Risk Management in Banking

and Financial Services

Lecture One: An Introduction to Risk and
Risk Management in Financial Services

1
 Key Course Aims
• How does risk management add value to
financial institutions?
• How can risk management theories support
practice within financial institutions?
• What does effective risk management look like
and how can we analyse this?

2
 Session Aims
• Introduce the course and your Course Leader
• Review key resources on the Canvas site,
including assignment information
• Provide some foundation materials to help
you understand more advanced sessions

3
WHAT IS RISK AND IS
IT ALWAYS A THREAT
TO FINANCIAL
INSTITUTIONS?
What is Risk?
 Definitions of Risk
• Risk is the combination of the probability of an event
IRM and its consequence. Consequences can range
from positive to negative

• Effect of uncertainty on objectives.

ISO31000: • Note: An effect is a deviation from the expected. It
can be positive, negative or both, and can address,
2018 create or result in opportunities or threats

COSO: • The possibility that an event will occur and affect

the achievement of strategy and business
2017 objectives – negative and positive outcomes
 What is Risk
• Can arise whenever a given decision, action,
behaviour, activity, etc. could give rise to two
or more outcomes.
• Almost everything we do involves an element
of risk. The same applies to firms,
governments, etc.
• Hence risk is everywhere!
• But it is not necessarily a bad thing:
www.youtube.com/watch?v=gIU3HrCCT2k
7
 Pure vrs Speculative Risk
Pure Risk
• This refers to risks that only
have a downside
• Hence pure risk refers to
the risk of loss only
• Most of the risks that we
insure are pure risks
• Many people, even experts,
‘frame’ the risks that they
face in pure terms….
Speculative Risk
• All a question of perspective!
• Risk with both positive and
negative outcomes
• Gambling in a casino or on
the stock market is an
example of speculative risk
• If you think about risk at an
enterprise level (e.g. profit or
share price) then almost all
risk is speculative
8
 Financial Institutions and Risk
Banks
Deposit Taking Building societies/Credit Unions
Hedge funds
Shadow banks Mutual funds
Special Purpose Vehicles
Mortgage finance
Finance Companies Personal Loans
Credit Cards
General (Property Casualty)
Insurance Life and Pensions
Stock brokers
Financial advisors
Brokers and other agents Insurance brokers
Investment firms

9
 Exercise

• What services do
financial institutions
provide?
• What are the risks
associated with these
services?
• Which of these are
speculative risks?

10
 What Is Risk Management?
• Risk management is the process by which
individuals and organisations balance risk and
opportunity
• Risk management can be used to both:
– Improve our understanding of the risks that we face
– Manipulate our exposure to risk (up or down)
• All individuals and organisations practice risk
management in some form or another, whether
consciously or not!

11
 Risk Management Defined
• Process which aims to help organisations
understand, evaluate and take action on all their
IRM risks with a view to increasing the probability of
success and reducing the likelihood of failure

ISO31000: • Coordinated activities to direct and control an

organisation with regard to risk
2018
• The culture, capabilities, and practices,
integrated with strategy-setting and its execution,
COSO that organizations rely on to manage risk in
creating, preserving and realizing value
 Source: IRM (2018) A Risk
Practitioners Guide to
ISO31000:2018, Institute of
Risk Management, London 13
 Control Identify
Exposure Risks

Assess
Monitor Level of
Exposure Exposure
14
 Risk Management Essentials
Formal and Informal
Adaptive
Effective risk
management is Risks
There is no best
about people approach. You must
(behaviours and Risk management
tailor your risk looks to maximise
engagement), as well management
as processes and opportunities and
response and minimise threats.
tools continuously Essential to
improve understand risk
appetite

Recommended: IRM ISO31000 Guide

www.theirm.org/media/6884/irm-report-iso-31000-2018-v2.pdf
 Exercise
• Review the recent financial press (Financial
Times, etc.)
• Identify a major risk event that has impacted
on a financial institution of your choice
• What were the financial and non-financial
impacts of this event?
• How could more effective risk management
have helped to prevent or mitigate this event?

16
 Conclusion
• There are many different types of financial
institution taking a wide range of risks to
generate returns
• These risks are not easy to manage!
• And the value of this risk management is not
always clear
• As we shall learn next!

17
18
 RISK APPETITE
What is the Optimum Level of Risk for Financial Institutions?

1
 Overview
• What is risk
appetite?
• Academic research
into risk appetite
• Expressing appetite
in an effective way
• Other elements of
an effective risk
appetite framework

2
3
 Exercise
Speculative Risk
• Identify one speculative risk
that can impact on a bank
• When should a bank take
this risk?
• Should there there a limit to
this risk taking?
Pure Risk
• Identify one pure risk that
can impact on a bank?
• Is it practical to eliminate
this risk?
• If not, why not?
4
Definitions of Risk Appetite

Willingness Acceptability
to take risk of risk

Risk is necessary to
generate a return
5
 Risk Appetite

The risk you take to generate a The return you require for risk
return taking
Risk Appetite: When Life is Simple!
The security market frontier: the risk (Beta) for a given
expected return (or minimum return for a given risk). The risk-
return trade off is constant, and there’s no maximum risk.

7
 Risk Appetite: Risk/Return Frontier
A non-linear risk appetite frontier: the maximum risk for a given
expected return where the risk-return trade off gets more demanding.

