0% found this document useful (0 votes)
50 views37 pagesFRM Risk P3
Uploaded by
pratap sarkarCopyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
0% found this document useful (0 votes)
50 views37 pagesFRM Risk P3
Uploaded by
pratap sarkarCopyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF or read online on Scribd
/ 37
level). The fit was estimated using the five-day excess returns over
the US Treasury one-week rate from December 1998 to June 2019,
J.P. Morgan
Betas | XLB
XE
XU 1.000
xu
XiK
XU.
XLU
xv.
xy
‘To see how this might be used, consider an analyst that fore-
casts the excess returns over the next week as:
+ XLF = 5%,
1 XLK = 4.0%, and
+ XLP = 2.0%,
‘This would translate into an expected return of 3.68%
(= 1.000 x 5.0 + 0.223 x (~4.0) ~ 0.212 x (2.0) for a
position in J.P. Morgan.
Determining portfolio risk using all the stocks in the S&P 500 (in var-
ious portions) would require the calculation of about 125,000 ciffer-
‘ont variances. By using these nine factors, that number falls to leas
than 5,019. The later is much more feasible and in practice should
offer results that perform Just as well (given the error margins)
Statistical Factor Models
In a statistical factor model, historical and cross-sectional data
fon stock returns are used in the model. The statistical tech-
rique of principal components analysis is used is to explai
the observed stock retume with “factors” that are lin
‘combinations and uncorrelated with each other.
For example, suppose that the monthly returns for 2,000
‘companies for 10 years are computed. The goal of principal
components analysis is to produce factors that best explain the
‘beorved variance in the etock retume. Now suppose that five
factors explain most of the variation in the returns of the 2,000
stocks over the 10-yeer periods. These factors are statist
artifacts. The task then becomes to determine the economic
meaning of each of these factors
ing Theory and Multifactor Models of
.3 FACTOR ANALYSIS
IN HEDGING EXPOSURE
While idiosyncratic (Le., specific) risk can theoretically be
eliminated through diversification, the same is not true for sys-
‘tematic risk. However, factor betas can be used to construct 2
hedging strategy to eliminate systematic rt
Each factor can be regarded as a fundamental security and can
therefore be used to hedge the same factor that is reflected in
2 given security. For example, a countervailing factor exposure
in portfolio H can be used to hedge a specific type of risk in
portfolio P,
If the goal is to hedge out all the factor risks and create a zer0-
bbeta portfolio, then we can take the opposite positions in each
Of the factors so that the combined portfolio contains no factor
‘exposures, Ifthe goal s to leave a portfolio exposed to certain
types of systematic risks, then not all factor exposures need to
be neutralized
A parsimonious choice in the number of factors is essential,
{as each needs to serve an institution's risk-adjusted retuen
objectives. The selection of the appropriate systematic factors
depends (in part) on judgment and there is no single perfect set
of factors for al investors.
A key challenge is determining how often a hedge needs to
bbe adjusted. Note that there is a tradeoff between the cost of
hedging and the need to keep the hedge aligned to the portfo-
lio, If the hedging strategy is not implemented on a continuous
basis, then tracking errors will appear. I the hedging strategy
's updated too frequently, trading costs will be high and drag
down overall performance.
‘Another challenge is model risk, which includes both factor
‘model errors and the potential for errors in implementation.
Factor model errors occur when a model contains mathemat-
cal errors or is based on misleading/inappropriate assumptions.
For example, a hedging strategy that is based on linear factor
‘models that fll to capture nonlinear relationships among the
factors will be flawed.
‘Another common error in model building is to assume
stationarity In the underlying asset distribution, as often such
distributions can evolve over time, Additionally, assumptions
built into models may fail to hold in certain conditions, such
as during stressed markets. During the 2007-2009 financial
crisis, for example, many market-neutral hedge funds
performed poorly,
and Return mi 89
The following questions are intended to help candidates understand the material. They are not actual FRM exam questions.
QUESTIONS
64
6a
65
66
or
While APT demonstrates that there are other factors in
‘addition to the market factor that impact security returns,
it fils to identify what those factors ar.
A. True
B. False
APT assumes asset returns are normally distributed.
A. True
B. False
APT requires that investors make decisions based on
‘mean and variance.
A. True
B False
What is the basic idea of the APT?
What are the three key assumptions of the APT?
Chen, Roll, and Ross (1986) tested the APT model and
found several explanatory variables for the average rate of
return on stocks traded on the NYSE. Which of the follow-
ing is not an explanatory variable in their empirical test?
‘A. Expected and unexpected inflation
B. The yield spread between high and low tsk corporate
bonds
. The yield spread between long and short maturity
bonds
D. The change in money supply in the economy
Unlike the CAPM, the APT rewards investors for accepting
specific risk.
A. Irve
B, False
6.10
611
612
In a statistical factor model, ae the macroeconomic and
fundamental factors clearly identified using principal com-
ponent analysis?
Roll noted that wel-diversified portfolios are nonetheless
highly correlated ifthe holdings are concentrated within
the same asset class, True or false? Explain,
“The Fama-French three-factor model adds two risk factors
‘beyond the market index to explain past average rates of
return. Which of the fallowing ratios is a risk factor in the
Fama-French empirical model?
‘A. EBITDA to total sales
B. Current assets to current liabilities
. Net profit to total assets
D. Book-to-market values
“The Fama-French five factor model added two more fac-
tors, Which of the following isa basis for one of these new
risk factors?
‘A. Operating profitability
Current assets to current liabilities
. Net profit to total assets
. Last month performance
Factor betas in a well-diversfied portfolio provide a means
for constructing a hedging strategy to reduce systematic
risk. True or False? Discuss.
