1
Enterprise Risk Management – Global Best Practices David Millar Chief Operating Officer The Professional Risk Managers’ Association
2
Stan Monsowitz & FT Knowledge
Agenda
Definition of ERM
The risks that make up ERM
Standard ERM frameworks
Some case studies
The components of risk
Risk architectures
The benefits of ERM
Implementation issues
Some more case studies
Ten questions for best practice ERM
3
A definition of ERM
“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
COSO Standards
4
Breakdown – “a process”
Procedures, a framework, a set of standards, rules, etc. governing activities and implementing controls
Involves many (possibly all) employees in an entity (company)
Is written down somewhere and must be kept up to date
There will be a person (not persons) ultimately responsible for the processes, i.e. Head of Group Risk, Chief Risk Officer
Involves communication (in both directions) as well as activities
Needs to be managed, monitored and, increasingly so, reported to the regulators and disclosed to the public.
5
Breakdown – “in a strategy setting”
[Diagram labels: Project risk; Enterprise risk; ERM view, i.e. complex dependencies]
6
Breakdown – “across the enterprise”
A single view of risk across the entire company or group
[Diagram labels: Bank; TV; Farming; Oil; Shipping]
7
Breakdown – “identify potential events” “manage risks”
[Diagram: loss curve with axes labelled % and $, marking Expected Losses, Unexpected Loss (but identified risk) and “Tail” data]
[Process labels: Categorise; Identify; Assess; Consolidate; Monitor; Mitigate; OR Model; Record; Evaluate; Report; Disclose]
8
Breakdown – “risk appetite” “reasonable assurance”
Business strategy = risk x benefit (both need to be identified)
100% risk-free is neither expected nor beneficial
Risk appetite needs to be agreed at board level and documented
An entity needs to identify risks (and their probability) and have a strategy to survive these events
Risk is a commodity and can be hedged
Risk can be covered internally
Risk can be insured externally
The requirement is to be able to apply measures
9
The risks that make up ERM
10
What risks are included in ERM
[Diagram: risks arranged around ERM by whether they are included: Definitely, Probably, Maybe …]
Risks shown: Strategic; Credit; Market; Operational; Local disaster; Political / terrorism; External fraud; Mismanagement; Legal; Regulatory; Technology; Human Resources; Reputational; Material supplies; Energy supplies; Share liquidity; Internal fraud; Weather; Political / government; Global disaster; Ethical
11
Measure risk where possible ….
Example of the relative losses due to risk events measured in a European bank. Note that reputational and strategic losses have not been attributed or measured.
[Chart values: 1.23%; 4.76%; 28.43%; 38.09%; 27.49%]
Note: In this example, ALM Risk is classified as Interest Risk and Liquidity Risk across the balance sheet. Market risk is Pricing & Currency Risks only.
Source: Diagram - WestLB, March 2004, Ratio - DM
12
… even if not apparently possible
You may not have:
Overall probability = 0.15%, Probability in this unit = 0.27%
Average impact = $49,500, Maximum loss = $346,350
But you can have:
Probability = very likely
Effectiveness of this unit = moderate
Impact = serious
Losses = in range $200,000 to $500,000
Enough to create a traffic light system
13
Some initial definitions – strategic risk
Strategic risk creates adverse impact on an entity, its earnings or capital derived from: adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes.
It involves an entity’s strategic goals, the strategies to achieve those goals, the resources available and the quality of implementation.
Resources include communication channels, operating processes, delivery networks, and managerial capacity and capability.
These are evaluated against the impact of regulatory, economic, technological, competitive, and environmental changes.
14
Financial risk
Credit risk: The risk that a counterparty to a financial obligation will default on repayments linked to the obligation.
Market risk: The risk that investments will lose value based on the daily fluctuations of the market of share prices, currency rates and interest rates.
Liquidity risk: The risk that arises from the difficulty of selling an asset. The difference between the book value of the asset and the likely price to be obtained. What about physical assets such as plant and property?
ALM risk: A risk? I believe that Asset & Liability Management is not a risk but a framework of financial management of risks comprising the above three risks.
15
Operational risk
Operational risk: The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, including legal risk but excluding strategic and reputational risk.
Internal fraud - intentional misreporting of positions, employee theft, and insider trading on an employee’s own account.
External fraud - robbery, forgery, cheque fraud and computer hacking.
