OpRisk North America

Spring 2012 conference

Operational Risk in Commodity Trading

Robert Serena
March 2012
 About the author

Robert Serena, FSA, CFA, FRM, CPCU, CRISC

Bob has over 30 years of financial services functional experience across insurance, reinsurance, commodity trading,
and commercial banking - numerous technical and leadership roles in the First Line-of-Defense (Actuarial,
Investment Management, and Capital Markets & Trading) and Second Line-of-Defense (Risk Management and
Compliance).

Bob is a native of Connecticut, and currently resides in Charlotte, North Carolina with his wife and two children.

2
 Operational risk in a trading business

❑ Definition
❑ Process

❑ People
❑ Systems
❑ External Events

Arrange & Generate or Exposure & Process Manage accts. &

Schedule Price Deal Process Invoice Report Results
Confirm Deal confirm contract Profit and Loss Receipt/payment cash flow

3
 How is operational risk defined in a trading business?

❑ The risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events that have a direct impact on front-to-back
transaction administration.
❑ It represents the risk profile of the front to back business processes from origination
to execution and delivery.

4
 Operational risk - Processes and people

Risks associated with processes Risks associated with people

❑ Inadequate procedure ❑ Training/competence/

knowledge
❑ Inadequate standard/control
process ❑ Inappropriate or fraudulent
behavior
❑ Erroneous reporting
❑ Insufficient resources to
❑ Process change/ manage workflow
implementation requirements

55
 Operational risk - Systems and external events

Risks associated with systems Risks associated with external events

❑ System degradation/capability ❑ Third-party relationships

❑ Interface issues ❑ Regulatory/political

❑ Inadequate support ❑ Exchange failure

❑ System access ❑ Malicious damage

❑ Project delivery ❑ Disaster recovery

6
 Operational risk failures
Examples from the past 25 years

Year Financial Scandals Loss

2008 Madoff Investment Securities $18B loss to investors due to a Ponzi scheme

2007-8 The Credit Crunch Mispricing of the risk involved with subprime mortgages led to a lack of
credit supply felt worldwide

2007 Societe Generale $7.2B loss due a trader creating fraudulent trading positions through
unauthorized trades

2002 Allied Irish Banks $750M loss on foreign exchange trading operations

2001 Enron and Arthur Anderson Accounting fraud led to the fall of both companies

1998 Long-Term Capital Management $4B loss after debt default by Russia

1996 Sumitomo Corp $2.6B loss on unauthorized copper trades

1995 Daiwa Bank $1.1B loss from unauthorized trades

1995 Barings Bank $1.4B loss due to a rogue trader caused its collapse

7
 Why we manage operational risk?

Regulatory expectations
Industry events
• Basel II
• Accounting frauds
• Local regulatory
• AIB developments
• Barings • Dodd-Frank Act
• Soc Gen

Operational risk

Changes Market expectations

• Technology
• Rating agencies
• New product offerings (e.g., S&P, Moody’s)
• Industry consolidation
• Counterparts/
• New/ emerging markets
institutional clients
• Outsourcing

8
 Tools used to manage operational risk

❑ Scenario Analysis
❑ Operational incident management
❑ New activity integration
❑ Enterprise risk management framework
❑ Key risk indicators

❑ Process reviews

9
 Tools to manage Operational Risk

Identify Assess Respond Control

Forward-Looking
Enterprise Level Controls
Scenario
Analysis • Policies and procedures
Forward-Looking
• Risk committees
Process Reviews • Impact x likelihood • New activity integration/post
• Evaluating ability to implementation reviews
control risks Accept • Incident escalation and action item
Key Risk Indicators • Trend analysis audits
• Identifying new • Mandatory training Requirements
business risks • Delegation of authority
Mitigate • Segregation of duties
New Activity Integration

Process Level Controls

Backward-Looking Backward-Looking
• Desk procedures and process
Operational Incident • Financial Exposure documentation
Management • Trend Analysis • Reconciliations
• Root Cause analysis • KRI and KPI metrics

10
 Operational incident management

Operational losses resulting from inadequate or failed internal processes, systems, human error, or from external
events:

❑ Direct or indirect losses/gains

❑ Potential gains/losses
❑ Misstatements of income or cash flow
❑ Actual or potential breaches of legal or regulatory requirements
❑ Significant redirecting of resources or exposure to reputational issues

Examples
❑ Front, middle or back office systems, processes or controls
❑ Trading/credit exposures, positions or risk limits
❑ Compliance with applicable legal and regulatory requirements

Objectives of reporting incidents

❑ Identify and take action to address root causes
❑ Share the lessons learned
❑ Minimize re-occurrence
❑ Sustainable continuous improvement

11
 New activity integration (NAI) process

Rigorous due diligence and review process that is applied to all new commercial opportunities to ensure that
the best commercial opportunities are selected.