90 m Financial Risk Manager Exam Part |: Foundations of Risk Management
The following questions are intended to help candidates understand the mater
ANSWERS
‘They are not actual FRM exam questions.
6.1 True
Although APT asserts there are multiple factors, it does
not identify those factors
6.2 False
6.3 False
6.8 The basic idea of APT is that investors can crate
zero-beta portfolio with zero net investment. If such a
portfolio yields positive return, then a sure profit can be
realized by arbitraging. In the real world, any existing
arbitrages would be exploited away.
6.5. APT has three underlying assumptions.
41. Asset returns can be explained by systematic factors.
2. By using diversification, investors can eliminate
specific risk from their portfolios
3. There are no arbitrage opportunities among well-
diversified portfolios. If any arbitrage opportunities
were to exis, investors would exploit them away.
6.8 D. The change in money supply in the economy
The explanatory variables were
‘©The spread between long-term and short
est rates (reflecting shifts in time preferences);
+ Expected and unexpected inflation;
‘+ Industrial production (retlecting changes in cash flow
expectations); and
'* The spread between high-risk and low-risk corporate
bond yields (reflecting changes in risk preferences)
6.7 Neither the APT nor the CAPM find that investors should,
be rewarded for accepting specific risk.
inter.
4.8 Ina ctatiotical factor model, principal component analy
provides factors that best explain the observed variance
Interns of the stocks being aralyeud, These factors
are statistically derived and are not identified as specific
‘macroeconomic or fundamental factors.
69
6.10 D.
6a
6.12
True
Roll noted that well-diversfied portfolios exhibit high
correlations when constrained to the same asset class,
‘whereas there is much less correlation when portfolios
are diversified across multiple asset classes.
9. Book-to-market values
HML is the difference between the returns on stocks with
high book-to-market values and those of stocks that have
low book-to-market values.
‘A. Operating profitability
Fama and French extended the model in 2015 by sug-
gesting two additional factors:
1. RMW, which is the difference between the returns of
‘companies with high (robust) and low (weak) operating
profitability; and
2. CMA, which isthe difference between the returns of
‘companies that invest conservatively and those that
invest aggressively.
Twe
Each factor can be used to hedge the same factor expo-
sure that is reflected in a given security. For example,
to hedge a positive exposure to a factor, another secu-
rity with a negative factor beta to that factor can be
purchased (or one with a positive factor beta could be
shorted)
Chapter 6 The Arbitrage Pricing Theory and Multifactor Models of Risk and Return mi 91
Principles for
Effective Data
Aggregation and
Risk Reporting
@ Learning Objectives
[Aver completing tht reading you ehould be able to:
© Explain the potential benefits of having effective risk data
‘aggregation and reporting.
{© Explain challenges to the implementation ofa strong risk
data aggregation and reporting process and the potential
impacts of using poor-quality data
‘© Describe key governance principles related to risk data
aggregation and risk reporting.
© Describe characteristics of effective data architecture, T
infrastructure, and risk reporting practices.
93
7.1 INTRODUCTION
Effective risk analysis requires sufficient and high-quality data,
‘This makes dats a major asset in today’s world, and it should be
treated as such
Risk analyses can be made using the internal data of an orgar
zation (e.g,, transaction data within a financial institution or the
specific costs of raw materials for a manufacturing compary).
The major concern with this type of data is whether itis kept
in an organized way so that it can be used for analysis. Statist-
cal techniques for analyzing this data are wide ranging and
can include tools such as machine learning and artificial intel-
ligence (Al),
Data can also come from outside the organization (e.g, exter-
ral data on the economy or on a specific industry). Financial
Institutions need data on past inflation rates, changes in money
supply, major interest rates, exchange rates, and so on. Some.
‘external data can be collected from public sources, whereas
‘other types of data may have to be purchased from traditional
and non-traditional sources. Non-traditional sources of infor-
‘mation are referred to as alternative data and includes data
gathered by third parties such as information from scrapping the
web, mobile devices, and sensors.
BOX 7.1 DATA IN MODEL RISK
Data acquisition plays an important role in model risk.
Financial institutions rely on models to guide their day-
‘to-day operations and to analyze their risk exposures. As
2 result, even the smallest of model errors can have dire
consequences.
Model risk can be decomposed into four components:*
input risk, estimation risk, valuation rsk, and hedging risk.
Note that data acquisition is especially pertinent when
considering input risk. Models depend on the quality of
ata because iis Used to create statistical estimators
of their parameters. As the adage goes: “garbage-in,
garbage-out"
*M. Crouhy, D. Gala, and R, Mork, Risk Management, McGraw
Hl, 2002, p. 586,
For many years financial firms collected data on either a depart-
‘mental or business activity basis. Generally, these efforts were
not wall coordinated or managed. Different departmente often
used different data sources, resulting in duplication in some
‘cases. A lot of data was neglected and even destroyed (e.g.,
data loss can occur when moving from one computer system to
‘another).In the 1960s and 1970s, data were stored on paper,
cards or computer tapes. Later storage devices included floppy
disks and hard disk drives, neither of which were compatible
with the older generation of systems.
A special committee ofthe Basel Committee on Banking Supenv-
sion (BCBS) examined bank data collection, data storage, and
data analysis practices, That committee uncovered many problems
within the industry and subsequently published a special report on
risk data management. It concluded that data quality in the banking
Industry was inadequate to aggregate and report rsk exposures
‘across business lines, legal entities, and at the bank group level
In recognition of these inadequacies, the BCBS published a set
of 14 principles to guide banks as they overhauled their risk data
‘aggregation and reporting capabilities (BCBS 239).' The BCBS
defines risk data aggregation as the "process of defining, gath-
‘ering, and processing risk data according to [a firm's] risk report-
ing requirements to enable the bank to measure its performance
against its risk tolerance/appetite.