Employment practices - compensation claims, violation of health and safety rules, organised labour activities, discrimination claims, and general liability.
Clients, products, business practices - breach of trust, misuse of information, improper activities, money laundering, and sale of unauthorised products.
Damage to physical assets - terrorism, vandalism, earthquakes, fires and floods.
Business disruption and system failures - hardware and software failures, telecommunication problems, and utility outages.
Execution, delivery and process (middle) management - data entry errors, handling failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance, and vendor disputes.
From - Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk, February 2003
16
Other risks
Regulatory risk: The risk of penalties, restrictions on business or closing of business due to failure to adhere to regulatory requirements – less a risk, more a symptom, or a control
Government risk: Impact of political changes on the business – strategic risk?
Technology risk: Choosing the wrong technology, failing to anticipate new technology, falling behind competition – in strategy risk?
Legal risk: Risk from uncertainty due to legal actions or uncertainty in the applicability or interpretation of contracts, laws or regulations – usually included in operational risk
Human Capital risk: Lack of resources, lack of the right resources – could be in operational or strategic risk
Supplies failures risk: Lack of raw materials, or geological developments for mining organisations – where does this go in the risk scenario?
Project risk: A combination of risk types applied to a single project – can be a subset of ERM at a low level for a fixed time.
Reputational risk: Corporate name, brand image, “word of mouth” – impact on public and analysts – include “ethical risk”?
17
Some case studies
18
Shell (2003-4)
Shell are quoted on both Dutch and UK exchanges and on the NYSE (via ADRs), as Shell Transport & Trading and Royal Dutch Petroleum.
Shell overstated its proven oil reserves from 1998 to 2004 by up to 25%. Management were rewarded on the basis of reserves quoted.
The misrepresentation could no longer be hidden in the accounts and directors of Shell began to worry about the Sarbox implications.
The FSA and SEC indicated in 2001 that they were unhappy about the figures. Shell said their views were “immaterial or overly pessimistic”.
Shell have now been found to have committed “market abuse” including the release of false data leading to inflated share prices.
Shell are fined $140M and have to put in extensive controls to prevent a repeat. There are criminal proceedings against individuals.
There is market concern that other oil companies have been doing the same. This will also impact the ratings of the sovereign oil countries.
A controls loss which will impact on share price.
19
Metallgesellschaft (1993)
A metal company, owned by Deutsche Bank, Allianz/Dresdner, Daimler-Benz and the Kuwait Investment Authority, which moved into risk management services and energy derivatives.
It sold 10 year oil contracts at fixed prices over spot with an option to terminate early if the NYMEX price > MG selling price. MG then paid half the difference between the futures price and the MG prices.
It managed this through volume dealing and a hedging strategy. Studies have shown this strategy was mathematically valid.
It failed as the size of the deals impacted the market, causing liquidity issues and creating cash flow problems.
US (then) accounting rules allowed hedge proceeds to be netted; German rules did not, creating a poor balance sheet which affected credit rating and reputation.
The Management and Supervisory Boards pleaded ignorance of the situation.
MG announced losses of $1.5 billion at the end of 1993.
20
Citigroup (2004)
August 2nd - a quiet Monday holiday period in Europe.
Citigroup traders started dumping European government bonds - €11B worth of sell orders in 2 minutes in 100 bonds on 11 markets using 13 trading platforms.
The trading platforms were swamped - prices fell rapidly.
An hour later, Citigroup attacked again, buying €4B of bonds cheaply. This trading coup netted the bank €15M+.
Citigroup did nothing wrong. However the market (Citigroup’s counterparties) claim they broke a gentleman’s agreement for orderly trading in government bonds, governments (Citigroup’s clients) are angered that their bond prices have fallen overall and their trading platforms were trashed.
Citigroup claim high ethical values. The market would disagree.
This may have cost Citigroup more than the €15M profit in lost fees.
21
Standard risk frameworks
22
Risk frameworks
[Diagram: Enterprise Risk, drawing on risk assessments, indicators, controls and events data]
Categories shown: Financial Risks; Operational Risks; Other Risks; Strategic & Regulatory Risks
Risks shown: Credit; Market; Pricing; Interest Rate; Liquidity; ALM; Operational; Disaster; Fraud; Terrorism; Project; Supplies failure; Legal; Technology; Government
23
Enterprise Risk Framework
Enterprise risk frameworks:
… are the consolidation of many lower level, risk area specific risk frameworks - many of these will already be in existence (credit risk, project risk, ALM)
… can be built (and should be so planned) over time
… should be structured to suit individual need (business, regulations, share structure)
… must not detract from, and must work in harmony with, current and local risk framework solutions
Do not get obsessed with quantification over qualification.