Expected
Return

Minimum
Required
Return

Risk

8
 Which Project is Outside of
Appetite?
Expected
Return

Project C

Project A

Project B

Risk
9
Expressing and Reporting Appetite

= ?
Source: M Leitch (2010) Making sense of risk appetite, tolerance, and acceptance
(revised), (http://workinginuncertainty.co.uk/appetite.shtml)

10
 Commercial
Organisation
Economic
Capital Share Price

Cash flow Rating Based Example

at Risk Approach Behaviours

Risk is hard
Risk is easy to quantify
to quantify

Targets, Probability Qualitative

Loss Based Limits and & Impact Statements
Approaches Thresholds Boundary

Non- Commercial
Organisation

11
12
 Quantitative vrs Qualitative
Comparative Advantage of
Numbers
• Appetite formulated using
objective measures of risk
• Clarity regarding whether
you are in/outside your
appetite for risk
• Can express appetite using
established management
methods (RAG limits, ROI,
VaR, etc)
• Easy to integrate into risk
based capital framework
Comparative Advantage of
Words
• Appetite formulated using
narrative statements
• Not all risks can be measured
• Easier to understand – at all
levels
• Allows you to express
absolutes (e.g. zero
tolerance) where appropriate
• May be able to align to
strategic vision and values
13
 Weighing Up the Pros and Cons
“A firm’s risk appetite will contain both qualitative and quantitative
elements…… Clearly defined qualitative elements should help the
Board and senior management assess the firm’s current risk level
relative to risk appetite as adopted.” (Institute of International
Finance, Report into the Financial Crisis, 2008)

14
 Exercise

• Go to the latest annual

report of a financial
institution of your choice
• Search for the term ‘risk
appetite’
• What does this search
reveal about its appetite
for risk?
• How does your bank
express its appetite for
risk?

15
Having designed an effective risk
appetite approach, how should it
be implemented?

16
 Implementing Risk Appetite

Support strategy setting

Support risk management

Set boundaries for risk

taking
Support stakeholder value
maximisation
17
 Implementation Priorities
Risk appetite should be used to achieve
Support strategy setting a balanced risk profile that supports
strategic objectives
Risk appetite should enable an
Support risk organisation to prioritise its risk
management activities. Look for risk
management specific appetite statements and
regular risk reports
Risk appetite should be translated into
Set boundaries for risk risk tolerance metrics – both hard
(quantitative) and soft (qualitative)
taking metrics, monitored regularly

Support stakeholder Risk appetite should be clearly

reported. How much information does
value maximisation a financial institution report?

18
 Conclusions
• Risk appetite is a relatively easy concept to
articulate, but designing an effective risk appetite
framework for all types of risk is hard
• Ultimately the diversity of opinion that remains in
relation to some issues (e.g. willingness vrs
acceptability), coupled with the relatively
immaturity of the concept means that it is
difficult to be clear on good practice
• There are no easy answers when it comes to risk
appetite, but there is academic and practitioner
work that can help identify good practice
19
 Recommended Resources
CRO Forum (2013) Establishing and Embedding Risk Appetite:
Practitioner’s View, Chief Risk Officer’s Forum, Amsterdam,
https://www.thecroforum.org/2013/12/20/establishing-and-
embedding-risk-appetite-practitioners-view-2/

FSB (2013) Principles for an Effective Risk Appetite Framework,

Financial Stability Board, Basel.
https://www.financialstabilityboard.org/publications/r_131118.h
tm

20
 Session 3: Governance
Where Risk Management fits with
Corporate Governance and
Compliance (Internal Control)
 Session Outline
• The role of corporate governance and internal
control
• Three lines of defence approach – does it
work?
• What about risk management? Does
corporate governance help or hinder effective
risk management?
www.accountingtools.com/articles/internal-
control.html

www.cgi.org.uk/about-us/policy/what-is-
corporate-governance

What is
Governance?

What is Internal
Control?
The Basic Principle Agent Problem
 Underlying Theory: Moral Hazard
• Moral hazard arises where one party to a contract exploits their
access to privileged information to produce outcomes that while
beneficial to them are not beneficial to their counterparty.
• A commonly cited example of this is employee ‘shirking’, whereby
an employee attempts to provide less work than the principle has
paid for.
• Similarly a firm’s executives may seek to acquire ‘managerial
perquisites’ at the expense of its owners.
• But these are not relevant to risk management. The key risk
management problem is different risk preferences.
• Note that agency theory is effectively a special case of Moral
Hazard. Agency theory is also referred to as the ‘principle agent
problem’. This relates to the difficulties that arise under conditions
of incomplete and asymmetric information when a principal hires
an agent that does not have the same goals as them.
• For a good discussion on agency theory see: K Eisenhardt (1989)
“Agency theory: An Assessment and Review”, Academy of
Management Review, 14 (1), 57-74
 • Identify a recent bank (or other financial institution) scandal
that was the result of a failure in governance or internal
Exercise control
• Why did this scandal occur?
• Could it have been prevented?
Recent Case Study
www.bloomberg.c
om/news/articles/
2022-07-
12/trading-
scandal-roils-a-31-
billion-indian-
mutual-fund-giant
 Developing Effective Frameworks
Corporate Governance Internal Control
• An effective board that makes • Clear, communicated and
decisions in the ‘company enforced policies and
interest’ and ensures that the
interests of the ‘owners’ (and procedures.
other stakeholders) are met. • Appropriate risk culture
• Sufficient independent • Regular review of controls
directors (non executives) who
are able to challenge
and their effectiveness.
decisions. Should include a • Risk and audit committees.
separate Chairperson. • 3 Lines of Defence(?).
• Comprehensive and accurate
reporting (disclosure), plus
dialogue (AGM, etc.).
• Effective internal control….
Three Lines of Defence
Risk
Oversight

Check out:
www.pwc.com/en_GX/gx/insurance/pd
f/three_lines_of_defence.pdf
Responsibilities

Also see: www.iia.org.uk/policy-and-research/position-

papers/the-three-lines-of-defence/
 Three Lines of Defence
Strengths? Weaknesses?
Three Lines Model

https://global.theiia.org/about/about-
internal-auditing/Pages/Three-Lines-
Model.aspx
12
Relationship with Risk Management?
• Risk management offers many tools to support
effective corporate governance, internal control
and compliance.
• Weak governance, internal control and
compliance may expose a financial institution to
many different types of risk (e.g. people risk,
market risk, regulatory risk, etc.).
• But don’t think that risk management is all about
governance and control. Remember that it is a
strategic tool.
Governance
Risk and
Compliance
https://www.oceg.org/abo
ut/what-is-grc/

https://www.g2.com/categ
ories/grc-platforms
Integrating Risk, Governance and
Internal Control