The principles and supervisory expectations outlined in BCBS
£239 apply to risk management data and models. These prin
ciples cover governance/infrastructure issues, risk data aggrega-
tion procedures and needs, reporting, and considerations for
supervising authorities.
Banks have struggled to comply with BCBS 239 and the original
timeline to achieve full compliance was not met by any bank,
This is largely due to the highly complex nature of the IT reengi-
neering involved in bringing the various systems into compliance
‘as well as the dynamic nature of the principles? The exponential
increase in the application of Al techniques on large data sets
bras also madle compliance with BCBS 239 more challenging.
‘Section 7.2 explains how effective risk data aggregation anid
reporting can allow organizations to measure risk across an
centerprse.? Section 7.3 describes the key BCBS governance
principles.4 Section 7.4 identifies the data and IT infrastructure
features that contribute to effective data aggregation and
reporting. Section 7.5 describes specific characteristics of a
strong risk aggregation capability as wel as the interactions.
between thoee charscterietce. Finally, eaction 7.6 deecribee the
characteristics of effective risk reporting practices and the need
{or forward looking capablliles vo give preemptive signals of
potential risk exceedances.
* Principles for effective nek data aggregation and nsk reporting ep.)
(2013, January). Retrieved https:/w bis.org/publ/nchs239. pf
* See Basel Committee on Banking Supervision, June 2018, Progress
in adopting the Principles for elfectve risk data aggregation and risk
epuring ROAR). n/m Lib. ony/pubVonts pl
3 The specific costs and benefits of enterprise rsk management (ERM)
wil be discussed in Chapter 8.
* Best practices in corporate governance were discussed in Chapter 2.
94 Financial Risk Manager Exam Part |: Foundations of Risk Management
7.2 BENEFITS OF EFFECTIVE
RISK DATA AGGREGATION AND
REPORTING
Hf afirm fully adheres to the BCBS principles, its risk manag-
ers will have less uncertainty regarding the accuracy, integrity,
‘completeness, timeliness, and adaptability of the data they use,
Simply put, risk management benefits from having high-quality
‘isk data at all levels of the organization,
Designing and implementing an effective risk data aggrega-
tion and reporting capability enhances tactical and strategic,
decision-making processes, This reduces the chance of losses.
and improves risk-adjusted returns.
Banks need to leverage the relevant risk information and care-
fully consider what data can be obtained (end at what cost. it
can be challenging for risk managers to process and refine fast
‘moving big data® into usable risk information. Its essential that
decision-makers have confidence in the quality of the underlying
data, Ifthe information is inaccurate or incomplete, manage-
ment may not be able to make sound risk decisions.
‘Advances in data analytics (e.g, machine learning) are being
used to collect, anaiyze, and convert large volumes of unstruc
tured data ito usable information. This makes it easier for orga
nizations to avoid information overload and enables them to turn
vast amounts of data into a strong competitive advantage.”
Rigorous model validation also plays a critical role in risk man-
agement. In the United States, model developers must comply
with regulatory guidance on model vetting. The Federal Reserve
provides comprehensive guidance for banks on effective model
risk management.” This guidance calls fora “rigorous assess-
ment of data quality... as well asthe proper documenta-
tion "9 Mad devalaners need to demonstrate that the cata
5 ig datas data that are so big and complox tat trational dat pro-
cessing techniques oe inadequate
Thine data without a pr-defined data model or otherwise lacking @
pre-defined approach to organization.
7 C050, “Enterprise Rsk Management: Integrating Strategy with
formance" June 2017 (See Prince 18: Leverages information and
Technology)
8M Cry. PGi, and. Mark, Tha Faso of Rick Managamant
(2 edition), Chaptr 15, MeGraw til 2014, offers a more complete
Conceptual madels take on ahigh-evel design ofthe groupings of
informational elements, structures, and processes that interact with each
96 Mm Financial Risk Manager Exam Part I: Foundations of Risk Management
‘models translate the data requirements and properties
‘expressed in the logical model into a specific implementation on
‘an T hardware/sofware vendor system platform?"
In summary, banks with effective (.e., fully or largely compliant)
data architecture and IT infrastructure have consolidated their
"data categorization approaches and structures as well as inte-
‘grated data taxonomies."2?
Conversely, banks with ineffective (Le., non-compliant) data
architecture and IT infrastructure lack the “appropriate pro-
‘cesses and controls to ensure that the risk reference data is
updated following changes in business actvities."2
7.5 CHARACTERISTICS OF A
STRONG RISK DATA AGGREGATION
CAPABILITY
Firms need to monitor their data on an ongoing basis to ensure
its accuracy and integrity (see Principles 3 and 4 in Box 7.4) Risk
data should be complete, reconciled with sources, and include
all material risk disclosures at a granular level. Classifications
‘and categorizations are necessary to present complete and
‘manageable information to executive management. Ifclasifica-
tions are too broad, however, information loss and data distor-
tion can occur.
Banks should also be “able to produce aggregate risk informa-
tion on a timely basis’ (see Principle 5 in Box 7.4). The
degree of timeliness required depends on the risk area being
‘monitored. For example, data used to measure risk on the
trading floor will need to generate risk information on a time-
lier basis when compared to risk information on a corporate
loan. Information systems dedicated to trading rooms must
2 A physical data model can generate the specific operations, proce:
dures, and data loads to create a functioning database instance ofthe
logis data model
2 Basel Committe on Banking Supenision, June 2018, "Proaress
In adopting the Principles for eective risk data agaregation and risk
reporting (RDARR).” This report also mentions as an example “a data
‘Setionary and a single data repository or data warehouse for each risk
‘ype identified and constructed
Ibid. The report also mentions as an example ofthis "2 lack of a fr
lized exealtion process to communicate poor data quality to senior
nee
2 Basel Committee on Banking Supervision, January 2013, “Principles
for effective risk data aggregation and nak reporting
accommodate a wide variety of specific and potentially com-
plex financial instruments. These risks need to be evaluated
‘quickly and frequently for the purposes of managing a trading
book or a portfalio.