There are no complete pre-packaged solutions but a number of established ERM frameworks.
Globally, most are building their own framework from scratch around established software packages or are modifying / expanding the COSO standards.
24
The COSO Framework
The Treadway Commission (1987) recommended that public companies must be able to “identify, understand, and assess the factors that may cause its financial statements to be fraudulently misstated”.
This was not enacted (lots of US lobbying) but a control framework was developed entitled "Committee of Sponsoring Organizations Internal Control - Integrated Framework" (COSO) – released in 1992.
COSO ERM project launched in 2001, builds on COSO Internal Control Framework, consists of framework and application guidance. Draft released in 2003 and full version released in August, 2004.
The SEC rule-making for Sarbanes-Oxley Section 404 mandated that a company’s internal control over financial reporting be based on a recognized internal control framework.
The COSO framework was suggested by the SEC but they will accept locally-approved risk frameworks from overseas if they match COSO.
25
The COSO structure
Allows structured risk management
Is enterprise-wide
Allows objectives to be assessed with different criteria
Allows controls to be looked at from different perspectives
Source: 2003 COSO Draft
26
Reference – for later reading
The COSO Components
Internal Environment: Lays down a philosophy and culture (unexpected as well as expected events), considers all activities.
Objective Setting: Enables management to consider risk appetites, policies and tolerances when setting objectives.
Event Identification: Identifies risks and opportunities. Concentrates on internal and external risks that affect objectives.
Risk Assessment: Looks at impact and likelihood – qualitative and quantitative measures – inherent and residual risk.
Risk Response: Identifies and evaluates possible responses – costs v. benefits – impact of responses.
Control Activities: Common standard throughout organisation – ensures policies are adhered to and responses carried out.
Information & Communication: Provides top level information – communicates events and impact up, down and across the organisation.
Monitoring: Monitors effectiveness against agreed measures – evaluates responses – allows scenario testing.
Source: 2003 COSO Draft
27
Reference – for later reading
The COSO Control Model
CONTROL ENVIRONMENT: Integrity and Ethical Values; Commitment to Competence; Board of Directors/Audit Committee; Management Philosophy and Operating Style; Organization Structure; Assignment of Authority and Responsibility; Human Resource Policies and Practices
RISK ASSESSMENT: Entity-Wide Objectives; Activity-Level Objectives; Risk Identification; Change Management
CONTROL ACTIVITIES: Top Level Reviews; Direct Functional or Activity Management; Information Processing; Physical Controls; Performance Indicators; Segregation of Duties; Controls Over Information Systems; Data Centre; Application Development & Maintenance; System Software; Access Security; Application Controls
INFORMATION AND COMMUNICATION: Information; Communication
MONITORING: Ongoing Monitoring; Separate Evaluations; Reporting Deficiencies
28
AS/NZS 4360-1999 The world’s first ERM standard?
