Robert Serena
March 2012
About the author
Bob has over 30 years of financial services functional experience across insurance, reinsurance, commodity trading,
and commercial banking - numerous technical and leadership roles in the First Line-of-Defense (Actuarial,
Investment Management, and Capital Markets & Trading) and Second Line-of-Defense (Risk Management and
Compliance).
Bob is a native of Connecticut, and currently resides in Charlotte, North Carolina with his wife and two children.
Operational risk in a trading business
❑ Definition
❑ Process
❑ People
❑ Systems
❑ External Events
How is operational risk defined in a trading business?
❑ The risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events that have a direct impact on front-to-back
transaction administration.
❑ It represents the risk profile of the front-to-back business processes from origination
to execution and delivery.
Operational risk - Processes and people
Operational risk - Systems and external events
Operational risk failures
Examples from the past 25 years
2008, Madoff Investment Securities: $18B loss to investors due to a Ponzi scheme
2007-8, The Credit Crunch: Mispricing of the risk involved with subprime mortgages led to a lack of credit supply felt worldwide
2007, Societe Generale: $7.2B loss due to a trader creating fraudulent trading positions through unauthorized trades
2002, Allied Irish Banks: $750M loss on foreign exchange trading operations
2001, Enron and Arthur Andersen: Accounting fraud led to the fall of both companies
1998, Long-Term Capital Management: $4B loss after debt default by Russia
1995, Barings Bank: $1.4B loss due to a rogue trader caused its collapse
Why do we manage operational risk?
Regulatory expectations
• Basel II
• Local regulatory developments
• Dodd-Frank Act
Industry events
• Accounting frauds
• AIB
• Barings
• Soc Gen
Tools used to manage operational risk
❑ Scenario Analysis
❑ Operational incident management
❑ New activity integration
❑ Enterprise risk management framework
❑ Key risk indicators
❑ Process reviews
Tools to manage Operational Risk
Forward-Looking
Tools: Scenario Analysis, Process Reviews, Key Risk Indicators, New Activity Integration
• Impact x likelihood
• Evaluating ability to control risks
• Trend analysis
• Identifying new business risks
Accept / Mitigate
Enterprise Level Controls
• Policies and procedures
• Risk committees
• New activity integration/post implementation reviews
• Incident escalation and action item audits
• Mandatory training requirements
• Delegation of authority
• Segregation of duties
Operational incident management
Operational losses resulting from inadequate or failed internal processes, systems, human error, or from external
events:
Examples
❑ Front, middle or back office systems, processes or controls
❑ Trading/credit exposures, positions or risk limits
❑ Compliance with applicable legal and regulatory requirements
New activity integration (NAI) process
Rigorous due diligence and review process that is applied to all new commercial opportunities to ensure that
the best commercial opportunities are selected.
A structured NAI process allows for human and economic resources to be allocated to the opportunities that
deliver the highest value.
NAI process (continued)
❑ All functional groups are required to opine and assign a risk rating on the specific incremental risks to
their area arising from the new activity.
❑ This rating system enables the commercial sponsor and the decision maker to focus on highest risk items.
New activity integration process
Sample risk radar
Radar chart axes (one per functional group): Accounting & Reporting, Treasury, Compliance, Trade Completion, Credit Risk, Tax & Indirect Tax, GIAAP, Regulatory, HSSE, Product Control, Internal Control, Operations, IT&S, Operational Risk, Legal, Market Risk
Enterprise risk management (ERM)
❑ Includes the methods and processes used by organizations to manage risks and seize opportunities related to
the achievement of their objectives.
❑ ERM provides a framework for risk management, which typically involves identifying particular events or
circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of
likelihood and magnitude of impact, determining a response strategy, and monitoring progress.
❑ By identifying and proactively addressing risks and opportunities, business enterprises protect and create value
for their stakeholders, including owners, employees, customers, regulators, and society overall.
❑ Identification: Strategic, operational and financial risks that can potentially impact profitability and the firm’s
reputation.
❑ Assessment: A look at the likelihood that a risk could happen and the impact of that risk, should it happen.
❑ Response: Develop an appropriate risk response which includes: (1) Risk acceptance or (2) Risk mitigation.
❑ Monitoring and control: Risk Managers, in partnership with Risk Owners, work to monitor the firm’s enterprise
risks on an ongoing basis, and further embed the management/monitoring of these risks into each impacted
business unit and the relevant governance meetings and committees.
Key Risk Indicators
❑ Support qualitative risk assessments and align to areas of risk (related to processes, people, systems)
❑ One KRI alone may not trigger a concern, but a combination of KRI signals may (e.g., new activity growth coupled
with high staff turnover in key areas could be a sign of workload pressure due to resource constraints)
Process Reviews – Strategic and Tactical
Periodic, risk-based reviews of critical business activities with the objective of decomposing a given activity into its
constituent operational risk elements (people, processes, systems and external events).
❑ Once this activity decomposition is completed, the inventory of controls deployed to manage the operational risk
elements is compiled.
❑ The relative effectiveness of each control is assessed, and an overall gap profile is developed.
❑ Alternatives to closing each gap with business impact profiles are reviewed, and the alternative which reduces the
residual operational risk exposure below the acceptable threshold is implemented.