Board

Chief Risk Audit

Officer Committee

Risk Risk
Audit
Committees Framework
 • How might risk
Exercise management be
strengthened by a close
relationship with
governance and internal
control?
• How might risk
management be
weakened by these
relationships?
 Conclusions
• Good corporate governance and internal control
are seen by many as essential components of any
firm, especially financial institutions.
• History shows that poorly governed and controlled
financial institutions face many potential risks.
• But it is essential to get the balance right. Too
much governance and internal control can stifle
profitable risk taking and creative/entrepreneurial
thinking. Hence a balance must be achieved.
 Resources
A Bhimani (2009) “Risk management, corporate
governance and management accounting: emerging
interdependencies” Management Accounting Research,
Vol 20, No 1, p2-5
S Lundqvist (2015) “Why firms implement risk
governance : stepping beyond traditional risk
management to enterprise risk management” Journal of
Accounting and Public Policy, Vol 34, pp 441-446
www.law.ox.ac.uk/business-law-
blog/blog/2021/08/handbook-corporate-governance-
india
www.legalserviceindia.com/legal/article-7435-corporate-
governance-in-india.html
Session 4
Risk Models: Strengths
and Weaknesses
 Overview
• The purpose of quantitative risk
models
• A quick look at some popular
modelling approaches
• The limitations of models
• Common examples of mis-use
• Conclusions
 Control Identify
Exposure Risks

Assess
Monitor
Level of
Exposure
Exposure
3
The Purpose of Risk Models
5
6
 Exercise
• Discuss the benefits associated with using risk models in a financial
institution
• For which risks could models be used?

7
What can you Model?

8
The Essentials of Modelling in FS

Source:
http://www.fdic.gov/bank/analytical/fyi/2003/121003fyi.html
9
 Risk Quantification Tools

• Simple probability and impact estimation

• Mean-Variance type approaches (e.g. VaR)
• CAPM Beta
• Bankruptcy approaches
• More? http://people.stern.nyu.edu/ada
modar/pdfiles/valrisk/ch4.pdf

10
 Modeling Tools: Value at Risk
Value-at-Risk (VaR) is the probability that a given loss level (loss of value) could
be exceeded over a given time horizon at a specified level of confidence.

VAR was developed for

market risk, where data on
normal market activity is
plentiful, but data on
extreme events (e.g. 99.1-
100% confidence interval) is
rare. Market VAR is normally
measured at the 99%
confidence level over 1
trading day (internal risk), or
10 days (regulatory
reporting). VAR is now used
for Credit and Operational
Risks, though confidence Source: RiskMetrics
intervals vary. Technical Document, 1996

11
 VaR Example
• What do these mean:
– VaR of £10m at the 99% level
– VaR of £100m, at the 99.9% level
• VAR shows us the maximum probable loss,
can we estimate the maximum possible loss?

12
 Modelling Tools: Internal Ratings
• Commonly used to estimate the default
probabilities of debtors (e.g. mortgage
customers)
• A debtor’s probability of default is often
estimated using a credit scorecard. Scorecards
are used both at the point of application and
for the ongoing rating of ‘mature’ debtors
(behavioural)
• One famous example of a credit scorecard is
the Altman Z score (Altman 1968)
13
 Altman’s Z Score
Z=1.2C+1.4E+3.3EBIT+0.6ME+0.999S
A A A BL A
Where:
C = Working Capital
A = Total Assets
EBIT = Earnings Before Interest and Taxes
ME = Market Value of Equity
BL = Book Value of Liabilities
S = Sales

E Altman (1968) “Financial Ratios, Discriminant Analysis and the

Prediction of Corporate Bankruptcy” Journal of Finance, September,
pp589-609. 14
E Altman (1968) “Financial Ratios, Discriminant Analysis and the Prediction
15
of Corporate Bankruptcy” Journal of Finance, September, pp589-609.
 The Limitations of Models
• Models rely on assumptions (e.g. normal
distribution). Their ability to reflect the real world
is limited by the accuracy of these assumptions
• Models may be logical and rational, but what
about the people that use these models?
• Models can be complex and hard to understand
• Frequent reliance on historical data
• The availability of data, especially at the extreme
• Goodhart’s Law: C Goodhart (1974) “Public
Lecture at the Reserve Bank of Australia”
16
17
N Taleb (2007) The Black Swan, Random House, New York. Can we ever be sure
that what we observe is the truth?
18
19
 “Lies, damned lies, and statistics” - ?
“It is better to be vaguely right than exactly wrong.”
Carveth Read: Logic, deductive and inductive (1898)

20
 How Can Models Be Mis-used?
• Heavy reliance on historical data (link to Black
Swan Theory)
• Very short historical data periods
• Overly optimistic or simplistic assumptions
(e.g. asset liquidity or normal distribution)
• Ignoring risks that cannot be modelled easily
• Not updating model design often enough
• Applying them to an inappropriate
risk/context
21
 22
Source: http://www.ft.com/cms/s/0/d90bf12c-dc40-11d9-819f-00000e2511c8.html#axzz2DWfn9u1t
 “For reasons that are still unclear, shares began to move in ways that were the
opposite of those predicted by computer models. .. At the beginning of last
week, the GEO “What
fund we
washave
down to alook
fewatpercentage
more closely is the
points from the beginning
of the year. Byphenomenon
Friday it hadoflost
the more
crowdedthantrade
30 per cent of its value… “We
overwhelming
marketthat
were seeing things fundamentals,” he said.deviation
were 25-standard “It makesmoves,
you several days
in a row,” saidreassess
David how
Viniar,
bigGoldman’s
the extremechief
moves
financial
can be.”
officer. “There have
been issues in some of the other quantitative spaces. But nothing like what
we saw last week.”