Australia New Zealand Standard 4360 : volumes (from AUD$ in pdf format) Risk Scoring – Consequence x Likelihood Risk Assessment - Qualitative and / or Quantitative Updated Sept ’04 – to include risk opportunity features
29
Reference – for later reading
AS/NZS – Contents
1 Scope and general
2 Risk management process overview
3 Communication and consultation: 3.1 General; 3.2 What is communication and consultation?; 3.3 Why communication and consultation are important; 3.4 Developing a process for communication and consultation
4 Establish the context: 4.1 Context; 4.2 Objectives and environment; 4.3 Stakeholder identification and analysis; 4.4 Criteria; 4.5 Consequence criteria; 4.6 Key elements; 4.7 Documentation of this step
5 Risk identification: 5.1 Aim; 5.2 Components of a risk; 5.3 Identification process; 5.4 Information for identifying risks; 5.5 Approaches to identifying risks; 5.6 Documentation of this step
6 Risk analysis: 6.1 Overview; 6.2 Consequence and likelihood tables; 6.3 Level of risk; 6.4 Uncertainty; 6.5 Analysing opportunities; 6.6 Methods of analysis; 6.7 Key questions in analysing risk; 6.8 Documentation of the analysis
7 Risk evaluation: 7.1 Overview; 7.2 Types of evaluation criteria; 7.3 Evaluation from qualitative analysis; 7.4 Tolerable risk; 7.5 Judgement implicit in criteria; 7.6 Evaluation criteria and historical events
8 Risk treatment: 8.1 Introduction; 8.2 Identify options; 8.3 Evaluate treatment options; 8.4 Selecting options for treatment; 8.5 Preparing treatment plans; 8.6 Residual risk
9 Monitoring and review: 9.1 Purpose; 9.2 Changes in context and risks; 9.3 Risk management assurance and monitoring; 9.4 Risk management performance measurement; 9.5 Post-event analysis
10 Recording the risk management process: 10.1 Overview; 10.2 Compliance and due diligence statement; 10.3 Risk register; 10.4 Risk treatment schedule and action plan; 10.5 Monitoring and audit documents; 10.6 Incident data base; 10.7 Risk Management Plan
11 Establishing effective risk management: 11.1 Policy; 11.2 Management commitment; 11.3 Responsibility and authority; 11.4 Resources and infrastructure; 11.5 Culture change; 11.6 Monitor and review risk management effectiveness; 11.7 The challenge for leaders - Integration; 11.8 The challenge for managers - Leadership; 11.9 The challenge for all - Continuous improvement; 11.10 Key messages and questions for managers
12 References: 12.1 Standards and Handbooks; 12.2 Further reading
30
Reference – for later reading
Other Frameworks
The UK’s Turnbull Committee’s 1999 report was updated in
The Canadian Institute of Chartered Accountants created the Criteria of Control (CoCo) Board, now the Risk Management and Governance Board, and published the CoCo Guidance on Control (1995).
The Association of Insurance & Risk Managers, The Institute of Risk Management and The National Forum for Risk Management in the Public Sector have created a Risk Management Standard for their members. Available free at their websites.
The King Committee on Corporate Governance (King II) from South Africa. Copies for R 600 plus postage – from
Another available standard is that from the UK's Treasury Department. This is available from treasury.gov.uk/media/3/5/FE66035B-BCDC-D4B A7707D2521F.pdf
31
Risk components
32
Financial and Non-Financial Risk
Enterprise Risk is essentially non-financial with a large financial component.
[Diagram labels: Enterprise Risk; Non-Financial (will include some financial); Pure Financial Risk data]
Categories shown: Strategic Risks; Financial (Trading) Risks; Operational (Procedural) Risks; Other Risks
Risks shown: Credit; Market; Pricing; Interest Rate; Liquidity; ALM; Operational; Disaster; Fraud; Terrorism; Project; Legal; Regulatory; Reputational; Pandemic; Environment; Government
33
Financial risk
Financial Risk – Balance Sheet Risk
Assets (what you have or what is due to come into your possession at a future date) and Liabilities (what you owe to someone else) can all be given a numeric financial value and these values can be balanced.
However, the value of these can vary:
The market price can go up or down
The value you give can be right or wrong
The expected payment for services given or taken can vary
The currencies involved can move against each other
You may not receive what is owed to you
You may not be able to realise the validly quoted price
34
Financial risk
All financial risk can be modelled (in theory and as long as you get the modelling factors right)
The risks are a combination of many, volatile parameters
An asset or a liability can be given a value – and the risk that an asset or liability can vary in value (to zero in the case of default) can also be given a value
This value can then be protected through:
Hedging – buying a liability or asset which varies in price exactly opposite to the value of the original asset or liability
Insurance – purchasing a policy that pays up in the event of the value of the asset or liability changing by more than an agreed value.
Capital – storing money away against a rainy day
35
Non-financial (operational) risk
Has financial and non-financial impacts
A much wider range of categories of types of risk
A much smaller volume of incidents (risk or loss events)
Cannot always be quantified
Less historic data
Less commonality of recording incidents
May be dependent on qualitative analysis
Can have a much greater impact than financial risk
Incidents are not always obvious
Recording depends on human intervention, attitude, willingness and interpretation
36
What are the components to non-financial risk management?