“Trading systems apply sophisticated analytical valuation and
pricing algorithms to portfolio positions. They typically use
data structures, customized either by vendors or designed by
in-house development teams, to record the details of financial
instrument contracts. Compromises in timeliness are often made
due to the need to extract and map data from different trading
systems into other systems that can integrate, summarize, and
report on the consolidated data,
Furthermore, risk data aggregation practices need to be adapt-
able (see Principle 6 in Box 7.4), An example of adaptability
would be the abilty to integrate a hypothetical stress scenario
with other parts of the portfolio to produce an aggregated
enterprise risk measure. Adaptability would also include the
capability to incorporate changes in an upcoming regulatory
framework (e.g., an update to Basel capital regulatory rules) and
the ability to combine that with historical data to produce an
overall risk measure.
‘The BCBS notes that an effective (Le. fully or largely compliant)
capability to aggregate risk data features “appropriate data el
‘ment centfcation, data quality documentation, data quality
‘assurance mechanisms, assessment of data quality per risk type,
‘and documented and effective controls for manual
processes."
Conversely, ineffective (ie., with compliance gaps) risk data
aggregation capabilities may feature “deficiencies in data qual-
ity controls. . lack of properly established] data quality rules
such as minimum standards for data quality reporting thresh-
lds: absence of a designated authority (oversight... : lack of
an effective escalation model ...; and weaknesses in [quality
controll” ac well as"... everrlignee on manual... procezoes
without proper documentation {and policy... lack of reconcil-
‘ation for certain key reports... andino variance analysis...
inability to promptly [also without automation] source rsk data
from foreign subsidiaries... , lack of standardization of refer-
ence data.’
2 Basol Committee on Banking Supervision, June 2018, “Progress
In adopting te Principles for elev ak dala ayyreyaven ad ak
reporting (ROARR).”
Data Aggregation and Risk Reporting 97
BOX 7.4 PRINCIPLES 3 TO 6*
Principle 3:
Accuracy and Integrity—A bank should be able to gen-
erate accurate and reliable risk data to meet normal and
stress/crisis reporting accuracy requirements. Data should
be aggregated on a largely automated basis to minimize
the probability of errors.
Principle 4:
Completeness—A bank should be able to capture and
aggregate all material risk data across the banking group.
Data should be available by business line, legal entity, asset
‘ype, industry, region, and other groupings, as relevant for
the risk in question, that permit identifying and reporting
risk exposures, concentrations, and emerging risks.
Principle 5:
‘Timeliness—A bank should be able to generate aggre-
Basel Committee on Banking Supervision, January 2013, “Principles
for effective risk data aggregation and risk reporting."
102 m Financial Risk Manager Exam Part I: Foundations of Risk Management
Enterprise Risk
Management and
Future Trends
@ Learning Objectives
‘After completing this reading you should be able to:
© Describe Enterprise Risk Management (ERM) and compare.
‘an ERM program with a traditional silo-based risk manage-
‘ment program.
© Describe the motivations for a firm to adopt an ERM
initiative,
© Explain best practices for the aovernance and implemen-
tation of an ERM program,
© Describe risk culture, explain the characteristics of a
strang corporate risk culture, and describe challenges to
the establishment of a strong risk culture at a firm.
(© Explain the role of scenario analysis in the implementa-
tion of an ERM program and describe its advantages and
disadvantages.
(© Explain the use of scenario analysis in stress testing pro-
grams and capital plannina.
103
8.1 ERM: WHAT IS IT AND WHY DO.
FIRMS NEED IT?
Earlier chapters of this book have focused on specific risk types
(eg, credit risk, market risk, or operational ris). This approach
has also been adopted by banking regulators, who require
banks to hold minimum capital against eredt, market, and oper
ational risk (e.g, Pillar of Base Il)* Looking at risk within isk
types and specific business portfolios makes it easier to:
+ Define and measure risk (.g,, most financial models deal
with specific risks),
‘= Aggregate risk within business lines, and
‘+ Determine whether to retain risk or partially/ully hedge risk
+ Use derivative instruments {if hedging risk), which tend to be
risk specific
However, it is also important to compare exposures to one another.
Doing 20 allows firms to prioritize rk management and under
stand how risktype and business line exposures add up to their
total exposure. At the enterprise level, risks may negate each other
(e.g, through netting? and diversification) or exacerbate each other
(2g, through risk concentrations, contagion, and cross-over risks)
BOX 8.1 CROSS-OVER RISKS—THE
NORTHERN ROCK EXAMPLE
‘A perceived weakness in one risk management area (e.9.,
credit risk) can reveal weakness in another area (e.g, funding
liquidity). Northern Rock discovered this to its detriment dur-
ing the initial tages of the 2007 2008 global financial crisis.
‘The fast-growing bank had developed a strategy that left
highly dependent on investors and wholesale markets—rather
‘than customers’ deposits —for its funding, It tried to manage
‘this funding concentration risk by dversiying geographically
beyond its home markt in the United Kingdom by tapping
fundling merkets in continental Europe and the United States,
However that approach left the institution wuinerable to
the global storm in funding markets that erupted when
investors began shunning banks perceived as having
sky landing strategies (es we discussed in Chapter 9).
Northern Rock oficial later claimed that ths kind of
global funding market shutdown was “unforeseeable.”