Enterprise risks confronting the industry
❑ Strategic
❑ Operational
❑ Regulatory
❑ Insurable
❑ Environmental
Strategic risk
The risk associated with future business plans and strategies, including plans for entering new business lines,
expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.
Examples
❑ E&P firms are confronted with increased operating costs and higher operational risk profiles to extract
reserves due to the relative inaccessibility of marginal supply (e.g., Canadian Oil Sands, Deepwater, Arctic).
❑ All energy firms are confronted with potential lower margins due to increasing trends in operating costs (e.g.,
technology, taxes, labor).
❑ Any firm that is an end-user of commodity products is confronted with increased feedstock costs when supply
shocks occur due to political and civil unrest in resource-rich countries (e.g., Middle East), or disruptions
caused by terrorist attacks on transportation infrastructure, etc.
❑ Electric utilities are confronted with the potential loss of revenue from industrial and retail customers due to
technological advancements allowing the deployment of more cost effective distributed generation (e.g.,
small industrial firm installs an onsite natural gas generator).
Operational risk
The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external
events.
Examples
❑ A decreased range of investment opportunities and ability to compete in the market for profitable projects
due to declines in the number of students majoring in engineering, mathematics, and the hard sciences.
Also, the imminent retirement of experienced engineers and other professionals over the next 5-10 years
without suitably trained replacements.
❑ Potential legal fines and data management/data remediation costs resulting from increased frequency of
security breaches and cyber threats.
❑ Potentially increased disability and workers' compensation claims due to improperly designed workstations
and inadequate control-of-work procedures.
❑ Pipeline companies, electric utilities, and nuclear plant owners are confronted with increased maintenance
costs and increased likelihood of catastrophic failure due to the aging of the energy infrastructure in the U.S.
Regulatory risk
The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change
in laws or regulations made by the government or a regulatory body can increase the costs of operating a business,
reduce the attractiveness of investment and/or change the competitive landscape.
Examples
❑ All firms in the energy supply chain are confronted with a reduced commercial opportunity set due to
uncertainty in the direction of U.S. energy policy.
❑ Exploration and Production firms are confronted with increased operating costs and potential legal fines due to
more stringent regulation imposed on natural gas fracturing activities.
❑ Trading firms are confronted with increased technology and labor costs to assure compliance with Dodd-Frank
and related regulation that impacts trading firms.
Insurable risk
A risk that meets the ideal criteria for efficient insurance. The concept underlies nearly all insurance decisions. To be
insurable, several things must be true:
❑ The insurer must be able to charge a premium high enough to cover not only claims expenses, but also to cover the
insurer's expenses. In other words, the risk cannot be catastrophic, or so large that no insurer could hope to pay for the
loss.
❑ The nature of the loss must be definite and financially measurable. That is, there should not be room for argument as to
whether or not payment is due, nor as to what amount the payment should be.
❑ The loss should be random in nature, else the insured may engage in adverse selection (anti-selection).
Examples
❑ An electric utility suffers a loss of revenue due to a flood knocking out several generators at a power plant (business
interruption).
❑ A manufacturer of electric turbines has to pay product liability claims when several of its turbines fail to operate within
specified parameters due to metal fatigue.
❑ A refiner suffers property damage and loss of revenue when a hurricane knocks one of its plants out of commission for
several weeks.
Financial risk: Market
The risk that the value of a portfolio, either an investment portfolio or a trading portfolio,
will decrease due to the change in value of the market risk factors. The four standard market risk factors are stock
prices, interest rates, foreign exchange rates, and commodity prices.
Examples
❑ Refiners are confronted with increased feedstock costs and less cash flow certainty due to increased price
levels and volatility in crude oil supplies.
❑ Retailers are confronted with increased delivered prices of consumer goods due to the increased price of
gasoline and other refined products that are used as transportation fuels.
❑ Any energy firm that makes use of floating-rate debt financing is confronted with increased interest service
costs and less cash flow certainty in an increasing interest environment.
Financial risk: Credit
The risk of loss when a counterparty fails to meet a payment obligation, or the risk associated with any single
exposure or group of exposures with the potential to produce large enough losses to threaten the firm’s
operations, or the risk of loss arising when a sovereign state freezes foreign currency payments
(transfer/conversion risk), or when it defaults on its obligations (sovereign risk).
Examples
❑ A trading firm suffers the loss of outstanding A/R amounts and unrealized forward MTM when a counterparty
defaults.
❑ A pension plan suffers a loss on capital invested in bonds issued by a solar panel manufacturer when that firm
becomes insolvent.
❑ An airline suffers a loss of unrealized forward MTM when an OTC counterparty with whom it had financial
hedges against increasing jet fuel prices defaults.
Environmental risk
A variety of risks resulting from an organization’s activities, including release of toxic materials and other waste
products into the environment, resource depletion, and adverse impact on the climate.
Examples
❑ Electric utilities are confronted with lower expected returns and higher CAPEX costs due to caps on Greenhouse
Gas (GHG) emissions.
❑ Refiners and nuclear plant owners are confronted with remediation and clean-up costs when closing or selling
technologically obsolete assets.