23
Source: http://www.ft.com/cms/s/0/d2121cb6-49cb-11dc-9ffe-0000779fd2ac.html#axzz2DWfn9u1t
 Exercise: The London Whale
• How did the mis-use of risk models contribute
to the London Whale scandal?
www.bloombergview.com/quicktake/the-
london-whale
https://elischolar.library.yale.edu/cgi/viewconte
nt.cgi?article=1016&context=journal-of-
financial-crises

24
 Reflection
• Rank these risks in order of the ease at which
they can be modelled: operational risk, credit
risk and market risk
• Will this be the same for all banks?
• What are they key requirements for effective
risk modelling?
• What tools can be used to enhance risk
modelling?

25
What Banks Say About Risk Models
• Look in Annual Report and Pillar 3
• Confirm that they use risk models for your
chosen area of risk
• See which models they use (probably VaR)
• Check their ‘model validation’ approach and
any discussion on ‘model risk’
• How do they overcome any model
weaknesses? Look especially for tools like
scenario analysis and stress testing
26
 Example Information

Taking steps to enhance

models

Use of models and

disadvantages
27
Data quality

Scenario and
stress testing to
complement
VaR

28
 Pillar Three Document?

Using and monitoring

model risk

Information specific to risk

categories

29
 Conclusions
• Almost all financial institutions make use of
risk models
• This is to be expected as models are extremely
valuable tools
• However they are only one tool in the box

30
“If formal models of markets have
displaced human intelligence, one
reason might be that they appear more
scientific than they are.”

House of Lords Select Committee on

Economic Affairs (2009) Banking
Supervision and Regulation, 2nd Report
of Session 2008-09 (HL 101-I), The
Stationary Office Ltd, London.
31
 Recommended Resources
P Jorion (2009) “Risk Management Lessons from the Credit
Crisis”, European Financial Management, Vol 15, No 5, pp923-
933.
R Stultz (2009) “6 Ways Companies Mis-Manage Risk” Harvard
Business Review, March, pp86-94.

32
 Risk Management
Reporting
How to Understand the Risk Management Reports of Banks and other
Financial Institutions
Why do financial institutions produce
such large risk reports?
Would financial institutions do this voluntarily?
 Loss Gain

Asymmetric
Payoffs

3
A Nexus of Unequal Contracts
External
Regulators
Environment

Creditors

Internal
Environment
Employees

Owners/
Suppliers Organisation Shareholders

Directors
Rating
Agencies

General
Public

Customers

4
The Basel
III Accord
International Standards for the
Regulation and Supervision of
Financial Institutions

6
 The Three Pillars

Minimum Supervisory
Disclosure
Capital Review
Minimum capital Own risk
Annual Report
requirements assessment

Liquidity and Supplementary

Pillar 3 Report
Leverage Ratios capital
Tasks!
What is the CET 1
ratio for ING
Group?
Now Find the
Following:
• Leverage Ratio
• Net Stable Funding Ratio (NSFR)
• Liquidity Coverage Ratio (LCR)
Group Exercise

• Look for information on the risk

exposures of ING Group
• Look for both quantitative
(numbers) and qualitative
(words) information
• How risky is this financial
organisation?
• Deliver a short report (5 minutes
maximum)
Risk Appetite
How would
you describe
ING’s risk
appetite?
Managing Risk
Appetite
Exercise: Tools
to Assess and
Control Risk
How many tools can you
identify that ING uses to
assess and control risk?
Conclusion

• Based on the available evidence,

what is your opinion on:
• The adequacy of its risk
capital and leverage/funding
ratios?
• The appropriateness of
ING’s risk appetite and risk
profile?
• The effectiveness of its risk
management tools?
Session 7: Credit Risk
 • What is Credit Risk?
• Potential credit risk events
Overview • Advantages and disadvantages of credit risk models
• Managing credit risk
What is Credit Risk?
www.bis.org/publ/bcbs75.htm
Credit Risk Means Profit!
 Elements of Credit Risk Exposure
The probability (between 0 and
Probability of Default 1) that an obligor will default
(over a given time horizon).
The loss that a creditor incurs
Loss Given Default in the event that an obligor
defaults today.
The potential exposure of a
Exposure at Default creditor to default at some
point in the future.

These are often assessed using risk models

An Example of Exposure Reported
 Loss Given Default?
• Whether a loan is secured or not a financial
institution might not get back all that it is owed.
• Consider mortgages – for example a £100,000
loan on a house worth £105,000.
• Would you expect a financial institution to get
back 100% of the debt in a falling housing
market?
• So loss given default refers to how much you
expect to lose in the event of default.
CREDIT RISK MODELS: ADVANTAGES
AND DISADVANTAGES
Assessing Credit Risk Exposures
External Credit Rating Agencies
Personal Corporate

Internal Risk Rating System (Scorecards)

Personal Corporate

Credit Risk Modelling

Single name and overall portfolio

www.bankofengland.co.uk/-
/media/boe/files/ccbs/resources/modelling-credit-risk.pdf
 Credit Risk Scorecards
• Commonly used to estimate the default probabilities
of obligors and the loss given default
• An obligor’s probability of default is often estimated
using a credit scorecard. Scorecards are used both at
the point of application and for the ongoing rating of
‘mature’ obligors (these are called behavioural score
cards)

www.dnb.co.uk/content/dam/english/b
usiness-trends/business-credit-
scorecard-ebook-uk.pdf
 Exercise: Credit Scorecards
What are the advantages and limitations of using credit scorecards?
Credit Modelling
Evidence from Banks

This means the

bank is using
quantitative risk
models for credit
risk. Almost all
banks do.
Look for section on
Model Risk to find
information on the
limitations of a
bank’s credit risk
models and how it
manages these
Practical Limitations
Question: For how
long will a credit
model remain valid?
What is Stress
Testing?
 Managing Credit Risk

Treat Transfer

Strategies

Tolerate
Terminate
(Finance)
Treating Credit Risk
How?
CreditC Risk Transfer
r
e
d
i
t
Securitisation
Exercise: What are the risks associated
with the securitisation of credit risk?

