ERM and internal controls- A dovetailed relationship Mr. Ravi Varadachari November 17, 2008.
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
• Setting the stage
• The changing landscape
• Key to Enterprise Risk Management
• Deep dive into ERM and Internal Controls
• Recommendations and Conclusions
© 2008 Oracle Corporation – Proprietary and Confidential
Enterprise Risk Management
• Financial institutions are exposed to a variety of risks like financial risk, economic risk, geo-political risk and societal risk.
• Traditionally, the focus has been on understanding and managing the financial risk.
• Enterprise Risk Management is a mechanism to have a holistic view of all the risks that a financial institution is exposed to at the right level of granularity.
Risk categories in the holistic view: Economic Risk, Societal Risk, Financial Risk, Technological Risk, Geopolitical Risk.
Financial risk comprises:
• Market risk
• Credit risk
• Operational risk
• Liquidity risk
• Interest rate risk
• ALM (asset-liability management)
• Concentration risk
Global risks
Economic
• Oil price shock/energy supply interruptions
• US economy
• Chinese economic hard landing
• Fiscal crises caused by demographic shift
• Blow up in asset prices/excessive indebtedness
Geopolitical
• International terrorism
• Proliferation of weapons of mass destruction
• Civil wars and failed and failing states
• Retrenchment from globalization
• Middle East instability
Technological
• Breakdown of critical information infrastructure
• Emergence of risks associated with nanotechnology
Societal
• Pandemics
• Infectious diseases in the developing world
• Chronic disease in the developed world
• Liability regimes
Financial
• Market risk
• Credit risk
• Operations risk
• Liquidity risk
• Interest rate risk
• Concentration risk
Changing Landscape of Risk
• Financial Crisis Experienced by Banks/Financial Institutions
• Increase in “Rare Events”
The current financial crisis
16th Mar ’08 – Bear Stearns
• Bear Stearns gets acquired for $2 a share by JP Morgan Chase in a fire sale, avoiding bankruptcy.
7th Sept ’08 – Fannie Mae & Freddie Mac
• Federal takeover of Fannie Mae and Freddie Mac was based on a growing concern about the liquidity of the firms.
• These two companies back up nearly half the country’s mortgages.
15th Sept ’08 – Lehman Brothers
• Liquidity crisis forced Lehman Brothers to file for bankruptcy.
17th Sept ’08 – AIG
• The US Federal Reserve loans $85 billion to American International Group (AIG) to avoid bankruptcy.
25th Sept ’08 – Washington Mutual
• Liquidity crisis due to a 10-day bank run forced the OTS (Office of Thrift Supervision) to place the bank under the FDIC.
• The banking assets were sold to JP Morgan Chase.
29th Sept ’08 – Wachovia Bank
• Wachovia Bank was acquired by Wells Fargo.
• The bank was invested heavily in adjustable-rate mortgages and faced severe losses.
The Global Story …
14th Sept ’07 – Northern Rock Bank, UK
• The UK’s fifth largest mortgage lender sought financial support from the Bank of England. The bank was taken into state ownership/nationalized.
• This was on account of the global credit crunch triggered by the sub-prime mortgage crisis in the US.
18th Sept ’08 – HBOS, UK
• HBOS was taken over by Lloyds Bank TSB.
• The share prices suffered heavy fluctuations on account of short selling and rumors of a credit crunch.
29th Sept ’08 – Bradford & Bingley, UK
• The share prices of the bank fell on account of the credit crunch.
• The bank was nationalized and the Spanish banking group Santander acquired all the savings bank assets.
29th Sept ’08 – Fortis Bank, Belgium
• The bank was partially nationalized by the European Central Bank.
• The share prices fell dramatically on account of rumors of insolvency.
• Can be attributed to the sub-prime mortgage crisis in the US.
The Black Swan Phenomenon
“No amount of observations of white swans can allow the inference that all swans are white, but the observation of a single black swan is sufficient to refute that conclusion.”
What is a Black Swan?
• It is an event
• Hard to predict based on historical data
• After the event, many people saw it coming
Stress testing models must assume black swan events to ensure greater predictive power.
The London “Millennium Bridge” Incident
[Photographs of the bridge – Architect Lord Norman Foster]
Source: http://www.urban75.org/london/
Key to effective Enterprise Risk Management
How do we address ERM?
• Risk measurement and management
  • Regulatory capital
  • Economic capital
  • Risk based pricing and compensation
  • Stress testing
• Internal controls and mechanisms
  • Strategy
  • Governance
  • Organization structure
  • Processes, Policies and Procedures
Regulatory, Economic and Book Capital
Regulatory Capital: capital that banks are required to hold by their regulator
“The amount of capital a bank must have to stay in business”
Under the Basel II framework – computed based on a prescriptive formula for credit risk
Economic Capital: capital that is required commensurate with the risk profile of the bank
“The amount of capital a bank should have”
Various models to estimate economic capital – stochastic view
Endeavor is to use it for business decisions
Book Capital: capital that a prudent bank would choose to hold
“The amount of capital that a bank has on its books”
Economic book value – different from the accounting concept of book value
Concept of risk appetite
Capital Management – Framework for Capital Estimation
Total Capital is built up from: Credit Risk Capital, Market Risk Capital, Operational Risk Capital and Risk Capital for other risks.
Key Differences – EC and RC
Success condition: EC – doing it right; RC – doing it right and demonstrating that “we have done it right”
Auditability: EC – lower focus on auditability; RC – high focus on auditability
Frequency: EC – continuous process; RC – monthly/quarterly/year-end focused
Objective: EC – focus on deriving numbers useful for business decisions; RC – focus on “dotting the i’s and crossing the t’s”
Will RC Converge with EC?
Uniformity – Regulatory capital should be based on similar principles, while economic capital can be different
Simplicity – Regulatory capital methods need to be simple, while economic capital models can be sophisticated in tune with the underlying business
Conservatism – Regulatory capital would be more conservative than economic capital methods
Substantial “Distance to Travel” before convergence!!
Risk Adjusted Performance Evaluation
The accounting notion of return on assets (ROA) has long been used as a bank-wide performance metric.
The shareholders’ perspective is brought in by using return on equity (ROE) instead of ROA.
Both of the above performance metrics have two shortfalls, namely:
• The measures do not take into account “risk”
• These measures can only be applied at a bank-wide level and not for individual business lines
Risk adjusted performance metrics were hence developed to counter the above shortfalls. Bankers Trust, a commercial bank, came out with the concept of RAROC (Risk Adjusted Return On Capital).
Where:
“Expected Loss” is the mean of the loss distribution associated with the portfolio/business line
“Capital” is the capital deployed for the portfolio/business line; it is mostly understood as the “Economic Capital” for the portfolio/business line, and the “Income from Capital” is the additional income generated by investing that capital
Stress testing – Key to Capital Management
• Demanded as part of Pillar II by most regulators
• Estimation of capital under Pillar I assumes “Steady State” and the estimate may be “point-in-time” as opposed to a range based on economic cycles (through-the-cycle rating)
• The requirement of capital under “stressed conditions” and “unfavorable events” needs to be understood
• Stress testing can be used to check if the “capital buffer” is sufficient under the conditions described
• Regulators are concerned about procyclicality that may exacerbate an economic crisis further – stress testing may be a solution
• Rigor in methodology to be demonstrated
Regulatory Expectation
Regulator: Basel II
Prescription:
• Basel II Pillar 1: Paragraphs 435–437 highlight requirements for stressing risk parameters like PD, LGD & EAD under downturn economic conditions. Stress testing is to include the impact of a deterioration in the credit quality of the protection providers.
• Basel II Pillar 2 Principle: Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.
“In assessing capital adequacy, bank management needs to be mindful of the particular stage of the business cycle in which the bank is operating. Rigorous, forward-looking stress testing that identifies possible events or changes in market conditions that could adversely impact the bank should be performed.”
Regulator: NPR
Prescription: Supervisors expect that banks will manage their regulatory capital position so that they remain at least adequately capitalized during all phases of the economic cycle.
• A bank may choose to have scenarios apply to an entire portfolio, or it may identify scenarios specific to various sub-portfolios.
• The severity of the stress scenarios should be consistent with the periodic economic downturns experienced in the bank’s market areas.
• The scope of stress testing analysis should be broad and include all material portfolios.
• The time horizon of the analysis should be consistent with the specifics of the scenario on key performance measures.
Regulatory Expectation: CRD – FSA – BIPRU
Regulator: FSA Guidelines, CP06/3
Prescription:
“A firm must have in place sound stress testing processes for use in the assessment of its capital adequacy. Stress testing must involve identifying possible events or future changes in economic conditions that could have unfavorable effects on the firm’s credit exposures and assessment of the firm’s ability to withstand such changes.”
FSA Guidelines, CP06/3
“The CRD requires firms to perform this stress-test but is silent on what they should do with the results. CP05/3 (BIPRU) made the superequivalent proposal that the amount that results from the stress-test be held as an additional capital requirement. In response to the feedback to CP05/3, we now propose that the stress-test be used as the starting point of a discussion with firms as to whether they have adequate contingency plans to manage their capital (relative to their Pillar 1 capital requirements) through a recession (now defined as a recession roughly equal in severity to the early 1990s recession).”
Design of Stress Tests – Critical
• Based on past events (9/11, market crash of 1987, financial crisis of 2008)
• Plausible scenarios/identification of a set of appropriate risk factors in the specific context of the portfolio:
  • Realistic
  • Corresponds to the approach and portfolio of exposures
  • Informative and valuable to risk management objectives
• Design of “Perfect Storms”: simultaneous occurrence of multiple events/scenarios
• Bottom-up: stressing PDs, transition matrices, top ten accounts
• Top-down: stressing GDP and other macroeconomic variables
Integrating Internal Controls
• Internal control is a process, effected by an entity’s board of directors, management and other personnel, and designed to encompass the following key elements:
  • Strategy
  • Governance
  • Organization structure
  • Policies, procedures and processes
ERM frameworks for internal control
• UK - The Combined Code (2003) and Turnbull (2005)
• US – Committee of Sponsoring Organizations (COSO) ERM (2004)
• Australia/New Zealand 4360 Standard on Risk Management 1999, 2004
• South Africa– King II Report (2002)
• Federation of European Risk Management Association (FERMA) (2004)
• Basel II (2004)
The COSO ERM framework
The eight components of the ERM framework:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Notes:
• The eight components of the framework are interrelated.
• It considers activities at all levels of the organization.
• The objectives can be viewed in the context of four categories: Strategic, Operations, Reporting, Compliance.
• A strong system of internal control is essential to effective enterprise risk management.
Six principles for effective ERM implementation
• Ensure Top Management Commitment
• Holistic view of risk management, compliance and controls
• Bridge the Islands
• Ensure Data Quality
• Design an Appropriate Technology Architecture
• Cost-benefit analysis
1. Management Commitment
Management must see the benefits of compliance; otherwise it will be treated as a cost of doing business.
Source: www.cartoonbank.com
2. Holistic view
IFRS / IAS 32, 39
• Harmonizing & upgrading of accounting standards
• Valuation methodology
• Disclosure & presentation of financial statements
COSO Framework
• ERM program
• Risk assessment and response
• Internal control
• Monitoring and reporting
SOX Section 404
• CEO / CFO certification on accuracy & reliability of financial statements
• Management assessment & auditor attestation
Basel II – Credit, Market & Operations Risk
• Capital adequacy
• Supervisory review and market disclosure
• Improved risk management
Overlaps between the regimes:
SOX & IFRS / IAS 32, 39
• Internal controls over recording, validating & accounting
• Presentation, disclosure & financial reporting
Basel II Credit, Operations & Market Risk & IFRS / IAS 32, 39
• MTM / valuation of assets, instruments, collaterals
• NPA & default definition
• Hedging treatment
• Reconciliation of risk & finance data
SOX & Operational Risk
• Risk & control identification & assessment
• Key Risk Indicators
• Scenario & risk management
• Reporting
AML & Operational Risk
• AML operational process
• Surveillance & detection of suspicious transactions
• Scenarios
• Reporting
3. Bridge the Islands …
Traditional Approach – risk handled in separate islands: Compliance, Audit, Legal, Corporate Communications, Facilities Mgt, HR, Security, BDRP, Controllers, Customer Service, IT Security, Insurance, Individual LoB Mgt
Enterprise Wide Approach:
• Line of Business – primary responsibility for OR
• OpRisk Function – facilitator and validator
• Internal Audit – independent validation
• External Audit, Regulators
• Specialist Departments – Legal, Compliance, HR, Insurance…
4. Ensure Data Quality
Source: www.cartoonbank.com
5. Appropriate technology architecture
Capability layers shown on the architecture diagram (axes: Technology Sophistication, Risk Management Sophistication, Coverage):
• Controls
• Assessment
• Monitoring
• Exposure Measurement
• Loss Estimates
• Capital Computation
• Capital Allocation/Attribution
• Performance Management
6. Cost Benefit Analysis
Source: www.cartoonbank.com
Potential benefit and cost
Wall Street fines (Source: Forbes – Wall Street Fine Tracker):
2002: 2.95 billion USD
2003: 4.21 billion USD
2004: 4.53 billion USD

Illustrative balance sheet and returns over time (successive periods, left to right):
Capital                        10     10     10     10
Borrowings                     90    100    110    120
Total assets                  100    110    120    130
Average cost of borrowings     4%     4%     4%     4%
Average yield on loans         7%     7%     7%     7%
Average costs                  1%     1%     1%     1%
Interest Income               7.0    7.7    8.4    9.1
Interest Expenses             3.6    4.0    4.4    4.8
Other Expenses                1.0    1.1    1.2    1.3
Net Income                    2.4    2.6    2.8    3.0
Return on Equity              24%    26%    28%    30%
Substantial impact on RoE and profitability in the long term
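The table above shows RoE climbing as borrowings grow against a fixed capital base. The Python below is an added illustration, not code from the original slides: it reproduces the table’s P&L lines from the assumptions the slide implies (all assets earn the average yield, only borrowings carry the cost of funds, other costs scale with total assets) and also reports the capital-to-assets ratio, which the slide leaves implicit and which shrinks as leverage rises. The function names and that reading of the slide’s assumptions are mine.

```python
"""Leverage and return on equity: reproduces the four-period table from the
slide and adds the capital ratio that the higher RoE is bought with.

Added example, not part of the original deck. Figures (capital 10, borrowings
90..120, 4% cost of funds, 7% yield, 1% other costs) are the slide's constructed
values; the modelling assumptions below are my reading of that table.
"""


def period_pnl(capital, borrowings, cost_of_borrowing=0.04,
               yield_on_loans=0.07, other_costs=0.01):
    """P&L and ratios for one period.

    Assumptions (matching the slide's arithmetic):
      - total assets = capital + borrowings, all deployed at the average yield
      - only borrowings carry the average cost of borrowings
      - other expenses are a fixed percentage of total assets
    """
    total_assets = capital + borrowings
    interest_income = yield_on_loans * total_assets
    interest_expense = cost_of_borrowing * borrowings
    other_expenses = other_costs * total_assets
    net_income = interest_income - interest_expense - other_expenses
    return {
        "total_assets": total_assets,
        "interest_income": round(interest_income, 2),
        "interest_expense": round(interest_expense, 2),
        "other_expenses": round(other_expenses, 2),
        "net_income": round(net_income, 2),
        "roe": round(net_income / capital, 4),
        # Two views of the same leverage: assets per unit of capital, and the
        # capital buffer as a share of the balance sheet (not on the slide).
        "leverage": round(total_assets / capital, 2),
        "capital_ratio": round(capital / total_assets, 4),
    }


def roe_series(capital, borrowings_by_period, **kwargs):
    """Run period_pnl for each period's borrowings with capital held fixed."""
    return [period_pnl(capital, b, **kwargs) for b in borrowings_by_period]


def render_table(rows):
    """Plain-text table in the layout of the slide, plus the capital ratio."""
    lines = []
    spec = [
        ("Total assets", "total_assets", "{:>6.0f}"),
        ("Interest Income", "interest_income", "{:>6.1f}"),
        ("Interest Expenses", "interest_expense", "{:>6.1f}"),
        ("Other Expenses", "other_expenses", "{:>6.1f}"),
        ("Net Income", "net_income", "{:>6.1f}"),
        ("Return on Equity", "roe", "{:>6.0%}"),
        ("Capital / assets", "capital_ratio", "{:>6.1%}"),
    ]
    for label, key, fmt in spec:
        lines.append(f"{label:<20}" + "".join(fmt.format(r[key]) for r in rows))
    return "\n".join(lines)


if __name__ == "__main__":
    # The slide's four periods: capital flat at 10, borrowings rising by 10.
    print(render_table(roe_series(10, [90, 100, 110, 120])))
```

Running the block prints the slide’s rows plus a capital/assets line falling from 10.0% to 7.7%: the same leverage that lifts RoE from 24% to 30% thins the buffer that stress testing is meant to size.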
Thank you
Mr. Ravi Varadachari
Practice Leader – Risk Management & [email protected]
+1 917 502 9480