Source: House of Commons, Treasury Committee, “The
Run on the Rock,” January 2008, p. 16.
* Regulators are also concemed with many other risks facing a bank and
‘uy to make sure banks consider them by applying Pilla Il the superv-
sory review process.
or example, a global financial institution will ave inflows and/or
‘outflows denominated in some foceign curency. Currency skin this
‘ase isthe net exposure from the inflows and outfiow.
Enterprise risk management (ERM) applies the perspective and
resources at the top of the enterprise to manage the entice port-
folio of risks and account for them in strategic decisions.® ERM
improves the traditional risk management approach, popularly
referred to as silo-based risk management or stove-pipe risk
‘management, by giving senior management an integrated,
‘enterprise-level view of risk. Under silo-based risk management,
the risks of an organization are managed at the business unit,
level. ERM offers an important supplement to the more limited
perspective available from specific business lines or risk-type
functions. It also focuses attention on the largest threats to @
firms survival and core functionality.
Another important feature of ERM is that it supports a con-
sistent approach to enterprise risks throughout a firm, from
the boardroom to the business line. This consistency can be.
‘achieved through a robust risk culture and an adherence to
enterprise risk appetites and governance. Firms that lack this,
consistency may see one business unit reject an opportunity due
tt its risk, while similar opportunity is embraced by another unit.
This chapter explains how ERM evolved to help firms manage
risk efficiently, identify overlooked enterprise risks, manage
risk concentrations, and understand how different risk types
interact (Figure 8.1) It also introduces the key ERM dimensions
1 Helps firms define and adhere to enterprise risk
appetites
2, Focuses oversight on most threatening risks
43. Identities enterprise-scale risks generated at business
line level
4, Manages risk concentrations across the enterprise
5. Manages emerging enterprise risks (e.g., cyber risk,
‘ANIL (anti-money laundering) risk, reputation risk)
‘6. Supports reaulatory compliance and stakeholder
7, Helps firms to understand risk-ype correlations and.
cross-over risks
18. Optimizes risk transfer expenses in line with risk scale
and total cort
9 Incorporates stress scenario capital costs into pricing
and business decisions
410. Incorporate rth into bueinoss modal caloction and
strategic decisions
Top ten benefits of ERM.
2 Enterprise risks, meanwhile, ae those rsks large enough to make
enterprise outcomes fall materially short of enterprise goals.
104 Financial Risk Manager Exam Part I: Foundations of Risk Management
‘and tools, including risk culture indicators and enterprise-wide
stress testing,
8.2 ERM—A BRIEF HISTORY
‘The need for ERM's holistic approach to risk seems almost self
‘evident, so why ist still a work in progress? The answer lies
in the difficulty of the task and in how risk management has
‘evolved at the firm and industry levels
Risk management is usually fully integrated within small firms,
‘even if its not necessarily well developed. But as firms grow,
they create specialist risk functions to improve their management
of specific risks. (Ths is what was discussed in earlier chapters)
“These risk types may initially be managed independently of one
other, with some firms operating separate risk management,
functions across ther lines of business. Overtime, firms may try
‘to move beyond this siloed risk management structure. For
‘example, they may bring their risk managers together to
improve risk management skill ensure all key risks are covered,
{and inerease purchasing power in the risk transfer markets.*
This kind of enterprise-level rationalization became more urgent
after a wave of financial market liberalization in the 1970s
increased price volatilities and created new derivative instru-
‘ments across interest rate, commodities, foreign exchange, and
cother markets. By the 1990s, financial institutions realized that
they needed to manage their derivatives portfolios and underly-
ing economic exposures in @ more integrated fashion,
First banks, and then large corporations, began to build global
risk management divisions. They appointed chief risk officers
(CROs}responsible forall types of risk and began to use
universal risk metrics (e.g, Value-at-Risk (VaR) to compare and
aggregate risks across the firm,
* k prescrasriinghe tlh Winapeca eacaraiae pa
chaser in US corporations and the evolution ofthis role into a more inte-
biel onda yotee ocala arinarighe® vig tee WDE)
1960s. During this period, large US. corporations began to centralize
‘and rationalize insurance purchases, hitherto spread over many business
divisions and activities. Pooling sk wth other entities through an insurer
can be an expensive way to tansfer isk or fies with good claims
focus, The Lope finn” petspectine il it leare Use larger
firms could choose between transfering an insurable sk to an external
inairer or ucingthair nun capital in cauae 3 potion of th te thrgh
the use of elt insurance, captive inaurance companies, and similar
smachanisms, Setting up 2 captive to retain sk meant understanding—
rather than outsourcing —the risk and ineentivzed firms to capture risk
data, This in turn spawned new ideas about how to mitigate risk at the
{in ie evel Teter “ak ener” fiat Lmao ed
In elation to this widened role ofthe corporate insurance purchaser.
Though inuieaneerak managers had n un different ene tn that of
today’s bank risk manager, ther is one striking parallel integrating rise
management at the enterprise level changed how the frm saw and
‘managed risk.
In the mid-1990s, derivatives disasters (e.g., Barings Bank)
showed how institutions lacking robust risk management frame-
works could be destroyed by one out-of-control individual. At
the same time, banks expanded the scope of credit risk man-
‘agement from 2 focus on the credit ratings of obligors to the.
active management of enterprise credit portfolios (e.g, through
the use of credit derivatives)
By the late 1990s, banks had begun to track and measure
‘operational risks. At the same time, some institutions began
trading new types of transferable risk (e.g,, weather risk and
political risk). Inthe same way that VaR had helped firms build
an overall perspective of market risk, new global risk commit.
tees and risk transfer tools helped firms to build an overarching
perspective of enterprise risk across business lines and
risk types.