Consider both counterparties

https://corporatefinanceinstitute.com/resources/knowledge/finance/credi
t-default-swap-cds/
Financing Credit Risk
Factors to Consider Assessing Capital
• Good CET 1 buffer over regulatory minimum
(a key factor)
• Risk exposure changing?
• Effectiveness of risk models
• Strategic objectives (looking to grow loans in
certain markets? Then may need more capital)
Information on Credit Risk Capital
Strengthening or Weakening?
 Conclusion
• All financial institutions are exposed to credit
risk, for many it is their largest risk
• Taking credit risk can be a very profitable
strategy, providing it is managed properly
• However it is all to easy to get things wrong!
• Taking too much credit risk can cause
insolvency and bankruptcy – as illustrated by
the global financial crisis
 Resources
• E Altman & A Saunders, (1997) “Credit Risk
Measurement: Developments Over the Last 20
Years” Journal of Banking & Finance, Vol. 21,
No. 11, pp1721-1742
• Basel (2000) “Principles for the Management
of Credit Risk”, Bank for International
Settlements, Basel, Switzerland.
(http://www.bis.org/publ/bcbs75.htm)
Session 8: Market and Liquidity Risk
 Contents

• What is Market Risk?

• Potential market risk
events
• Managing Market risk
• Market risk capital
• Managing liquidity risk
Race
 Equity Price General
Risk Market Risk
Trading Risk
Interest Rate
Specific Risk
Risk
Market Risk Gap Risk
Foreign
Exchange Risk

Commodity
Price Risk
Counterparty
Transaction Risk
Financial Risks Risk

Credit Risk
Issue Risk
Portfolio
concentration
Issuer Risk

Funding Risk
Liquidity Risk
Asset Risk
 Current Sources of Risk

What are current sources of Think global and local

market and liquidity risk
DISCUSSION
QUESTION
Which types of financial
institution choose to take
relatively high levels of
market risk?
Managing Market Risk

Control Assess
Assessing Market Risk
What are the main
options?
 Value at Risk

For market risk VaR is

normally measured at
the 99% confidence
level of 1 trading days
(internal risk), or 10
days (regulatory
reporting).
 Value at Risk Example
If a fixed portfolio of stocks has a one-day 5% VaR of £10
million, there is a 0.05 probability that the portfolio will fall
in value by more than £10 million over a one-day period.
This means that a loss of £10 million or more on this
portfolio is expected on 1 day out of 20 days (because of the
5% probability).

Remember that in this example VAR says nothing about how

large a loss might be which exceeds the one day 5% VaR of
£10 million.
 VaR Estimation Techniques
• Parametric method
• Historical simulation
• Monte Carlo Simulation

Exercise: Identify the strengths and weaknesses

of each method

www.cfainstitute.org/en/membership/professi
onal-development/refresher-
readings/measuring-managing-market-risk
Banks Talking About VaR
Another Bank
 www.bankofengland.co.uk/stress-testing
https://rbidocs.rbi.org.in/rdocs/content/pdfs/FC021212ST_1.pdf
Source:
http://www.actuaries.org/CTTEES_SOLV/Documents/StressTestingPaper.pdf
 Comparing Scenario and Stress
Stress Testing
• Usually involves adjusting
one parameter at a time
• Idea is to see how
gains/losses might change
‘in extremis’
• Example Stress Tests:
Oil +/-5%, Interest Rates +/-
100 bps, Equities +/-10%, etc.
Scenario Analysis
• Usually involves looking at
multiple parameters
• May be less extreme
• May be linked to a specific
event (e.g. a new
government or pandemic)
• May involve an element of
judgement
Another Bank
 Reverse Stress Testing

What could cause

this failure?

Estimate Consider
Begin with Determine
magnitude of potential
failure mitigations
impact scenarios

What would it take What can we do

for our organisation about this?
to fail?
 Common Reverse Stress Severe
Impacts
• Solvency threatening loss of asset value
• The organisation runs out of cash, or
otherwise experiences cashflow issues which
mean that it cannot settle its liabilities as they
fall due
• A sole or principal source of funding is lost

www.icaew.com/technical/audit-and-
assurance/professional-scepticism/stress-testing
 Controlling Market Risk
Group Exercise: Identify as many market risk
control strategies as possible
Remember that the goal is to take market risk to
generate a positive return
But what is the right level of risk and how can a
bank maintain this?
 Trading Risk: The 3 Offices

Front Middle Back

• Spot • Risk analysis • Clearing and

opportunities • Compliance settlement
• Make trades and control • Accounts, HR,
IT, etc.

www.allaboutfinancecareers.co.uk/industry/in
vestment-banking/front-office-middle-office-
and-back-office-explained
Interest Rate Gap Management
https://corporatefinanceinstitute.com/resourc
es/knowledge/finance/negative-gap/
Futures, Swaps and
Options?
 Market Risk Capital: What is
the Optimum Amount?
• Regulatory requirements
• Market risk profile relative to risk appetite
• Effectiveness of market risk models
• Effectiveness of other market risk management tools
• More??
Evidence from Barclays

CET1 Ratio has

increased, but
Market Risk
RWAs have
fallen – a good
combination!
 HSBC

Coping well
with stress
Liquidity Risk
Banks borrow short And lend long
www.businesstoday.in/industry/banks/story/6-reasons-why-
yes-bank-collapsed-251442-2020-03-05
 Funding Gap
Duration 0-3 Months 3-6 Months
Asset (Loan 6m) 300 300
Liability (Deposit 3m) 300 0
Liquidity Gap 0 -300

What will
this cost?
How do
banks fund
this gap?
 Group Exercise

What sources of funds can financial institutions Consider the availability, reliability and speed of
use to help manage a liquidity gap? funding
 Conclusion

Market and liquidity risks must be taken to Beware over-reliance on mathematical models
generate returns. But take too much and solvency and be prepared for the unexpected!
is threatened
 Resources
P Jorion (2009) “Risk Management Lessons from the
Credit Crisis” European Financial Management, Vol 15,
No. 5, pp923–933 (good on limitations of VaR models)

Basel rules:
www.bis.org/bcbs/publ/d352.htm (capital
requirements)
www.bis.org/bcbs/publ/d521.htm (Covid and
market/liquidity risk)
Session 9: Operational Risk
 Contents

• What is
operational risk?
• Types of
operational risk
• Anticipation
• Resilience
• Risk culture
 Standard Definition
“Operational risk is defined as the risk of loss resulting
from inadequate or failed internal processes, people
and systems or from external events. This definition
includes legal risk, but excludes strategic and
reputational risk.”
See Basel (2006) “International Convergence of Capital
Measurement and Capital Standards: A Revised
Framework” Bank for International Settlements,
Paragraph 644.

