
Chapter 10

This document discusses key aspects of monitoring and communication of risk within an organization. It covers monitoring requirements such as collecting suitable data, thorough documentation, and timely information delivery. It also discusses internal audit, communication of risk both internally and externally, use of risk metrics and key risk indicators (KRIs), risk reporting to answer key questions and ensure effective monitoring, and considerations for the design of management reporting systems. The overall aim is to establish effective processes and feedback loops for risk management.

Uploaded by

aa4e11

Monitoring and communication of risk
Contents
1. Monitoring and audit
2. Communication
3. Risk metrics
4. KRIs
5. Risk reporting
6. Management report system design
7. Balanced scorecard
8. Consistent terminology in ERM
Monitoring and audit
Monitoring requirements
- Data and resources
  - Organization must gather suitable data (internal and external) on which to base its risk analysis
  - Quality of the outcome of the RM process is dependent on the quality of data
  - Need to invest in appropriate systems and technology, with adequate HR to support this process
  - People need to have clear objectives and reporting lines
- Documentation
  - RM process should be supported with thorough documentation using common templates across the business
  - Things that should be properly documented:
    - RM decisions made and reasons
    - Systems (e.g. system spec and user acceptance testing of IT systems)
    - Financial models (incl. assumptions and data used)
    - RM failures (incl. nature of failure and losses incurred)


Monitoring requirements
- Information
  - Substantial amount of information is needed to operate and manage risk effectively
  - Information needs to be reliable and delivered in a timely manner
  - Trade-off in the amount of data:
    - Too much data, so that it cannot be usefully digested
    - Too little data, so that it is uninformative

Internal audit
- Way in which risks are identified (both at a high level and day to day)
- Ways of communicating risk – from CRF to business units and the other way round
- Methods of risk assessment
- Choice and effectiveness of risk responses
- Investigation of RM failures

Communication
Communication
- Internal (management info): About what is happening inside the business (e.g. CF position, sales, inventory levels)
- External (inwards): What is happening outside the company (e.g. competitors’ sales)
- External (outwards): Distributing information about the org. to interested parties (e.g. media, s/h, regulators)
- Informal: Word of mouth (or social media)
- Formal: Through corporate intranet, MIS, reports and/or corporate newsletters

Communication
- RM process and results must be communicated effectively to stakeholders to enable them to monitor the RM strategies and complete the necessary feedback loops
- Internal communications (e.g. to Board or relevant committees)
  - So they are fully apprised of the risks being faced by the org. and how they are being dealt with
- External communications (e.g. supervisory bodies, investors, analysts)
  - Need to clearly articulate its RM strategies to key stakeholders to receive the full benefit of its investment in ERM
  - Need to be aware of sharing sensitive information

Risk metrics
Risk metrics
- Risk metrics are included in regular risk reporting
- Important part of the feedback loop so the Board can monitor the amount of risk being taken and gauge the effectiveness of the risk policies

Purpose of risk metrics
1. Support the implementation of the risk appetite framework
   - (Usually using multiple risk metrics at the same time)
2. Measure whether the company is operating within its risk tolerance limits
3. Easier to use in real business decisions
   - Risk appetite and risk tolerance statements are typically probabilistic statements relating to financial and non-financial events

Risk metrics
- Consist of quantitative and qualitative indicators of the level of risk in a specific part of the organization
- Each level of risk appetite statement may utilize a number of risk metrics
- Risk metrics can be found at a supporting level below the detail included in the risk tolerance and limit statements
- E.g. IT systems downtime and staff turnover rates can be used as indicators of the level of op-risk to which the org. is exposed
- Quantitative or qualitative thresholds in these metrics may act as triggers to identify potential problem areas so that actions can be taken

Risk metrics
- Board sets a limit on the level of market risk
- Identify key drivers of market risk (e.g. equity and interest rate risk)
- RM function monitors for quick and early indication of changes in risk profile leading to a breach of risk tolerance, such as:
  - % of equity in the portfolio
  - Level of duration mismatch between assets and liabilities
- These indicators are the risk metrics

KRIs
KRIs
- Risk metrics that form a key part of an organization’s risk management framework
- Range of quantitative and qualitative risk metrics that are developed to ensure the org. has a broad view of its risk exposures
- The design, implementation, monitoring and reporting of KRIs is part of the ERM control cycle

Using KRIs
- Managers can use KRIs to identify when risk limits are close to being exceeded
- Prompt actions designed to keep the organization within its risk tolerances

KRIs – factors
- Policies and regulations (e.g. regulatory limits)
- Strategies and objectives (e.g. volatility of results)
- Past losses and incidents (to help judge what is significant)
- Stakeholder requirements (e.g. variables monitored by credit rating agencies)
- Risk assessments (some areas may require closer scrutiny than others)