Examples of new commercial activities The NAI process determines:

that fall under the NAI framework:
❑ Operational impact
❑ Commodities
❑ Economics
❑ Instruments
❑ Risk
❑ Geography
❑ Compliance with relevant
❑ Exchange regulatory, legal and tax requirements

❑ Activity set/process or system

requirements

A structured NAI process allows for human and economic resources to be allocated to the opportunities that
deliver the highest value.

12
 NAI process (continued)

❑ All functional groups are required to opine and assign a risk rating on the specific incremental risks to
their area arising from the new activity.

❑ Risk rating values:

❑  - No material issues or risks incremental to core business
❑  - Material issues or risks, which can be mitigated or resolved
❑  - Material issues or risks, with no mitigation or resolution identified
❑  - Recommendation to not proceed, based on area of functional expertise (e.g., high probability, high
impact, no control by project team, risks are unacceptable, alternative approach is necessary)

❑ This rating system enables the commercial sponsor and the decision maker to focus on highest risk items.

13
 New activity integration process
Sample risk radar

Accounting
& Reporting

Treasury Compliance

Trade
Credit Risk
Completion

Tax &
Indirect Tax GIAAP

Regulatory HSSE

Product
Control Internal Control

Operations IT&S

Operational
Risk Legal

M arket Risk

14
 Enterprise risk management (ERM)

❑ Includes the methods and processes used by organizations to manage risks and seize opportunities related to
the achievement of their objectives.

❑ ERM provides a framework for risk management, which typically involves identifying particular events or
circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of
likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

❑ By identifying and proactively addressing risks and opportunities, business enterprises protect and create value
for their stakeholders, including owners, employees, customers, regulators, and society overall.

How does it work?

❑ Identification: Strategic, operational and financial risks that can potentially impact profitability and the firm’s
reputation.

❑ Assessment: A look at the likelihood that a risk could happen and the impact of that risk, should it happen.

❑ Response: Develop an appropriate risk response which includes: (1) Risk acceptance or (2) Risk mitigation.

❑ Monitoring and control: Risk Managers, in partnership with Risk Owners, work to monitor the firm’s enterprise
risks on an ongoing basis, and further embed the management/monitoring of these risks into each impacted
business unit and the relevant governance meetings and committees.
15
 Key Risk Indicators

❑ Reportable metrics (e.g., late/amended/cancelled deal entry data, trends)

❑ Risk indicators, not performance indicators

❑ Forward-looking but not predictive

❑ Thresholds need to be established

❑ Support qualitative risk assessments and align to areas of risk (related to processes, people, systems)

❑ Highlight areas of growing concern to management

❑ One KRI alone may not trigger a concern, but a combination of KRI signals may (e.g., new activity growth coupled
with high staff turnover in key areas could be a sign of workload pressure due to resource constraints)

16
 Process Reviews – Strategic and Tactical

Periodic, risk-based reviews of critical business activities with the objective of decomposing a given activity into its
constituent operational risk elements (people, processes, systems and external events).

❑ Once this activity decomposition is completed, the inventory of controls deployed to manage the operational risk
elements is compiled.

❑ The relative effectiveness of each control is assessed, and an overall gap profile is developed.

❑ Alternatives to closing each gap with business impact profiles are reviewed, and the alternative which reduces the
residual operational risk exposure below the acceptable threshold is implemented.

17
 Enterprise risks confronting the industry

❑ Strategic

❑ Operational

❑ Regulatory

❑ Insurable

❑ Financial (market and credit)

❑ Environmental

18
 Strategic risk

The risk associated with future business plans and strategies, including plans for entering new business lines,
expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.

Examples
❑ E&P firms are confronted with increased operating costs and higher operational risk profiles to extract
reserves due to the relative inaccessibility of marginal supply (e.g., Canadian Oil Sands, Deepwater, Arctic).

❑ All energy firms are confronted with potential lower margins due to increasing trends in operating costs (e.g.,
technology, taxes, labor).

❑ Any firm that is an end-user of commodity products is confronted with increased feedstock costs when supply
shocks occur due to political and civil unrest in resource-rich countries (e.g., Middle East), or disruptions
caused by terrorist attacks on transportation infrastructure, etc.