In the early days of global risk management, many firms had
trouble setting up integrated ERM programs across large
enterprises. Then, as now, firms preferred to devolve responsi-
bility for risk to the business line (where risk can be controlled
at the source). However, firms keep coming back to ERM
because managing risk demands a portfolio management
perspective.
By the early 2000s, some of the benefits of an ERM view wer
beginning to be realized (Table 8.1). However, the global finan-
ial crisis of 2007-2009 revealed many weaknesses in risk man-
agement practices. Among these included
= Afailure to properly apply aggregate risk measures,
‘© An inability to identify enterprise risk concentrations across
business lines, and
‘+ An inability to see risks within certain business models.
‘The years following the criss saw a greater regulatory emphasis
(on ERM tools such as risk appetite and risk capacity (Chapters 2
‘and 3), data aggregation and reporting (Chapter 7), enterprise-
level scenario analysis, and risk culture (the latter two being key
topics in this chapter)
‘A.2018 survey of 94 financial institutions by Deloitte found that
83% had an ERM program in place, up from 73% in 2016.
During that same timeframe, the percentage of financial institu:
tions with a CRO rose to 95%. Despite the increase inthe num-
ber of CROs, those surveyed flt that there was zoom for
improvement inthe reporting relationship and thatthe CRO
should report to both the CEO and to the bosrd. The aurvey
found that 25% of the respondents indicated that the CRO did
5 Delete, Global Risk Management Survey, 11" Edition, Deloitte
Insights http:/fowv2. dloite.com/content/dam/Delotte/ca/
Documents/sk/D|_globabrsk-management survey paf
Chapter 8 Enterprise Risk Management and Future Trends ™@ 105,
ERM versus Traditional Silo-based Risk Management
‘Traditional Risk Management
ERM View
Risk viewed in business line, risk-type, and functional silos
Risk viewed actoss business lines, functions, and risk types,
looking at diversification and concentration
Risk managers work in isolation
Risk team integrated using global risk management committee
and chief risk officer
Many different risk metrics that cannot be compared (apples to
oranges)
Development of rational risk management frameworks and
‘cross-isk universal metrics (.g., VaR and scenario analysis) to
integrate risk view (.., apples to apples)
Risk aggregated, if at all, within business lines and risk types.
Difficulty seeing the aggregate risk picture
‘Tools and integrated frameworks make it possible to more:
accurately measure and track enterprise risk. Potentially, risk is
aggregated across multiple risk types.
Each risk type managed using risk-specific transfer instruments
Possibility of cutting risk transfer costs firm-wide and integrated
(eg., mult-trigger) instruments
Each risk management approach (e.g., avoid/retain/mitigate/
transfer) often treated separately, with strategy rarely being
optimized.
Each risk management approach is viewed as one component
(of @ total cost of risk, ideally measured in a single currency.
‘Component choice is optimized as far as possible in rsk/reward
and cost/benefit terms expressed in that currency.
Impossible to integrate the management and transfer of risk
with balance shect management and financing stratogi
Risk management is increasingly integrated with balance sheet
management, capital management, and financing strategies.
not report to the CEO and about half said the CRO did not
report to the board of directors or even a sub-set of the board.
In addition to data and IT system issues, the three issues that
‘more than half the respondents cited as being extremely urgent
‘or ahigh priority for their institution's ERM program were
(1) managing increasing requlatory requirements and expecta
tions, (2) callaharation hatwaen the buinees nite and the ik
‘management function, and (3) establishing and embedding the
Fisk culture ecross the enterprise.*
8.3 ERM: FROM VISION TO ACTION
So far this chapter has covered ERM's evolution and basic goals.
But how is ERM organized in practice?” This depends alot on
the size and type of firm. but ithelps to think of ERM practices
across five dimensions (Table 8.2)
1. Targets: Ihese include the enterprise's risk appetite and
how it relates to its strategic goals (discussed in Chapter 2)
hid, poe.
” In organizational terms, ERM programs are often implemented through
Une Senor manager risk wine, Oiler bk eos, sul
the Credit Rsk committee, may adopt ERM initiatives. Meanwhile, some
tnan-fnancal Rem that lek lahat ae ermmmitten crirtves may
set up ERM committees that help coordinate ERM activities with their
respective business lines.
Five Key ERM Dimensions
ERM Dimension
Examples
Enterprise goals: Enterprise risk appetite,
enterprise limit frameworks, risk-sensitive
business goals and strategy formulation
Targets
Structure How we organize ERM: Board risk
‘oversight, global risk committee.
Risk Officer: ERM subcommittee: reporting
lines for ERM: reporting structures
Metrics How we rmeasure enterprise 1k
Enterprise-level risk metrics, enterprise
2tre29 testing, aggregate risk mea
sures (Value-at-Risk, Cash-Flow-at Risk,
Earninge-at Risk, ete), "total cost of risk"
approaches, enterprise level risk mapping
and flagging, choica of enterprise-level
ak limit metrics
ERM Strategies | How we manage ERM: Enterprise level
risk transfer strategies, enterprise risk
tronsfer instruments, enterprise moni-
toring of business line management of
conterprice ecalercke
Culture How we do things: “tone at the top",
accountability tor key enterprise risks,
‘openness and effective challenge, risk-
aligned compensation, staff risk Iteracy,
whistle-blowing mechanisms
106 m Financial Risk Manager Exam Part I: Foundations of Risk Management
Risk appetite is linked to operational mechanisms, such
8 global limit frameworks and incentive compensation
schemes. One goal of ERM is to set the right targets and
make sure they are not in conflict with other strategic goals.
2. Structure: The organizational structure of an ERM program
icludes the role of the board, the global risk committee
and other risk committees, the CRO, and the corporate
governance framework described in Chapter 3, The goal of
ERM is to make each structure sensitive to the enterprise
scale risks faced by the firm, including indirect losses.