Risk identification
Risk (and other components) categorisation
Organisational modelling
Risk assessment
Loss event recording
Management and mitigation
Reporting and analysis
37
The building blocks of non-financial risk
Risk categorisation
Descriptions
Likelihood (probability)
Impact – both inherent and residual
Risk structure(s)
Risk controls
Risk indicators
Risk events (incidents or transactions)
Parameters
Potential impact
Actual impact
Knock-on effects
38
A risk structure
[Diagram: RISK REGISTER, a flat table (1, 2, 3, 4, etc.) with Attributes (note 2)]
39
A risk structure
[Diagram: RISK REGISTER, a flat table (1, 2, 3, 4, etc.) with Attributes (note 2), linked to the PRIME RISK STRUCTURE (note 1). Relationship shown: One to many. Up to N levels, risks linked at lowest level]
Note 1: i.e. People, Processes, Systems and External – by board director responsibilities – with alternative frameworks
Note 2: i.e. Geography – Product Line – Regulation (FSA, Health & Safety, Data Protection, etc)
40
A risk structure
[Diagram: RISK REGISTER, a flat table (1, 2, 3, 4, etc.) with Attributes (note 2); EVENTS REGISTER, a flat table (A, B, C, D, etc.) with Attributes (note 3); PRIME RISK STRUCTURE (note 1). Relationships shown: Many to many; One to many. Up to N levels, risks linked at lowest level]
Note 1: i.e. People, Processes, Systems and External – by board director responsibilities – with alternative frameworks
Note 2: i.e. Geography – Product Line – Regulation (FSA, Health & Safety, Data Protection, etc)
Note 3: i.e. ORX structure - BBA GOLD structure - Basel structure
41
A risk structure
[Diagram: RISK REGISTER, a flat table (1, 2, 3, 4, etc.) with Attributes (note 2); EVENTS REGISTER, a flat table (A, B, C, D, etc.) with Attributes (note 3); CONTROLS REGISTER, a flat table (Α, β, γ, δ, etc.) with Attributes (note 4); PRIME RISK STRUCTURE (note 1). Relationships shown: Many to many; One to many. Up to N levels, risks linked at lowest level]
Note 1: i.e. People, Processes, Systems and External – by board director responsibilities – with alternative frameworks
Note 2: i.e. Geography – Product Line – Regulation (FSA, Health & Safety, Data Protection, etc)
Note 3: i.e. ORX structure - BBA GOLD structure - Basel structure
Note 4: i.e. Manual controls - Automated controls - Management controls, Accounting controls, etc
42
A risk structure with indicators
[Diagram: PRIME RISK STRUCTURE (up to N levels, risks linked at lowest level) with flat tables, each carrying Attributes: risks (1, 2, 3, 4, etc.); EVENTS (A, B, C, D, etc.); INDICATORS (a, b, c, d, etc.); CONTROLS (Α, β, γ, δ, etc.)]
INDICATORS: Transaction indicators, HR indicators, External indicators such as weather, etc
43
Risk categorisation (Merrill Lynch Capital)
52 risks grouped into categories People Financial Credit Reporting & Control Customer Suitability & Servicing External Technology Legal/Regulatory Reputational (!) Employee Fraud Resource Management Involuntary Downsizing / Restructuring / Constrained Resources Loss of Key Individuals / Teams Lack of Training/Experience / Knowledge / Ability Knowledge Capital Risk Efficiency Risk Leadership Risk Authority / Limit Risk Performance Incentives Risk Change Readiness Risk Alignment Risk People Risk: The risk of loss related to management and deployment of people including inappropriate resource management (e.g., lack of training and constrained resources) inappropriate management oversight, employee irregularities, discrimination, harassment and turnover.
44
Architecture - how does it all fit together?
45
An ERM architecture consists of interlocking parts
Transaction Compliance – transparency, best execution, Conduct Of Business, etc.
Transaction Processing – quote, buy/sell, clear, settle, report, etc.
Risk Management – capital adequacy, risk management, event repair, etc.
Business Controls – trading limits, management processes and authorisations, etc.
MIS and Internal Audit – strategic direction and control, disclosure, etc.