KRIs – desirable features
- Quantifiable (i.e. %, $, numbers)
- Based on consistent methodologies and standards
- Incorporate key risk drivers (e.g. exposure, probability, severity and correlation)
- Tracked over time
- Tied to objectives
- Linked to an accountable individual
- Useful in decision making
- Able to be benchmarked externally
- Timely
- Cost effective to measure
- Simple (not simplistic)
- Balance of leading and lagging indicators

Risk reporting
Risk reporting
Feedback loop:
- Process by which management and other stakeholders are informed of any significant issues or changes in the business and/or the environment
- Information about changes may come from sources that provide information about past events, the present or expectations for the future
- Incorporating feedback loops is one way in which an org. can ensure that its ERM framework is able to identify and respond appropriately to such changes

Risk reporting
Importance of effective reporting
- Ensure stakeholders have the risk information required
- Ensure RM framework is embedded within an org.
- Reflect risk in management decisions
- Effective monitoring of risk levels
- BAM need info & feedback to assess effectiveness of the RM policies & identify areas for improvement

Risk reporting
Answer five key questions
1. Are our business objectives at risk?
2. Are we in compliance with policies, laws and regulations?
3. What risk incidents have been escalated and require attention?
4. What KPIs or KRIs need attention?
5. What risk assessments need to be reviewed?

Risk reporting
Good risk reporting
- Clear and relevant
- Closely linked to the management of the org.’s risk appetite and risk tolerances
- Link clearly to decisions that the org. needs to make
- Include KRIs to provide sufficient information to allow clear and timely decision making
- Balance between the need to include all relevant information vs need for clarity and simplicity
- Important that it includes information at appropriate level of detail for the intended audience

Risk reporting
Components
- Qualitative and quantitative information
- Summary of losses and incidents
- Summary of business risks and the key discussions and decisions required from the Board
- Narrative from management on important data and trends
- KPIs against KRIs with important deviations and trends highlighted
- Important events / milestones (e.g. regulatory visit)
- Risk reports to business managers can be more detailed with an emphasis on quantitative rather than qualitative analysis

Management reporting system design
Management reporting system design
Top down approach
- Best way to do it
- For a given audience, think about the information they need to make decisions
- Once identified, the information needs to be presented in a way that is easily understood

Management reporting system design
Good system
- Forward looking, dynamic, decisions-driven, online
- Single point of access to critical risk information collated from various risk systems and data sources
- Role-based summary of risk to decision makers with drill-down capabilities to more detailed info
- Prioritized just-in-time information (e.g. from real-time alerts to quarterly summaries)
- Mixture of qualitative vs quantitative, internal vs external data
- Opportunity for users to provide commentary, explanation or analysis of the information

Management reporting system design
Bad system
- Historically focused, silo-based, data driven, manually prepared, paper based, static
- Simply collating data from silos
- Overwhelming users with too much information
- Providing too much qualitative data that does not aid decision making
- Focusing on quantity rather than quality of information

Balanced Scorecard / Dashboard report
Balanced Scorecard / Dashboard report
Balanced scorecard
- Common reporting approach
- Integrates business and financial reporting
- Risk assessment in the form of KRIs is usually incorporated (on top of KPIs)
- Similar to Lam’s dashboard reporting

Common areas of assessment for balanced scorecard
1. Finance
2. Stakeholders (e.g. customers or clients)
3. Growth and learning
4. Internal business processes

Balanced Scorecard / Dashboard report
Balanced scorecard for effectiveness of the ERM function
- Is the cost of risk minimized? (e.g. losses and mitigation / management cost)
- No surprises on regulatory / policy violations?
- Performance-based feedback loops (e.g. RA (ex-ante) vs actual losses / events (ex-post))
- ERM development milestones met?

Consistent terminology
Advantages of consistent terminology in ERM
- Promotes consistent and common understanding of risk; reduces confusion
- More important in large organizations and multi-nationals
- Common risk language:
  - Ensures ERM is accessible to all and becomes rooted in org’s culture
  - Increases speed with which ERM is embedded in the organization
  - Helps prevent inefficient use of K and resources
  - Helps with tying up excess capital and consolidation of the funds
  - Produces more productive discussions on RM and measurement
  - Helps company to comply with legislation

Advantages of consistent terminology in ERM
- Consistent documentation:
  - Helps to prevent double counting of risks or overlooking of risks
  - Allows for concentration of risk to be assessed, as all parts of business will classify same risk in same way
  - Enables setting and monitoring of risk tolerances at enterprise level, as the total risk from each resource is correctly appreciated
  - Staff can change roles within organization without needing to learn new ERM terms and processes.