3. Identification & Metrics: No amount of thoughtful target
setting or ERM reorganization will help ifa firm cannot
identity enterprise-scale risks and measure their severity,
Jimpact, and (ideally) frequency. This chapter discusses key
ERM metrics such as enterprise-level scenario analysis and
stress testing. Other metrics include aggregate risk mea-
sures such as VaR, total-cost-of risk methodologies, rskspe-
cif metrics, and whole-of firm risk mapping and flagging
mechanisms. Here, the goal of ERM is to make sure the firm
hhas the right family of metres to capture enterprise risks,
4, ERM strategies: Firms also need to articulate specific strate
gies for managing enterprise-scale risks at either the ent
prise level or through the business lines. This includes the
fundamental decisions to avoid, mitigate, or transfer risks,
‘along with the choice of enterprise risk transfer instruments.
'5. Culture: Iftargets, structure, and metrics are the bones of
the ERM strategy, then culture isthe flesh and blood. In
short, a strong risk culture is built from a pervasive sense of
‘common goals, practices, and behaviors.
Itis tempting to rank a firm's commitment to ERM in terms of
identifiable ERM attributes across these five dimensions.
However, the success of ERM i governed by the how these five
dimensions interact with each other. For example, appointing 3
[CRO might either lead to important improvements in enterprise
stress testing or be a cynical re-badging exercise that changes
nothing, Meanubile, an improvement in stress testing and other
risk metrics might not lead to improvements in risk management
if a firm lacks a healthy risk culture.
Furthermore, many ERM programs that look well established may
not be comprehensive, For example, surveys suggest that only
‘around half of CROs review the impact of compensation plans on a
firm's risk appetite and culture—arquably a critical ERM function®
‘The true test for ERM is whether its growing adoption leads to a
decrease in negative surprises and mishaps. So far, empirical
® Deloitte, Global Risk Management Survey, 10" edition; p. 6 and p. 18.
The Deloitte survey is available at https:/www2.deloitte com/insghts/
slen/topic/risk-manegement/globaliskmanagement-survey htm!
research has yielded ambiguous results. Some researchers have
Identified positive results from adopting ERM (e.g, in terms of
bbank default swap spreads)? while others have so far failed to
find evidence of tangible benefits.
“The ambiguity in the research data probably stems from the dif-
ficulty in identifying empirical markers of successful ERM adop-
ton and the relatively short time series available to researchers.
In addition, ERM is continually evolving. For example, there
has been a much greater emphasis placed on risk culture in the
years since the crisis.
In the years ahead, the financial industry will continue to gather
data and refine its methodology for back-testing the results of
ERM adoption.
8.4 WHY MIGHT ENTERPRISE RISK
DEMAND ERM: FOUR KEY REASONS
Perhaps the most important argument for ERM is that an
enterprise-level perspective is the best way to prioritize risks
‘and optimize risk management."® A risk that looks minimal at
the business line level can develop into a threat to the whole
enterprise. Conversely, a risk that looks threatening at a busi-
ress line level might look trivial in the context of the diversified
enterprise risk portfolio.
Top to Bottom—Vertical Vision
Large risks often begin ther life along way from the board,
room, As ai example, consider the case Of @ car manufacture
‘Suppose that a poor design or sourcing decision is made, and a
potentially dangerous car partis installed. The risk is engineered
into countless cars and therefore threatens the enterprise, its,
suppliers, and their insurers through recall and compensation
costs lost sales. and reputational harm
We can see something similar happening in the "product facto-
ries" of financial institutions. For example, misconduct issues have
plagued large financial firms in recent years. In these firms, seling
‘a poor invastment product may not seem lke a critical thraat at
the business line level when the business is young. As the business
grows, however, that threat can rise dramatically overtime.
5. A Lundevist and A. Wihelmsson, “Enterprise Risk Management
and Default Risk Evidanee from the Banking Industry" Journal of
Fisk ard insurance 85), 2018, 127-187, wth a discussion of the
literature around ERM and value creation on pp 130-132 See also
MK: Meshane, A. Nai and ERustambokoy, "Does Enterprise Risk
Management increase Firm Value? Journal of Accounting, Auditing and
See B. W. Nocco and R. M. Stulz, “Enterprise Risk Management: Theory
and Practice," Journal of Applied Corporate Finance 18 4), 2008, 8-20.
Chapter 8 Enterprise Risk Management and Future Trends ™ 107
For both nancial and non-financial fms, the remedy might be
something simple (eg, tweaking the design or spending marginal
amounts on better components or something pinfl (9, clos-
ing product ine and fring the ine manager) tight also mean
recognizing that the rei being riven by poor target setting by
senior management. Whatever the remedy, ERM ithe process of
‘+ Recognizing the potential threat to the whole enterprise aris-
ing from the risky design/production decision, and
‘+ Picking up on early signs that things are going wrong to
reduce the leveraging effect of time.
ERM brings risk decisions, across time and space, inline with the
‘enterprise's stated risk appatite.""
Are There Potentially Dangerous
Concentrations of Risk within the Firm?
Line managers look after specific business lines and therefore it
can be difficult for them to spot risk concentrations across the
enterprise. Credit concentrations, for example, are the big red
lever of the credit portfolio. '@ bank loans too much to one
person (ie., name concentration), the bank risks a significant
loss. If too many borrowers belong to the same industry, a sec-
tor downturn could wreak havoc to the loan portfolio.