A similar model could be created for the retail financial or insurance businesses
46
Types of risk
[Diagram: Enterprise Risk, drawing on risk assessments, indicators, controls and events data]
Categories shown: Strategic Risks; Financial (Trading) Risks; Operational (Procedural) Risks; Other Risks
Risks shown: Credit; Market; Pricing; Interest Rate; Liquidity; ALM; Operational; Disaster; Fraud; Terrorism; Project; Regulatory; Pandemic; Legal; Environment; Government
47
A risk MIS view
[Diagram labels: Board/Senior Management; Risk MIS; Risk indicators; Days debtors; Net sales; Parts returned; ALM / ALCO; Limits and positions; Capital allocation; % leavers; Response time; Oil reserves; Liquidity Risk System; Operational Risk System; Market Risk System; Credit Risk System; Accounts; HR management; Sales systems; CRM; Manufacturing etc.; Transaction data and local KRIs]
48
An enterprise risk MIS view
[Diagram labels: Board/Senior Management; Enterprise Risk MIS; Corporate Goals; Strategic Risk System; Risk indicators; Risk Appetite; Days debtors; Net sales; Parts returned; ALM / ALCO; Limits and positions; Capital allocation; % leavers; Response time; Oil reserves; Liquidity Risk System; Operational Risk System; Market Risk System; Credit Risk System; Accounts; HR management; Sales systems; CRM; Manufacturing etc.; Transaction data and local KRIs]
External Information: Competitor reports; Demographics; Weather trends; Financial trends; Gartner, etc; New technologies; Political moves; Etc.
49
A corporate MIS view
[Diagram labels: Board/Senior Management; Corporate MIS; Enterprise Risk MIS; Strategic Risk System; Corporate Goals; Risk Appetite; Risk indicators; Days debtors; Net sales; Parts returned; Regular corporate performance data; ALM / ALCO; Limits and positions; Capital allocation; % leavers; Response time; Oil reserves; Liquidity Risk System; Operational Risk System; Market Risk System; Credit Risk System; Accounts; HR management; Sales systems; CRM; Manufacturing etc.; Transaction data and local KRIs]
External Information: Competitor reports; Demographics; Weather trends; Financial trends; Gartner, etc; New technologies; Political moves; Etc.
50
Data implications
Financial (credit, market, liquidity, etc) risk:
Real-time
High availability
High performance requirements
Very large amounts of data
Kept for a long time
Data comes from existing core systems
Non-financial (operational and strategic) risk:
Once a day for input
Once a month for reporting
Low performance requirements
Relatively small amounts of data
Kept for a long time
Data collection systems need to be developed
51
The benefits of ERM
52
Enterprise risk management
Organisations believe Enterprise Risk Management (ERM) can help increase the value of their companies. This belief is founded upon ERM’s potential to:
avoid “land mines” and other surprises
improve the stability and quality of earnings
enhance growth and return by more knowledgeably exploiting risk opportunities and managing/allocating capital
identify specific opportunities such as natural synergies and risk arbitrage
reassure their many stakeholders that the business is well managed — stakeholders that include investors, analysts, rating agencies, regulators and the press.
53
The benefits of ERM
[Diagram: stages of ERM on a scale from Defensive to Advanced]
Transferring risk: Report risk, analyse past risks, insure against risks
Managing risk: Reduce losses, lower insurance costs, anticipate and mitigate losses
Optimising risk: Support objectives, improve earnings and cash flow, manage growth, capture opportunities
54
Examples of ERM Benefits
Multimillion-dollar project undertaken once risk profile understood
Offshore outsourcing program cancelled once high risk was assessed
Natural hedge discovered
Facilitated M&A process
Reduced insurance rates
Business line discontinued following correct allocation of credit failure and reputational knock-on impact of other businesses
Decided not to discontinue product once risk was understood
Price revisions implemented after a risk review demonstrated true cost of manufacture and delivery
55
Implementation considerations
56
Creation of an internal risk culture
An internal risk culture is the sum of the individual and corporate values, attitudes, competencies and behaviour that determine commitment to and style of risk management.
It includes both an enterprise risk and an internal control culture
It requires clear lines of responsibility, segregation of duties and effective internal reporting
It requires high standards of ethical behaviour at all levels
Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture
It is the responsibility of both the board and senior management
57
Why plan?
This is a major (significance, if not cost) programme
So first confirm all the reasons for doing it!
Business improvement
Organisational change
Regulatory compliance
Risk mitigation
Shareholder/public image
Removal of specific risk situations
Company value
You need strategic objectives and a benefits target
58
Business considerations
The Board needs to develop and to communicate the long-term business risk vision and risk strategy.
Moving towards a shared risk culture must be supported by a management of change process.
It will affect all parts of the business and all these need to be aware and committed to success.
