project management, is associated with a lack of resources, information and/or control. Risk management is distinguished from "problem management" in that risk management is concerned with situations that may or may not occur, whereas problem management is concerned with known difficulties that result from a risk having occurred. An analysis of risk, and any strategy adopted to control risk, should at least consider the effect of one or more of three factors: lack of resources (such as personnel or funding); lack of information (for example, completeness and confidence); or lack of control over the decision-making process (such as external project decisions affecting the project plans and assumptions).
• Applying risk management to the ERM production or infrastructure system stage includes considering backup and recovery in service level agreements and plans. Management responsibility for a risk must be assigned to individuals and units that can affect the risk's root causes. The Project Manager shall be responsible for managing project risks over which the Project Manager can exert direct control.
• Risks that affect the project but are not under project control shall be explicitly assigned to either the Program Sponsor or the CRO, as appropriate. Situations external to the project that could be sources of risk to the project shall be coordinated through the Project Manager. Risk shall be a consideration in Review Board and management decisions. Project risk situations, plans and progress against risks must be considered at all project reviews.
• Strong guidance must come from the Program Sponsor, Project Manager and team so that the ERM implementation is carried out with a clear view of the objective and an insightful understanding of what it hopes to achieve. Coupled with the commitment of the team and management, the backing of the whole enterprise and the strong political will of the stewards and stakeholders of the ERM project, the likelihood of a successful implementation is enhanced.

Page 28

Establishing ERM: The 7 Elements of the Risk Management Process, aka "The 7 Habits of Highly Effective Risk Managers"
1. Board involvement – an active board of directors reviews strategic alternatives, develops corporate objectives and then formally approves policies; it also evaluates whether the business is being properly managed
2. Risk management policies – provide broad guidance within which senior management operates and executes the firm's objectives
3. Senior management involvement – senior management then develops strategies consistent with corporate objectives and policies, and ensures that their execution is supported by an effective decision process
4. Decision-making process – the decision process is backed by adequate analytical support and an information management infrastructure
5. Analytics – the analytical support utilizes efficient models which analyze both qualitative and quantitative data
6. Reporting / monitoring – the analytical process in turn generates ongoing reports for performance monitoring, benchmarking and further consequent actions
7. Internal controls – all of the above take place within a strong and practical internal control regime

Page 29

Incorporating the 6 Principles of Shareholder Value, aka "6 Sigma" (diagram)
- Planning
- Measuring Performance
- Pricing Products
- Providing for risk
- Prioritising resources
- Paying for Performance
-> Enhanced Shareholder Value

Page 30

WHAT (do you have)
In terms of "hard" & "soft" infrastructure:
• Corporate Culture
• People
• Process
• Technology: Systems & IT

Page 31

ERM Infrastructure Component View (diagram; recoverable labels only)
- Foundation: data warehouse; data mart; data scrub & cleanse; data sorter; data archival; data feed manager; data stream
- Risk decision support system (infrastructure "mindware"): market intelligence engines; client MS engines; simulation engines; surveillance engines; scoring/rating engines; scenario analyzer; search engines; portfolio management engines
- Methodologies: quantitative (linear / non-linear (AI), extreme value theory, etc.); qualitative (expert judgment, structured scenarios); technology & know-how; policy
- Enterprise: reporting consolidation & document management, framed by the 7 elements (board involvement; risk management policies; senior management involvement; decision-making process; analytics; reporting / monitoring; internal controls)

Page 32

Balanced ERM Implementation Approach (diagram; soft to hard)
"Soft"ware, "mind"ware, "hard"ware and "heart"ware
Elements shown across the soft-hard spectrum: model; human resources; calculator; reporting; data; IT; managing expectations; training; physical; mind; strategy; flexibility; innovation

Page 33

4. The Structure to Governing Risk: EWRM Infrastructure Fundamentals
3-in-1 basic pillars: People, Process, Technology, set within the Corporate Culture

Page 34

The 4 Pillars & EWRM Success

Pillar 1: People
- The greatest challenge is not having the human resource expertise in terms of depth & breadth, e.g., BI implementation in ERM
- Hence, advisory services & training should be part & parcel of good ERM project management governance
- Managing expectations, e.g., transfer of expertise, mindset change management

Page 35

HR/People Responsibility Governance Framework in EWRM
• Board responsibilities – strategic oversight; alignment
• CEO responsibilities – assign responsibility/accountability/authority; oversee compliance
• Executives' responsibilities – project implementation commensurate with risk; integrate with operations
• Senior managers' responsibilities – risk assessment, implement policies, oversee implementation operations
• All employees' responsibilities – awareness; compliance; reporting
• HR implementation program
  – providing support for networks and systems (ref. ISO 17799, renumbered ISO/IEC 27002 in 2007)
  – periodic assessment of risk
  – policies/procedures to address security risks and implementation obstacles; full lifecycle
  – operational awareness training
  – periodic testing; remedial action processes
  – incident response procedures
  – business continuity plans
• Reporting
  – adequacy, effectiveness and acceptable residual risk reported to executives
  – independent evaluation reported to the board

Page 36

Pillar 2: Process
- Workflow checklist of critical business processes in project implementation
- ERM managers/supervisors check that the parameters and conditions used to evaluate key risk measures are sound and rigorous – how?
- Business process management: assessment of process workflow, scenario analysis complemented by documentation & policy manuals
- Business process governance
- Design a process data-warehouse

Page 37

Enterprise Performance (diagram; recoverable labels only)
- Business intelligence: enterprise performance as "WHAT" (results), "HOW" (history), "WHY" (causes); business performance
- Finance & balance + static indicators: liquidity / cashflow; return on investment; RAROC; ROA
- Business process intelligence: process performance = indicators + processes (time, cost, quality, risk); performance indicators + process chain
- Example process chain (customer trading order flow), steps shown: enter order (can be done automatically) -> order entered -> check order -> order checked -> order is for SETS (large caps, selected mid caps) -> match order -> data transferred to OMAR -> complete order (completely filled, price) -> order completed

Page 38

Pillar 3: Technology
- The third pillar seeks to leverage the ability of technology to provide discipline and consistency, helping the ERM personnel and staff optimize business processes via the appropriate enabling tools & systems
- Hence, the ERM team performs stress tests to ensure the adequacy of the ERM implementation in times of shocks or unforeseen obstacles
- Enhance transparency & reputation of project management delivery
- Technology infrastructure readiness

Page 39

Scenario Analysis (diagram; recoverable labels only)
Causes (failure of relevant key risk factors) -> Scenario (potential event) -> Severity of potential loss (range of severity, typical severity) and Frequency of potential loss (range of frequency, typical frequency) -> Evaluation -> KPIs/KRFs

Page 40

ERM Project Management Governance
For each area, evaluate the adequacy of the controls in place for the following risks:
• Project governance
  1. Lack of procedures leads to inconsistencies of approach, and potentially project failures or inefficiencies.
  2. Not sponsored by the business or out of scope.
  3. etc.
• Quality management
  1. Quality is not an integral part of the project.
  2. Poor quality procedures may lead to poor deliverables and customer dissatisfaction.
  3. etc.
• Project planning
  1. Plans are unreadable and difficult to manage.
  2. Poor plans lead to increased costs and delays.
  3. etc.
• Risk & issue management
  1. Risks and issues are identified and managed.
  2. etc.
• Financial management
  1. Costs associated with the project are unknown or inconsistent.
  2. Costs are not being recorded properly, leading to inaccurate financial reporting.
  3. etc.
• Monitoring & reporting
  1. Progress against plan and budget is not monitored, leading to possible loss of management control.
• Project close-down
  1. The project has delivered acceptable products within time and cost.
  2. Poor security or controls can lead to loss of confidentiality, integrity or availability of information services.
  3. etc.

Page 41

Corporate Culture – the "+1" Pillar
• Strengthening corporate governance from the viewpoints of:
  - Boards of directors
  - Management
  - Internal control functions
  - Overcoming silos

Page 42

Achieving a Usable & Relevant ERM System?
• No one answer (depends on scale of implementation, location, global or localized, etc.)
• Ability to standardize & measure project implementation risk-based indicators based on some key criteria:
  - risk-return considerations, e.g., risk appetite, growth vs. pricing (adaptability)
  - cost-effectiveness, e.g., shared services, integrated data warehouse, manual vs. automation, via ABC (activity-based costing), etc.
  - adaptability and transferability, e.g., tackling issues of obsolescence, cross-geographic applications, etc.
  - alignment with corporate governance objectives
  - based on identification of the top risks (known & unknown problems) faced by your organization
  - prioritizing risk based on impact & probability
  - seek benefits beyond "downside" risk management & cost issues to transform overall corporate performance, competitiveness and shareholder value from ordinary to exceptional
  - aim to minimize operational surprises and losses: what is the likelihood of risks "falling through" silo gaps?

Page 43: Dubai Nov08 Erm Gs Khoo

At a practical level the Group risk framework needs to meet the expectations of different parties

… effective risk management combines providing protection and enabling business opportunities

Regulators and other stakeholders
• Effective risk identification
• Robust controls in line with the risk appetite
• Adequate capital to cover unexpected losses
• Groupwide risk and control monitoring regime

Group
• Ensure compliance with policy
• Capital measurement/allocation
• Enhance shareholder value
• Reduce earnings volatility
• Lessons learnt from outside the firm
• Aggregated reporting
• Loss transfer mechanisms
• Methodology design

Business Line
• Applicability of policy
• Transparency of capital calculation
• Meet performance measures set
• Avoid losses as far as practical
• Lessons learnt within the firm
• Business line reporting
• Central and efficiency
• Methodology implementation

Shareholders
• Effective allocation and efficient use of capital
• A risk adjusted basis to performance measurement
• A cost effective risk management framework
• Risk management aligned to value creation

Financial Institution (the entity at the centre of the diagram)

Enterprise Risk Management (ERM) Framework: An Overview

Page 44: Dubai Nov08 Erm Gs Khoo

5. Developing the KPIs to measure the result of your ERM framework

Developing Key Risk and Control Indicators and establishing an early warning system

All About KRIs, KCIs, KPIs & KTIs

Page 45: Dubai Nov08 Erm Gs Khoo

Fundamentals of Enterprise Risk Management

ERM is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

- Proposed by COSO (2003)

Page 46: Dubai Nov08 Erm Gs Khoo

WHY ERM

Are we taking the right risks?
• How are the risks we take related to our strategies & objectives?
• Do we know the significant risks we are taking?
• Do the risks we take give us a competitive advantage?
• How are the risks we take related to activities that create value?
• Do we recognize that business is about taking risks & do we make conscious choices concerning these risks?

Are we taking the right amount of risk?
• Are we getting a return that is consistent with our overall level of risk?
• Does our organizational culture promote or discourage the right level of risk taking activities?
• Do we have a well-defined organizational risk appetite?
• Has our risk appetite been quantified in aggregate and per occurrence?
• Is our actual risk level consistent with our risk appetite?

Do we have the right processes to manage the risk?
• Are our risk management processes aligned with our strategic decision-making process & existing performance measures?
• Are our risk management processes coordinated & consistent across the entire enterprise?
• Does everyone use the same definition of risk?
• Do we have gaps and/or overlaps in our risk coverage?
• Is our risk management process cost-effective?

KRIs, KPIs, KCIs: inherently linked to the organization’s risk appetite & tolerance

Page 47: Dubai Nov08 Erm Gs Khoo

Enterprise Risk Management Framework: Comprehensive Foundation for Sustainable Delivery

Risk Management – Qualitative Management Layer
• Identifying Events
– Identifying Past Events
– Identifying Potential Events
• Analyzing Causes of Events
– Analyzing Causes of Occurring Events
– Analyzing Causes of Occurring or Expanding Losses
• Risk Mapping
– Comparative Analysis by Benchmarking
– Detection Measures for Occurring Losses
• Risk Control
– Prevention Measures for Occurring Events
– Risk Mitigation or Transfer
• Capital Management
– Capital Allocation etc.

Quantitative Management Layer
• VaR Engine
• Scenario Analysis & Stress-Test Engine
• Risk Measurement (Group, Business Line & Risk Types)
• Market Data – IR, FX, Liquidity, etc.
• Potential Risk Scenario

Audit and Inspection Layer
• Review of Audit & Inspection

Page 48: Dubai Nov08 Erm Gs Khoo

KEY -- Linking Business Value & ERM Life-Cycle

Diagram elements: Management; Compliance; HR & BP Governance; ERM Capital Planning; Best Practice Operations; Architecture & Standards; Information Management; Customer Service

Linking the Business Values & ERM Strategies – Ultimate keys to portfolio “success”

Page 49: Dubai Nov08 Erm Gs Khoo

Other Considerations

• Regulatory changes: Convergence & Overlap of Global Guidelines & Regulations, e.g., Basel 2, IAS39/FAS133, SOX, etc.

• Infrastructure (Resource, Process, Technology) Readiness

• Corporate Culture: Mindset Change Management

Page 50: Dubai Nov08 Erm Gs Khoo

ERM Internal Control Framework, e.g. Utilizing COSO’s model

• Focus on the processes between each stage of ERM

• Suggested 8 components: Internal Environment, Objective Setting, Event Identification, Project Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring

Page 51: Dubai Nov08 Erm Gs Khoo

The COSO Framework
• Can view in context of 4 categories
• Considers activities at all levels of enterprise
• 8 components to ERM

Page 52: Dubai Nov08 Erm Gs Khoo

Applying The COSO Framework

• Internal Environment
– Code of conduct/ethics
– Ethics hotline
– Hiring and promotion
– Audit committee oversight
– Investigative process
– Remediation

• Objective Setting
– Policy to reduce loss event incidences
– Incentivization
– Development of database of known loss event activities

• Event Identification
– Monitoring of parameters, KRIs, KPIs
– Comparison and evaluation of certain attributes and trends against previously measured patterns and known signs of risk events
– Outlier and exception analysis

• Risk Assessment
– Systematic process
– Level within organization
– Likelihood and significance
– Via Risk Probability & Impact Analysis

• Risk Response
– Evaluate threshold to mitigate
– Discontinuation, realignment of process
– New policies & procedures
– Risk Response Options:
  • Accept = Do nothing. Willing to take on risk
  • Avoid = Back-out strategy. Disengage from process leading to risk
  • Share = Shift some of risk to external parties (e.g., insurance, outsource, joint venture)
  • Mitigate = Design processes to reduce risk exposures

• Control Activities
– Linking controls to identified risk activities
– Map type of loss events to business process
– Specify how possible future loss events are to be minimized or contained

• Information/Communication
– Information systems & technology
– Knowledge management
– Training/Inculcating Talent

• Monitoring
– Ongoing monitoring by management
– Separate “after the fact” evaluations by internal audit
– Etc.

Page 53: Dubai Nov08 Erm Gs Khoo

KPI & EWS Examples

Benchmarking Governance:
• Benchmarking for Financial Subsidiaries, e.g. RAROC, EVA, CAR, etc.
• Benchmarking for Non-finance subsidiaries, e.g. Key Risk-based Performance Measures (KRPM), ROA, ROE, Liquidity, etc. KRPM can be evaluated quantitatively or qualitatively (using a rating matrix)

Forward-Looking Strategic & Managerial Flexibility
• e.g., Real Options-based Scenario Modeling

Page 54: Dubai Nov08 Erm Gs Khoo

Example of Key Risk-based Performance Measure (KRPM)

Criteria (can be applied to both finance* & non-finance subsidiaries)
• *Till Aggregated Economic Capital (market, credit, operational) for banking institutions can be evaluated
• Other Risk measures (Expected Loss, Economic Capital)?
- Liquidity
- Operational
- Reputational
- etc.

Page 55: Dubai Nov08 Erm Gs Khoo

Balance Sheet Stress Test – Related Risk & Financial Analysis Example

[Table: threshold values under Low Stress, High Stress and Negative columns for each of the ratios below; the mapping of values to ratios and columns is not recoverable from the extracted text]

Liquidity
– Current ratio
Solvency
– Debt to Asset ratio
Profitability
– Net Operating Income
Repayment Capacity
– Debt coverage ratio
Efficiency
– Operating expense ratio
– Interest expense ratio
– Asset turnover ratio
– Rate of return on equity
– Rate of return on assets

Page 56: Dubai Nov08 Erm Gs Khoo

Using risk indicators - escalation limits and targets for monitoring liquidity & reconciliation at one ATM/branch location

Escalation Limits and Targets
[Chart: ATM cash float (y-axis, 50 to 250) by month from Jan-98 to Jul-01, plotting the historical idle cash balance against the escalation limit (1st warning) and the base limit/goal]
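The chart above shows a risk indicator compared against two fixed lines. As an added example (not code from the presentation), the following monitor classifies each month's idle cash balance against a base limit/goal and an escalation limit that raises the first warning; the limit values, the monthly balances, and the consecutive-breach count are all constructed assumptions.

```python
# Added example (not from the presentation): a tiered KRI monitor for an ATM/branch idle
# cash float, using the two lines on the "Escalation Limits and Targets" chart: a base
# limit/goal and an escalation limit that raises the 1st warning. All values are constructed.

BASE_LIMIT = 100.0        # base limit / goal: target idle cash balance (constructed)
ESCALATION_LIMIT = 150.0  # escalation limit: 1st-warning threshold (constructed)

# Constructed monthly idle cash balances, in the units of the chart's y-axis.
IDLE_CASH = [
    ("Jan-98", 90.0), ("Feb-98", 120.0), ("Mar-98", 160.0), ("Apr-98", 170.0),
    ("May-98", 155.0), ("Jun-98", 110.0), ("Jul-98", 95.0), ("Aug-98", 180.0),
]


def classify(balance, base=BASE_LIMIT, escalation=ESCALATION_LIMIT):
    """Map one observation to its indicator band."""
    if balance > escalation:
        return "ESCALATE"       # above the 1st-warning line: notify the escalation owner
    if balance > base:
        return "ABOVE_TARGET"   # above goal but under the warning line: keep watching
    return "ON_TARGET"


def monitor(series, base=BASE_LIMIT, escalation=ESCALATION_LIMIT):
    """Evaluate a (label, balance) series against the limits.

    Returns per-period statuses, the periods that breached the escalation limit, the
    longest run of consecutive breaches (an early-warning signal assumed here, not one
    the chart defines) and the cumulative excess over the base limit (idle, unearning cash).
    """
    statuses, breaches = [], []
    longest_run = run = 0
    excess_over_base = 0.0
    for label, balance in series:
        status = classify(balance, base, escalation)
        statuses.append((label, balance, status))
        if status == "ESCALATE":
            breaches.append(label)
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
        excess_over_base += max(0.0, balance - base)
    return {
        "statuses": statuses,
        "escalations": breaches,
        "longest_breach_run": longest_run,
        "excess_over_base": excess_over_base,
    }

if __name__ == "__main__":
    report = monitor(IDLE_CASH)
    for label, balance, status in report["statuses"]:
        print(f"{label}: {balance:6.1f} {status}")
    print("escalations:", report["escalations"], "longest run:", report["longest_breach_run"])
```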

Page 57: Dubai Nov08 Erm Gs Khoo

Cash Management (Operational Risk Management) Strategy

Diagram elements: Economic Capital; Enhanced Profitability Strategy (marketing campaign); Liquidity; Performance; Reputation; Cash Pooling; Liquidity Management; Branch Performance; Bank Performance

Page 58: Dubai Nov08 Erm Gs Khoo

Risk-Based Performance Benchmarking (PIT Snapshot)

ERM view (RAROC vs Hurdle)
[Chart: RAROC (%) on the y-axis (0 to 18) for each organization on the x-axis (0 to 12), plotted against the hurdle rate line]

NOTE: Important to have supplementary trending indicator, e.g., ‘Trending RAROC’
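To show why the note above asks for a trending indicator alongside the point-in-time snapshot, here is an added example (not the presentation's own code) that benchmarks each unit's latest RAROC against a hurdle rate and also reports the slope of its recent RAROC series; the hurdle, the unit names and all figures are constructed, and the risk-adjusted return is taken as revenue less cost less expected loss.

```python
# Added example (not from the presentation): point-in-time RAROC benchmarking against a
# hurdle rate, plus the "trending RAROC" supplementary indicator the slide's note asks for.
# RAROC = risk-adjusted return / economic capital, with risk-adjusted return taken here as
# revenue - operating cost - expected loss. All unit figures and the hurdle are constructed.

HURDLE_RATE = 12.0  # hurdle rate in %, constructed


def raroc(revenue, cost, expected_loss, economic_capital):
    """RAROC in percent for one period of one business unit."""
    if economic_capital <= 0:
        raise ValueError("economic capital must be positive")
    return 100.0 * (revenue - cost - expected_loss) / economic_capital


def trend(values):
    """Slope (percentage points per period) of a least-squares line through the series."""
    n = len(values)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2.0
    y_mean = sum(values) / n
    cov = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    var = sum((x - x_mean) ** 2 for x in range(n))
    return cov / var


def benchmark(units, hurdle=HURDLE_RATE):
    """Snapshot (latest period) RAROC versus hurdle, plus the trend, per unit.

    `units` maps a unit name to a list of (revenue, cost, expected_loss, economic_capital)
    tuples, oldest period first.
    """
    out = {}
    for name, periods in units.items():
        series = [raroc(*p) for p in periods]
        out[name] = {
            "raroc": series[-1],
            "above_hurdle": series[-1] >= hurdle,
            "trend": trend(series),
        }
    return out


# Constructed quarterly figures: (revenue, cost, expected loss, economic capital).
UNITS = {
    "Trade Finance":  [(30, 12, 3, 100), (31, 12, 3, 100), (33, 12, 3, 100), (35, 12, 3, 100)],
    "Retail Lending": [(40, 15, 5, 100), (38, 15, 7, 100), (36, 15, 9, 100), (34, 15, 11, 100)],
    "Treasury":       [(20, 10, 0, 100), (21, 10, 0, 100), (19, 10, 0, 100), (21, 10, 0, 100)],
}

if __name__ == "__main__":
    for name, r in benchmark(UNITS).items():
        flag = "above" if r["above_hurdle"] else "below"
        print(f"{name:15s} RAROC {r['raroc']:5.1f}% ({flag} hurdle), trend {r['trend']:+.1f} pp/qtr")
```

Retail Lending in the constructed data was above the hurdle three quarters earlier but is falling by four points a quarter, which the snapshot alone would not reveal.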

Page 59: Dubai Nov08 Erm Gs Khoo

Forward-Looking Scenario Modeling, e.g. Capital-at-Risk/Economic Capital

• Time-horizon usually 1 year
• Confidence level consistent with rating target
– Usually 99.95% or higher
• Whole balance sheet

[Chart: probability of outcome versus value over a 1-year horizon, marking the Current Value, the Expected value and the Worst Case at a level consistent with an AA-rating, with CaR shown as the distance between the Expected and Worst Case values]

In stressed environments, typically greater loss in value, hence leading to credit downgrade
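The chart's CaR reading, worked through as an added example rather than the presentation's own code: given a set of simulated 1-year values, CaR is the expected value minus the value at the 99.95% confidence level, and a stressed environment (lower mean, higher volatility in these constructed distributions) widens that gap.

```python
# Added example (not from the presentation): Capital-at-Risk read off a distribution of
# 1-year value outcomes, CaR = expected value - worst-case value at the chosen confidence
# level (99.95%, the level the slide ties to the rating target). The outcome distributions
# are constructed with a fixed seed and are not bank data.
import random

CONFIDENCE = 0.9995  # from the slide: usually 99.95% or higher


def capital_at_risk(outcomes, confidence=CONFIDENCE):
    """Return (expected, worst_case, car) for a list of simulated 1-year values.

    worst_case is the value such that only (1 - confidence) of the outcomes fall at or
    below it (empirical nearest-rank quantile).
    """
    n = len(outcomes)
    if n == 0:
        raise ValueError("need at least one outcome")
    ordered = sorted(outcomes)
    expected = sum(ordered) / n
    tail = max(1, round((1.0 - confidence) * n))  # number of outcomes in the loss tail
    worst_case = ordered[tail - 1]
    return expected, worst_case, expected - worst_case


def simulate_values(current_value, mean_return, volatility, n, seed):
    """Constructed 1-year value outcomes: current value grown by a normal return."""
    rng = random.Random(seed)
    return [current_value * (1.0 + rng.gauss(mean_return, volatility)) for _ in range(n)]


def compare_environments(current_value=1000.0, n=20000, seed=7):
    """CaR in a normal versus a stressed environment (lower mean, higher volatility)."""
    base = simulate_values(current_value, 0.05, 0.10, n, seed)
    stressed = simulate_values(current_value, -0.05, 0.25, n, seed)
    return capital_at_risk(base)[2], capital_at_risk(stressed)[2]


if __name__ == "__main__":
    base_car, stressed_car = compare_environments()
    print(f"CaR normal: {base_car:8.1f}   CaR stressed: {stressed_car:8.1f}")
```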

Page 60: Dubai Nov08 Erm Gs Khoo

6. How to Achieve Balance on Cost of Compliance

• Back to how risk is perceived with regards to threat, uncertainty and opportunity

• Compliance/Regulatory risk represents an uncertainty that can be managed via:
– connectivity and integration of ERM’s main risk management components,
– the coverage of the risk management process and the contexts under which it is considered

• The critical incorporation of corporate governance into the risk universe (including the audit and compliance assurance to be provided) and the critical success factors of the appropriate risk-and-return balance in providing superior client service and innovative products and solutions are encapsulated in the EWRM framework

• Benchmarking to Key Risk-based Performance Measures & Forward-looking Scenario Analysis

Page 61: Dubai Nov08 Erm Gs Khoo

Post-Implementation: ERM Cycle

Cycle elements: FI Profile; Internal/External Changes; RM Evaluation; Priority System; Supervision; Financial Analysis

Consider Changes to:
• Agency Ratings
• Ownership/Management/Corporate Structure
• Business Strategy/Plan
• CPA Report or Auditor
• Legal or Regulatory Status

Risk-Focused Examination:
• Identify Functional Activities
• Identify/Assess Inherent Risk
• Identify & Evaluate Controls
• Determine Residual Risk
• Establish Procedures and Conduct Evaluation
• Eval Report/Mgmt Letter

Develop Ongoing Internal Supervision That Includes:
• Frequency of Audit
• Scope of Audit
• Meetings with BL, Risk Management
• Follow-Up on Recommendations
• Financial Analysis Monitoring

Priority System Based on Ratios and Analysis to Measure:
• Capital Adequacy
• Asset Quality
• Reinsurance
• Reserves
• Management
• Earnings
• Liquidity
• Sensitivity to Market

Financial Analysis includes:
• Risk Assessment Results
• Financial Analysis Handbook Process
• Ratio Analysis (IRIS, FAST, Internal Ratios)
• Actuarial Analysis

Page 62: Dubai Nov08 Erm Gs Khoo

ERM Value Framework

Value Management – How much Capital do I need?
Risk and Capital Management – What type of capital do I need?

Diagram elements: Portfolio of Enterprise Risks; Portfolio of Capital Resources; Value Creation; Economic Capital; Capital Costs; Return On Risk; Risk Structure; Capital Adequacy

Maximize value by using economic capital to relate a firm’s decisions on the risks it takes to the decisions on the capital it uses to finance its business

Page 63: Dubai Nov08 Erm Gs Khoo

7. Concluding Remarks: EWRM Defined

While the final outcome is a working ERM system, ERM by itself is always a work in progress.

In a dynamic and changing business environment, ERM should be viewed as an evolutionary development and provide for an incremental delivery of products, services and tools that can help an organization manage its risks going forward.

It has to take into account the demands and needs of diverse regulatory drivers like Basel 2, IAS and SOX and yet, be able to aggregate and present the risk-based information in a uniform and simple language, understood by all and to be acted upon for the benefit of the organization.

Page 64: Dubai Nov08 Erm Gs Khoo

Implications of a Good EWRM Implementation

• Enhancing Business Continuity/Endurance
• Enhancing Shareholder Value
• Enhancing Profit & Performance
• Ensuring Enforcement for Regulatory Compliance
• Exploiting Opportunities via Managerial Flexibility with Strategic Planning

Page 65: Dubai Nov08 Erm Gs Khoo

Liquidity & Enterprise Risk Management

1. Identify principal business risks
2. Develop Enterprise-wide Risk Profiles
3. Prioritize Risk Management Plans
4. Identify options for mitigation

Supporting inputs shown on the diagram:
• Envisioning meeting
• Data from past losses; Data from prior studies; Risk mapping
• Insurance; Loss control / mitigation; Risk financing alternatives
• Who decides acceptability of risks? How quickly to resolve? Who implements solutions?

Other diagram elements:
• Criteria for Risk Response Plan: Priority, Response Criteria
• Loss Event, Unit Operations, Actions
• Frequency of Loss: Major, Mod., Minor
• High Risk Loss Exposure for Division 2: Priority, Division, Facility, Unit, Loss Event, Risk, Certainty
• Expected Loss Frequencies for Division 2: Major Loss, Mod. Loss, Minor Loss, Annualized Risk, for Facility 1 to Facility 4
• Risk Contribution for Division 2
• Organization hierarchy: Division 1, Division 2; Facility 1, Facility 2; Unit 1 (Assets, People, Management, Systems)

Page 66: Dubai Nov08 Erm Gs Khoo

“CLICK” Thank You

GS Khoo, PhD
Head, Global Risk (Models Validation)
Standard Chartered Bank
Office: +65 6427 5283
S’pore cell: +65 9825 2148
Email: [email protected]
Or [email protected]