Building out a Robust and Efficient Risk Management

Provided by Alan Cheung,MBA,CFE,CEH

Purpose

• In this workshop training, we will cover the following:

List of key activities related to credit portfolio, risk reporting, credit risk coordination, and market risk

Important elements use to verify the efficiency of credit risk rating systems

Imperfection of measuring risk using Value-at-Risk (VaR) calculation

Credit Risk • Reviewing Credit Portfolio

Evaluate credit monitoring procedures, annual reviews, and risk ratings. Determine all ‘Watchlist’ and non-performing loans book in an entity are properly

monitored. Credit approvals – verifying that credit applications are properly approved and any

subject to the conditions are satisfied. Credit documentation – evaluate the completeness of credit and legal files, as well as

controls over safe keeping of legal and credit documentation.

Structured Product -Credit Derivatives are off-balance sheet financial statements that permit one party to transfer the risk of a reference asset, which it typically owns, to another one party (the guarantor) without actually selling the assets.-Through the use of Credit Derivatives, a financial institution can acquire new credit risk or hedge on existing one. For example, TROR is consist of an agreement by one counterparty to pay the total rate of return on a public by the traded asset, in exchange for stream of payments reflecting LIBOR plus a negotiated spread received from the other counterparty.

Risk Management – Capital Market

Monitoring of risk exposures developed in financial institution with objective of enhancing the overall efficiency of the control framework;

Approve the credit risk (client ratings, transactions, individual credit applications and Global limits) after initial approval by the concerned operational managers;

Collaborate with business lines to develop standardized calculation models for risk exposures in respect of products and trading activities, while taking account of settlement and collateralization effects;

Perform monitoring and reporting for major risks, counterparties on the watch list and provisions;

Operates and/or develops information systems used to calculate and monitor risk exposures in respect of financial institutional and market counterparties.

Market Risks Maintain continuous monitoring (independent from the Front Office)

of positions and risk exposures arising from the Group’s trading activities; verifies that positions and exposures are within set limits;

Establish the appropriate set of limits, approval and escalation process;

Define methodologies (VaR, sensitivity, stress testing, …etc.), validates valuation models, verifies market parameters, establishes risk monitoring procedures and determines reserves;

Defines the functionalities and supervises the development of databases and information systems used to measure market risk;

Generate consolidated view of reporting for regulatory authorities (e.g. FBNY, FSB) in respect of capital requirements for market risk and counterparty risk. It is important to have continuously monitoring and ensuring the reliability of reporting.

Credit Risk Rating Systems and Capital Requirements

Implementation and enforcement of governance rules for the Group’s credit risk rating system:

Development of cross-disciplinary models for use by multiple Business Divisions;

Standardization and validation of methods and models used within the Group; and,

Establishment of performance reporting on the internal rating system. Definition and functionality of methodology for calculation of economic and

regulatory capital for various categories of risk (e.g. credit, operational). Definition of methods for the measurement of capital by risk exposures, Facilitation and contribution to various project initiatives within the Risk Group

for capital measurement (stress testing, portfolio analysis,…etc.) Definition of related key processes

Determine key requirements (e.g. tools & process models) and regulatory constraints,

Coordinates and facilitates between Operations, Model, and Risk teams, projects to create or upgrade processes, notably including efforts to use risk management modelling in banking environments.

Support for Management Efforts

Establish a working group led by Operational Risk to coordinate the Firm’s response to a ‘potential’ risk event;

Incorporate key infrastructure areas (e.g. Financial Risk Management, Operations and Independent Validation team/Product Control);

The aim of the working group is to identify and review key controls on a firm-wide basis, encompassing;

The substance of existing reports, and their approval and escalation procedures; Existence of any large positions; and, Other areas which may be subject to this type of activity.

The Board Risk Management Committee should request that IAD undertake issues assurance of any remedial activities of the working group. In addition, IAD will provide management any information required as a result of previous audits and issues assurance work.

Imperfection of Value at Risk (VaR)Below is a summary of proposed audit coverage for trading desk across business units globally

due to imperfection of measuring risk using VaR calculation.