Success depends on multi-level buy-in and cultural change.
59
Initial requirements
Board and senior management education.
Heads of department responsibilities.
Firm wide understanding of capital and compliance implications (benefits, threats and costs).
Establishment of peer support (or pressure) group of champions.
Awareness and support of programme.
Supervisor relationship and support.
Quick hits and ancillary benefits.
60
Start simply
“Arguably, some ERM frameworks are simply too complex for many community banks, given their traditional nature, structure, and business lines. However, creating an ERM framework does provide even the smallest institutions with a structured and disciplined approach to aligning strategy, processes, people, technology, and knowledge.”
Source: Federal Reserve Bank of Philadelphia
61
Commitment
Commitment is needed from:
Owners/shareholders
The Board
Senior management
Departmental managers
Audit, asset and liability management and compliance
Human resources
Staff
Geographies
Plan for it now.
62
Some final case studies
63
One.Tel (2001)
Created in 1995 as a youth-oriented telecoms carrier and service provider (land-lines, mobile and internet).
By 2000 was the 3rd largest Australian internet provider and signing up subscribers very rapidly.
One.Tel had gained its market by reselling the services of other providers and by aggressively discounting charges. However the balance of payments and receivables was very narrow, perhaps even unfavourable at times.
In mid-2000 its billing system failed under pressure of volumes and complex payment structures. This resulted in cash flow problems as cash was not coming in to pay suppliers.
In April 2001, directors (mis)forecast an AU$ 75M cash surplus by the end of the year.
Directors and major shareholders began to sell shares.
In June 2001 administrators were called in and staff laid off.
64
Long-Term Capital Management
In 1994, LTCM was founded based on the latest models from Nobel-prize winning economists Myron Scholes and Robert Merton.
Major investors put in $1.3 billion - 80 founding investors with a minimum of $10 million, including Bear Stearns President James Cayne.
LTCM's strategy was convergence trading - finding government bonds mispriced relative to each other, taking long positions in the cheap ones and short positions in the rich ones.
Differences in values were tiny, so the fund took large, highly-leveraged positions - equity of $5 billion and borrowings of over $125 billion.
LTCM’s models showed that the long and short positions were highly correlated and so the net risk was small.
In August 1998, Russia devalues and reneges on 281 billion roubles ($13.5 billion) of Treasury debt. The result is a massive "flight to quality", with investors flooding into the "risk-free" government bond market.
LTCM was caught out by the "price" of liquidity – if it became more valuable (in the crisis) its short positions would increase in price relative to its long positions. This was an unhedged exposure to a single risk factor.
The Federal Reserve Bank of New York organises a rescue package under which a consortium of leading investment and commercial banks.
65
And today’s sub-prime crisis
Structured products - instruments devised on the basis of grouped assets rather than the credit standing of the entity concerned, and where the cash flows of the entity are used to pay off the lender.
US investment banks bundle up large quantities of sub-prime, adjustable-rate mortgages (borrowers normally unlikely to get loans) into a securitized structured product and sell to mainstream investors. These get high ratings from the credit rating agencies based on their underlying assets (property) and the issuing bank.
Mortgage lenders borrow short on the inter-bank market and lend long to sub-prime clients, then bundle these loans and sell as above.
The market was competitive – but safe as long as the initial lender could sell on the loans – so spreading market risk!
Mortgage defaults in the US increase due to economy and interest rate issues. A small number of sub-prime lending specialists get into trouble. The credit ratings become suspect.
The big banks react by suspecting everyone of being in trouble and withdrawing from the interbank markets – a liquidity problem.
66
And finally
68
The Turnbull 10 questions for corporate risk management
1. Have you identified the potential business risks to the organisation? Y/N
2. Have you assessed the likelihood and consequence of the significant risk being realised?
3. Have you assessed those risks that could: Damage your reputation? Affect your market position? Result in prosecution?
4. Have you established controls to manage significant business risks?
5. Have you established a positive culture for controlling the risks?
6. Have you established a contingency plan to mitigate disaster?
7. Have you established continuity management control arrangements?
8. Do you regularly audit compliance with control arrangements?
9. Do you regularly review these arrangements with respect to their adequacy and effectiveness?
10. Do you report annually on your risk and control measures?
Can you answer “YES” to all 10 questions?
69
Thank you For questions – Regarding membership or exams –