Hidden concentrations often build up across many different busi-
nesses because line managers cannot see the connections. In bank
ing, for example, an institution may lend to one firm ints corporate
Joan division and then create a counterparty exposure with the
‘same firm init derivatives division, Many kinds of concentration
riak can creep across enterprises. Examples include the folowing,
+ Geographical and industry concentrations. Examples include
where a manufacturer's production facilities or a bank's core
{Tis located within a given region, or where a financial firm
is over-exposed to default rik in a local economy or type of,
industry
‘+ Product concentrations. For example, a derivative or retail
product might be mispriced in multiple divisions.
‘+ Supplier concentrations. An example would be a firm that
has too great of a dependency ona lnk in its global supply
chain or inthe ease of financial inctitutions, on technology
suppliers or data/risk analysis providers.
"One complication i that business line short-term priorities are often
seta the top of the firm. For example, the business line might be ty-
Jing wu seve momay on produut empress Laval ils tepotted profit
‘margin. It might be tying to make headquarters’ sales targets, through
tbninver manne. FRM is theese alen aut managing agency rick nee
the firms risk culture, inluding how to build structures within the frm
that balance the need for aggressive short-term goals against the need
to stay inline with long-term rk appetite,
During the global financial crisis of 2007-2009, many firms
ound themselves with concentrations of mortgage risk in both
specific geographies and risky product types (e.g., negative
amortizing mortgages).
Firms cannot always avoid concentrations. For example, insurers
‘and bankers have been wary of concentrating their key systems,
Infrastructure, and data with cloud computing providers. However,
large security investments made by cloud providers mean that
{going to the cloud could offer one way to manage cyber rsk and
strategic technology risk. Fitms must manage such risk tradeoffs
Ultimately, ERM includes the recognition and management of
concentration risks according to a firm’ rick appetite.
Thinking Beyond Silos
Conversely, there are major diversification benefits that can only be
understood at the enterprise level, particularly in terms of risk type.
Acknowledging risktype diversification reduces the aggre-
{gate risk capital a firm needs to hold. It algo helps to transform
“badly behaved" risk portfolios, including many kinds of opera-
tional risk, into loss distributions closer to that of a normal distri-
bution (Figure 8.2),
‘At the same time, thinking beyond silo-based risk management
helps firms to understand how risk types can interact to worsen
enterprise threats. For example, enhanced consumer protection
in the United States since the global financial crisis has created
significant cross-over risks between credit risk, legal risk, and,
reputational isk, As a result, banks are under growing pressure
to make sure they are not deceiving or misleading customers or
engaging in abusive acts
Likewise, ERM can help firms understand how risk can cross over
between risk types durina times of stress (as noted in Box 8.1).
Risk Retention Decisions: Self-Insurance
and Captive Insurance
Consumers are nearly always right to turn down offers of insur-
‘ance for inexpensive goods, For example, ifa kettle catches fire,
it ie the hema ineranen thay raed te wiry ahenit ane ant the
replacement cost of the kettle.
Firms have been applying the same logic at the enterprise level
since the 1960s by using mechanisms such as self-insurance and
captive insurance’? to retain portions of property, lability, and
12 captive incuranea campany (or sly captive insured) ican
insurance company thats wholly owned and controlled by its insureds,
‘hich is/are one or more non-nsurance firms. Captive insurance isan
‘alternative to selfnsurence,
108 m Financial Risk Manager Exam Part I: Foundations of Risk Management
Market Risk e.g., Equity
Probability
Operational Risk~e.g., Cyber
_
other risks. Note that around 20% of firms with between USD
‘billion and USD 5 billion in revenue have a captive insurance
unit; that percentage rises to over 50% for firms with at least
USD 10 billion in revenue.’? Risk retention decisions are best
made at the enterprise level, where the aggregate level of risk
‘exposure can be understood,
“The process of understanding an enterprise rk and then manag-
ing portion oft in-house is happening again today with cyber
‘isk. Sofa, only around 12% of firms using captives employ them
to provide cyber coverage. However, 23% of them plan to do so by
£2020." This growth will be driven by firms improving their under
standing of eyber risk, such as through enterprise rk assessments
‘of eyber dependencies and vulnerabilities, and then applying quan-
titative metrics to a2ze29 the financial impact of eyber events
This demonstrates a general truth: firms that understand enter
prise risk can translate this understanding into dollar savings
(Figure 8.3). The process is most abviaus in the case of insurable
risks,'® but itis true for financial risks as well. As firms
° on Risk Solutions, Global Risk Menagement Survey 2017, p. 92.
Captives also help firms to centrally gather information about thelr sks,
chack thee risk taking against theirak appetite, and t build more
‘alfeclie oh aogier cts
Aon Rsk Solutions, Global Risk Menagement Survey 2017, p. 89.
8 An insurable ris ia rsk where the ineurer can calculate the potential
future losses or claims. risk where the insurer cannot calculate the
potential losses or claims i a non-insurable sk
Diversification/Correlation Effects
EJ The enterprise risk portfolio generates diversification benefits.
understand their true exposures (Le., considering enterprise
netting and diversification effects) they can retain the right
level of exposure and target resources towards the real,
centerprise-threatening risks,
8.5 THE CRITICAL IMPORTANCE
OF RISK CULTURE
Risk culture can be thought of asthe set of goals, values, beliefs,
procedures, customs, and corwentons Uist influence How staff ere
ate, identify, manage, and think about rsk within an enterprise,
including implicit and explicit belies. Another well-known detini-
tion is that “risk culture can be defined as the norms and traditions
Cf behavior of individuals and of groups within an organization that
determine the way in which they identity. understand. discuss. and
act on the rsks the organization confronts and the risks it takes.""®
Risk culture sounds intangible, but a strong risk culture
is a firm's surest handle on ERM" in the same way that
16 Sue Retorm inthe Financial Services Induct: Strengthening Prac
tices for a More Stable System, December 2009, Appendix Il. Various