Business Area Parameters Comments

Daily Calculation of VaR (not monthly)

PricesCorrelation measures

Greek scenarios

Prices and correlation may not always be available on

the open markets

Counterparty Risk Analysis

Credit Default swaps

Credit Spread

Recovery rate

Must not exceed specific thresholds

Trend AnalysisMTM on

exposureDashboards

Reference on CBOE

Determine if the patterns are aligned with the

business line strategies and risk appetite

ValuationIncome

Attribution

Independent Price

Verification

Pricing Models

All price changes/inputs must be reflected

accurately to the P&L with support.

Market Risk Limits Limits ThresholdsChange

Management

Determine the limit breaches are increasing

exposure bets.

Risk Management – Credit & Market Risks

What uniquely distinguishes large financial institutions from other companies is their role in risk transfer and risk management.

As Walter Wriston famously said: “…managing risk … is the business of banking.”

Attributed to Walter Wriston, ex-CEO and Chairman of CitiCorp by the Economist in 1993 (“Survey of International Bankers: A comedy of errors” April 1993) though other sources also attribute the quote to John Pierpoint Morgan.

Market Risk Credit RiskThe bank’s assets are mostly invested in loans and securities (about 90% of average assets). These loans and securities have differing interest rate structures – some are fixed and some are floating. They also have different set of maturities.

The bank’s liabilities, deposits and borrowings also have differing maturities and interest rate characteristics. If the bank’s (asset-based) interest income structure is not properly aligned with the (liability-based) interest expense structure, the result is interest rate risk.

Market risk involves calculating risk that the value of a portfolio, either an investment portfolio or a trading portfolio, will decrease due to the change in value of the market risk factors.

Credit risk involves going through the financials of the clients and analyzing them with debt ratios ...etc. to determine credit quality.

Market risk focuses more on the trading desk's activities and stress testing/sensitivity analysis of current and prospective trades.

Credit risk involves looking at the financial statements of the company and analyzing their industry (e.g. Issuer credit risk requires a detailed understanding of how cash flows through a company and how leverage affects company health).

Market risk is typically measured over very short time periods (daily).

Credit risk is typically measured over a long time horizon (annually).

The five “C’s” of Credit - Capital, Capacity, Conditions, Collateral, and Character.

Key Differences between Market Risk vs. Credit Risk

http://Independentaudit.com

Risk Management

Challenges in Credit and Market Risk Areas

• The front office has sometimes breach assigned limits – this is particularly important because banks and large financial institutions have historically operated some proprietary trading or principal trading businesses which required close supervision given the risks being taken.

• Losses in the US structured credit business suggest that the business did not fully assess the risk taken on (although the market volatility was unusually high).

• The real estate portfolio in certain business units, for example, in Portugal, Ireland, Greece, and Spain, became overly leveraged and concentrated in property and construction.

• Missing the appropriate monitoring and escalation process for timely alerts and awareness of the potential limit breaches to senior management.

• Lack of senior management oversight and governance over market risk stress testing.

• Incomplete review of stress methodologies, including VaR and Non-VaR type.

• Data integrity and manual intervention processing.

http://dilbert.com

Risk Management

How management should address Credit and Market Risks?

Reinforcing the risk culture and business ownership of risk and embedding the risk appetite

Define the process for managing the control environment (e.g. create an internal control and assurance framework and key risk policies)

Provide a common language of risk terminology

Assign accountability for risks

Focus on ensuring the framework covers all risk types and articulates responsibilities

Strengthening the control functions

Audit Considerations on Credit and Market Risks

Development of a formal risk appetite process for financial risks The establishment of authorities, limits and governance (e.g. policies

and procedures) Develop credit portfolio analytics Joint sign-off between market and credit risk Integrated daily Value at Risk (VaR) production Stress testing Reporting/Escalation

Risk Management: Challenges and Opportunities

• Internal Audit Resources‒ Training the auditors‒ Recruiting subject matter expertise, e.g., model risk experts, quants, actuaries‒ Using Data Analytics

• Increasing and changing regulatory expectations

• Blurring of the 1st and 2nd Line – Risk Management as a process owner

• Risk Management as an assurance partner

• Risk Convergence vs. Auditor Independence

• Beyond looking at the controls

• Internal Audit as the 3rd Line of Defense - Effective Challenge

• Be relevant