What are the problems with this

definition?
 Alternative Definition
Operational Risk
The effect of unpredictable outcomes on
the efficiency and effectiveness of
operations
Op Risk Management
The management of unpredictable
outcomes on the efficiency and
effectiveness of operations
 The Basel Op Risk Event Types
Level 1
Internal Fraud
External Fraud
Employment Practices and Workplace Safety
Clients Products and Business Practices
Damage to Physical Assets
Business Disruption and System Failure
Execution Delivery and Process Management
Exercise: How could these events impact on efficiency and
effectiveness?
Level 2
Unauthorised activity; Theft and fraud
Theft and Fraud; Systems Security
Employee Relations; Safe Environment;
Diversity and Discrimination
Suitability, Disclosure and Fiduciary;
Improper Business or Market Practices;
Etc.
Disasters and Other Events
Systems
Transaction Capture, Execution and
Maintenance, Monitoring and Reporting,
Etc.
 Source: Basel (2009) Results from the 2008 Loss Data Collection
Exercise for Operational Risk, Basel Committee on Banking
Supervision, Switzerland.

For more up to date data see: www.orx.org/pages/ORXData.aspx. This reports

85,585 op risk events for banks in 2021 costing €20.3bn.
 https://edition.cnn.com/2021/02/16/business/citibank-revlon-lawsuit-ruling/index.html

• “Operational error”: incorrect inputs to payment software

• Paid the entire principle and outstanding interest on Revlon
Case example: loan to lenders
• Paid $900m, should have paid $8m
Citi Group • $500m remains outstanding, NY courts have ruled the money
does not have to be repaid (as no deception involved).
• Loss hit 4th quarter earnings by $323m
• Plus, lots of negative press
Managing Operational Risk
Environment External and Internal

Drivers Business Strategy and Objectives

Framework
Risk Governance
Infrastructure Culture
Appetite/Tolerance
/ Risk Categorisation

Loss Events Loss Events

Toolkit RCA KRI Scenarios
Internal External

Processes Identification – Assessment – Monitoring - Reporting

Enablers Documentation People Technology

Can All Operational Risks be Predicted?
 Two Strategies

Anticipation Resilience

• Focus is on predicting • Focus is on generating

and preventing events systems, process or
• Risk management human resilience
strategy is often • Act to mitigate or
tailored to specific exploit events as they
events emerge
• Relies on risks being • Works well in a world
identified and assessed of high uncertainty
 QUANTITATIVE QUALITATIVE
What are the strengths and weaknesses of the
above assessment approaches in relation to
the management of operational risks?
Quantitative Modelling
 Scenario Analysis?

Exercise: Use the above bow-tie template to complete the analysis of a scenario of
your choice. Choose one of the Basel level 1 event types as the starting point for
your work.
 People Resources

Processes
Human

Causes Event Outcomes

Systems

External Reputation
Events
 Recommended Data Fields
Essential Fields Description
Scenario Describe the scenario (e.g. a fire, etc.)
Causes These may be failures in people, processes and
systems and or external events
Outcomes Financial, reputational and human effects
Management What actions could management take to mitigate the
actions effects of the scenario
Net Effects Consider base case, best case and worst case (note
that duration will be a factor here)
Prevention Actions to prevent the scenario from occurring
Opportunities Can management exploit the scenario?
Qualitative OR Management
Assessing Risk Culture

Source:
www.ey.com/Public
ation/vwLUAssets/Ri
sk_culture_-
_How_can_you_cre
ate_a_sound_risk_c
ulture/$FILE/EY-risk-
culture-model-
brochure.pdf
Risk Culture?
 Case Study
www.thebalance.com/lehman-brothers-collapse-causes-impact-4842338

• What could Lehman’s have done to enhance

its culture and prevent failure?
What Banks Say

From Pillar 2
Risk Culture
Challenge: Describe the Orange Code
Managing Resilience
 The World
is Changing
 Exercise

Using the PESTLE factors identify How easy is it to anticipate the causes
potential sources of new operational and effects of these risks?
risks
Can You Name this
Volcano?
What Distinguishes a
Transboundary
Crisis?
 Common Features of
Transboundary Crises

• Crosses domains
• Rapid escalation
• High uncertainty
• No easy solutions
 Three Phases of Resilience

Plan Adapt Learn

www.apra.gov.au/covid-19-a-real-world-
test-of-operational-resilience
Remember Formal and Informal
Formal

Preparedness Responsiveness
(e.g. scenarios, (communication,
and risk competency and
appetite) coordination)

During/After
Before

Develop Leadership
Situation
Awareness (Risk) Culture

Informal
Think the Unthinkable
 Reverse Stress Testing

What could cause

this failure?