❑ Electric utilities are confronted with the potential loss of revenue from industrial and retail customers due to
technological advancements allowing the deployment of more cost effective distributed generation (e.g.,
small industrial firm installs an onsite natural gas generator).

19
 Operational risk

The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external
events.

Examples

1. Energy firms are confronted with:

❑ A decreased range of investment opportunities and ability to compete in the market for profitable projects
due to declines in the number of students majoring in engineering, mathematics, and the hard sciences.
Also, the imminent retirement of experienced engineers and other professionals over the next 5-10 years
without suitably trained replacements.

❑ Potential legal fines and data management/data remediation costs resulting from increased frequency of
security breaches and cyber threats.

❑ Potentially increased disability and workers compensation claims due to improperly designed workstations
and inadequate control-of-work procedures.

2. Pipelines companies, electric utilities, and nuclear plant owners are confronted with increased maintenance
costs and increased likelihood of catastrophic failure due to the aging of the energy infrastructure in the U.S.

20
 Regulatory risk

The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change
in laws or regulations made by the government or a regulatory body can increase the costs of operating a business,
reduce the attractiveness of investment and/or change the competitive landscape.

Examples

❑ All firms in the energy supply chain are confronted with a reduced commercial opportunity set due to
uncertainty in the direction of U.S. energy policy.

❑ Exploration and Production firms are confronted with increased operating costs and potential legal fines due to
more stringent regulation imposed on natural gas fracturing activities.

❑ Trading firms are confronted with increased technology and labor costs to assure compliance with Dodd-Frank
and related regulation that impact trading firms.

21
 Insurable risk

A risk that meets the ideal criteria for efficient insurance. The concept underlies nearly all insurance decisions. To be
insurable, several things must be true:

❑ The insurer must be able to charge a premium high enough to cover not only claims expenses, but also to cover the
insurer's expenses. In other words, the risk cannot be catastrophic, or so large that no insurer could hope to pay for the
loss.

❑ The nature of the loss must be definite and financially measurable. That is, there should not be room for argument as to
whether or not payment is due, nor as to what amount the payment should be.

❑ The loss should be random in nature, else the insured may engage in adverse selection (anti-selection).

Examples

❑ An electric utility suffers a loss of revenue due to a flood knocking out several generators at a power plant (business
interruption).

❑ A manufacturer of electric turbines has to pay product liability claims when several of its turbines fail to operate within
specified parameters due to metal fatigue.

❑ A refiner suffers property damage and loss of revenue when a hurricane knocks one of its plants out of commission for
several weeks.

22
 Financial risk: Market

The risk that the value of a portfolio, either an investment portfolio or a trading portfolio,
will decrease due to the change in value of the market risk factors. The four standard market risk factors are stock
prices, interest rates, foreign exchange rates, and commodity prices.

Examples

❑ Refiners are confronted with increased feedstock costs and less cash flow certainty due to increased price
levels and volatility in crude oil supplies.

❑ Retailers are confronted with increased delivered prices of consumer goods due to the increased price of
gasoline and other refined products that are used as transportation fuels.

❑ Any energy firm that makes use of floating-rate debt financing is confronted with increased interest service
costs and less cash flow certainty in an increasing interest environment.

23
 Financial risk: Credit

The risk of loss when a counterparty fails to meet a payment obligation, or the risk associated with any single
exposure or group of exposures with the potential to produce large enough losses to threaten the firm’s
operations, or the risk of loss arising when a sovereign state freezes foreign currency payments
(transfer/conversion risk), or when it defaults on its obligations (sovereign risk).

Examples

❑ A trading firm suffers the loss of outstanding A/R amounts and unrealized forward MTM when a counterparty
defaults.

❑ A pension plan suffers a loss on capital invested in bonds issued by a solar panel manufacturer when that firm
becomes insolvent.

❑ An airline suffers a loss of unrealized forward MTM when an OTC counterparty with whom it had financial
hedges against increasing jet fuel prices defaults.

24
 Environmental risk

A variety of risks resulting from an organization’s activities, including release of toxic materials and other waste
products into the environment, resource depletion, and adverse impact on the climate.

Examples

❑ Electric utilities are confronted with lower expected returns and higher CAPEX costs due to caps on Greenhouse
Gas emissions (GHG).

❑ Refiners and nuclear plant owners are confronted with remediation and clean-up costs when closing or selling
technologically obsolete assets.

❑ Nuclear plant owners are confronted with catastrophic failure of spent

fuel rod containment facilities and subsequent release of radioactivity
into the atmosphere due to natural disasters.

25