Estimate Consider
Begin with Determine
magnitude of potential
failure mitigations
impact scenarios

What would it take What can we do

for our organisation about this?
to fail?
 Common Reverse Stress Severe
Impacts
• The organisation runs out of cash, or otherwise
experiences cashflow issues which mean that it
cannot settle its liabilities as they fall due
• Operating cash outflows exceed cash inflows
• There is a demand for immediate repayment of a
loan or loans
• Loan covenants are breached, and the lender
does not waive these covenants
• A sole or principal source of funding is lost
www.icaew.com/technical/audit-and-
assurance/professional-scepticism/stress-testing
 Improve Responsiveness

https://www.hse.gov.uk/construction/lwit/ass
ets/downloads/situational-awareness.pdf
Case Example

Discussion
What were the critical success
factors that helped HEB to adapt
to the COVID-19 pandemic?

www.texasmonthly.com/food/heb
-prepared-coronavirus-pandemic/
 • Operational risk is:
– Diverse
Conclusions – Dynamic
– Dangerous
• But effective management is essential!
 Recommended Resources
• Kaplan, R.S. and Mikes, A. (2016) “Risk
Management – The Revealing Hand” Journal
of Applied Corporate Finance, Vol. 28, No. 1,
pp.8-18
• Institute of Operational Risk: www.ior-
institute.org/
• Information on scenario planning:
www.planning.org/knowledgebase/scenariopl
anning/
© Vlerick Business School
 Case Study: Embedding Operational Risk Management

Read the case below and look for information on the tools that this bank uses to manage risk. Then
look for information on the risk culture of the organisation and the relationship that the risk
management team has with the wider business.

Once you have done this reflect on the questions below. We will discuss your thoughts during the
first day of the training course:

1. Reflect on the potential benefits and costs associated with this bank’s operational risk
management framework.
2. How did the culture of the organisation influence attitudes towards the new risk
management framework?
3. What could the risk function do to improve acceptance of the new risk management
framework?

Sector and A medium sized retail bank, operating in the UK.

Size
Economic The organisation is going through a period of significant growth, both in terms of
Context its customer base and the development of new products. This growth is
profitable but creates resourcing challenges and puts pressure on existing
management systems and associated processes and controls. These pressures
were described as “growing pains”.

To help manage these pains the organisation recently implemented a brand new
ERM framework and accompanying IT system.
The The ‘tone from the top’ emphasises informal and relaxed human relations with
Organisation’s an emphasis on being yourself, following the ‘bring yourself to work’ philosophy
Culture and evidenced by the fact that people wear casual clothes.

Senior management rely on verbal rather than written communication and

informal ‘huddles’: “…that’s the culture in here. There’s less written updates or
documents. It’s not the way our chief exec works, it’s the way the organisation
works and we’re trying to move more and more to our agile approach as well.
So, less people, less documentation, more doing. More face-to-face comms
messages”.

Most of the staff are in a single building. This helps to reinforce personal
relationships/communication and build trust. The strong personal relationships
and high levels of trust mean that decisions can be taken quickly. The new risk
approach, for example was designed and implemented in less than a year. But
might decisions be made too quickly?

The period of significant growth that the organisation is enjoying has influenced
its culture. Growth has helped to create an optimistic team spirit that reinforces
the feeling of trust between staff. In addition, staff are generally very customer
focused and want to do what is best for the customer and the wider
organisation: “I had ten years of a shrinking culture, where redundancies is all I
did. Spent all my time making people redundant and I found it at the start there
was a lot of fear in that… And what I found was when you were dealing with
people they tended to be very politically minded so there were, their reactions
or the decisions were based on, how can I protect myself and get what I want
 out of this? ….Whereas I come in here and it’s completely different. It’s a
growth business, is the first thing and people genuinely want to do the right
thing for the customer and the right thing for the bank. You know I had to do a
double take in the first month in some of these meetings. I’d come away
thinking, really? I don’t have to fight and argue and shout and bang the desk. No,
no, because that’s the best for the customer and everyone recognises it. It’s
quite remarkable, almost like a family, family business type of feel about it”.

Risk Culture High levels of trust mean that staff members tend to accept the word of others
and are reluctant to challenge. However, as the organisation grows its
management systems and associated operational processes and controls are
being put under pressure. There has been much change to accommodate this
pressure on processes and controls, this includes a new risk framework and
system.

The Board, CRO and risk function are working to improve the effectiveness of
the organisation’s risk controls both to prevent significant risks and to improve
the efficiency of operational processes. As part of this the risk function is
becoming more challenging, an approach that is encountering resistance from
staff, especially at more junior levels of management, who are not used to
challenge. There is a new emphasis on control testing and documentary
evidence, which some are uncomfortable with, as it is seen as doubting the word
of others. The tensions between maintaining trust and effective risk governance
were explained as follows: “I don’t have to fight and argue and shout and bang
the desk. No, no, because that’s the best for the customer and everyone
recognises it. It’s quite remarkable, almost like a family, family business type of
feel about it. Now there’s a downside to that as well because we are a bank and
we’re regulated and we have got to do things right. So you’ve got to have
governance in place and it’s got to be strict etc., etc. So you’ve got to balance
the two…”

Building on the above there is evidence of a non-accountability culture, where

managers are reluctant to take responsibility for certain risks or areas of control.
One factor that has influenced this is the extensive use of outsource service
providers (these providers are incorrectly assumed to have responsibility). Use
of 1st line risk specialists may also be a factor (see risk governance below),
business managers assume that it is the role of 1st line risk specialists to manage
risk. In addition, the resource pressures mentioned above mean that managers
do not want to admit or take responsibility for risk and control problems
because this can mean more work. “I have seen the behaviours in the first line
that people don’t like to be open when things aren’t working well. People don’t
the colour red, they don’t like having events. And they don’t like raising events
because A, it acknowledges that something’s gone wrong and B, it means
they’ve got admin work to do. So, there’s a real culture of people trying to avoid
managing risk or identifying risk”.

There is evidence of risk sub-cultures and a diversity of risk management

practice and communication effectiveness across the organisation. Some
divisions and functions have welcomed the new risk framework and system
(accepting that the benefits are worth the costs), others are more resistant
(believing that the costs outweigh the benefits). The personalities, skills,
 experience and professional background of managers in some areas are a factor:
“So, if you look at the finance culture versus somewhere like customer, pick the
marketing team as an example. You’ve got completely different blend of
individuals with a completely different blend of backgrounds”. The differing
level of resourcing pressures felt by divisions and functions, as the organisation
grows, may also be a factor in explaining their reactions to the new framework
and system.

Risk The organisation has 1st line risk specialists and a 2nd line risk function. 1st line
Governance specialists work to support business management in making risk and control
decisions and in conducting risk and control assessments. The 2nd line function
provides oversight and challenge. The 2nd line must sign off the new process
assessments and control testing for accuracy and completeness. These two lines,
along with internal audit in the 3rd line form a three lines of defence approach to
risk governance.

The organisation’s resource constraints mean that responsibilities across the

three lines can be blurred. The 2nd line have had to support the 1st line risk
specialists and business managers in using the new risk framework and system.
This has involved them helping the 1st line in the completion of risk and control
assessments: “I just want people to think we’re not against each other we’re all
in the same company” (Head of Risk). Who went onto say:

“I don’t think we’re traditionally doing oversight as you would describe it just
now. So, oversight to me would be if I think about our business in a mature
state, really understand what they do, how they do it and where the risks are
and the control system that they operate within”.

The risk governance framework is supported by several risk committees. This

includes a board risk committee, sub-committees looking at specific areas of risk
(operational, credit, etc.), and divisional risk committees. Meeting frequency
varies according to need and may be quarterly, every 2 months or monthly.
Beneath these a variety of thematic forums exist looking at specific issues (e.g.,
data protection) or to facilitate coordination between groups of individuals (e.g.,
1st line risk specialists). There are concerns that the complex committee
structure can slow down communication, meaning that it can take 6-8 weeks to
move risk and control information up or down the hierarchy of committees due
to the timing differences of the meetings.

This risk governance framework is due to be supported by a new risk

management bonus scheme, that uses a range of metrics to assess risk
management performance. However, this scheme is light touch and will not
affect the level of bonus significantly. The hope is that the scheme will raise
awareness of risk and staff responsibilities for risk and control management.

Risk A new risk framework and accompanying IT system were implemented in 2018:
Management
Framework 1. The new framework relies on business managers mapping their own
organisational processes and identifying the points of failure (risks) within
these processes. The aim is to align the approach with what managers do –
 business managers across the organisation are used to managing
operational processes.
2. Control assessments must be supported by rigorous control testing and
documentation of controls. The aim is to have more effective controls,
especially more preventive (probability reducing) controls with less reliance
on detective controls (which have no impact on probability).
3. Only key risks are required to be identified and documented and only key
controls must be tested and documented. Key risks are those that can have a
significant effect on the whole organisation, key controls are those most
relied upon to ensure the efficient operation of processes. Aim is to focus
attention on what matters most to save resource and improve the
effectiveness of risk management.
4. The new framework/system is designed to be automated as much as
possible (e.g. automated controls testing). But to achieve this high level of
automation significant upfront investment was required to ensure that
processes are mapped accurately, and control tests are robust.

Key The implementation of the new risk management framework signals a step
Embedding change in the formality of the organisation’s risk management activities. The
Challenges goal is to create a risk management approach that is significantly automated
(e.g., the automatic testing of controls). This will help to save staff time and
allow them to concentrate on growing the business while maintaining efficient
and safe processes. This automation goal and the other benefits of the new
approach and system were communicated by the CRO pre-launch. Some
divisions have bought into these benefits, others are less convinced (see risk
culture above).

One concern expressed about the new framework is the increased level of
formality (e.g., detailed process mapping and controls testing), which is not
consistent with the organisations informal/high-trust culture and risk culture.
Other concerns include 1st line resource constraints and related change fatigue.
The implementation of the new risk framework is requiring significant levels of
resource. This includes time spent on training, learning how to use the new tools
and system, mapping processes, documenting key risks and controls and testing
key controls:

“There’s some who really throw themselves into it and will probably have much
better input, and there’s others who just, they got so many other things on. It’s
the prioritisation piece, and again we were just talking about that in terms of
audit committee in terms of these things. How do people prioritise? What is the
biggest pull? And if it’s something that doesn’t float your boat and you don’t see
the benefit of it, which a lot of first lines, who are not risk professionals, struggle
with sometimes.”

“And I still think there’s a challenge as to what it’s going to deliver. It’s better. I
think it’s going to be better, but it is taking a very long time…. I think the time
taken, with everything else at the bank’s got going on, is the big challenge.”

To help improve buy-in for the new risk assessment approach, system and
handbook there was extensive and multi-faceted consultation and
communication during the design and launch phases. Including: a competition to
 name the new IT system; system demonstrations; face-to-face training;
webinars; drop-in support sessions and poster campaigns. This all helped to
reinforce the benefits of the new risk framework and system to business
managers. It also helped to train staff on how to use the new mix and system in
an effective manner. A very significant proportion of 2nd line risk function
resource has been devoted to these promotional activities.

The Role of The CRO is an influential figure in the organisation. They have driven the new
the CRO and process risk and control assessment approach to risk management. Business
Risk Function managers are expected to meet with the CRO for “challenge sessions”. These
sessions focus on the evidence that they must prove the effectiveness of their
key controls. These challenge sessions help to motivate business managers to
complete their risk and control assessments, they also reinforce the tone from
the top regarding the importance of risk management and control testing.

The 2nd line risk function has regular contact with the 1st line risk specialists,
business management and 3rd line internal audit. This contact occurs in formal
meetings (e.g., committees) and on a one-to-one or small group basis. Relations
are generally good and there is “open and honest debate” plus cross line
working helps to create synergies between the different skill sets and
responsibilities: “I think sometimes, it’s a genuine discovery on both sides, so the
risk team don’t necessarily know what they’re trying to ask, but we’ll apply our
[business line] expertise and come up with what we think the right answer is”.

One negative is that the 2nd line risk and 3rd line audit functions are located on
separate levels from the first line in the building. This hinders informal
relationship building: “Nobody comes to second line, even the first-line risk and
control teams. Nobody comes up there and it’s like being summoned to the
head teacher’s area or something. So, there is a bit of a them and us culture that
then has materialised again with audit who sit on the third floor, way away from
everybody else which again could be a good thing but…”