RISK MANAGEMENT
Jaidev Iyer
May 24, 2023
SETTING THE TONE FOR OUR DISCUSSION TODAY
v “Risk” has long been equated with CREDIT RISK alone i.e. risks arising out of repayment (of loans and such
obligations) or the dependence of one party on the performance of another party.
v A later concern was in MARKET RISK, related to Values of Traded securities (stocks, bonds, FX ...) or
Liquidity (funding liquidity or trading liquidity)
v This includes Strategy, Reputation, Fraud, Theft, Information/Cyber security, Third-Party/Vendor, Disaster
Recovery/Resilience, Human Resources, People Conduct
v Note we do NOT care for the WHAT of Risk and Risk Management...
We care about the HOW and the SO-WHAT
WHAT IS RISK
• In social settings, Risk is the possibility of loss or injury
• the chance that an investment (such as a house, stock, commodity) will lose value
• in Business & Finance, Risk is the chance that an outcome or actual returns will differ from an expected
outcome or return ... So, risk = deviation from expected returns
A – B = C <= D
Where
RISKY BUSINESS
• Risk comes in many types AND FLAVOURS – although the list is finite.
• Discuss >
• One night you forget to check if your front door is locked
• You borrow money to make a stock-market investment
• You put your money in a Fixed Deposit with a bank
• The fire alarm suddenly goes off in the middle of a work-day
• In a Covid environment, you are in a crowd without a mask
• You catch a fraudster in your company – if you report him there will be a big stink and the company will be roasted in the media and subject to police and regulator scrutiny.
• A client tells you to do something that appears very much of a “grey area” thing; this client is really
valuable to the firm, and its MD is a good friend of your boss’ boss
CREDIT RISK AS A MAJOR TYPE OF RISK
Risk of financial loss arising from a borrower, guarantor or counterparty failing to meet
obligations in accordance with agreed terms
• Ongoing Review: Periodic review, and update for relevant new information
Ø Five classic “Ws”: Who, Why, When, What, Where – and How
MARKET RISK AS ANOTHER MAJOR TYPE OF RISK
Risk of loss arising from change in market conditions, prices, or risk of illiquidity
Note that VaR is NOT “worst-case” loss. It is a statistical estimate of potential loss
OPERATIONAL RISK AS THE THIRD MAJOR RISK-TYPE
• Operational Risk is the risk of loss resulting from inadequate or failed internal processes,
people and systems; or from external events
CORPORATE RISK TAXONOMY
Level 1: Primary Risk / Level 2: Risk Category / Level 3: Examples of Risk

Level 1: Business and Strategy Risk
  Level 2: Reputational Risk
    Reputation risk is inherent in all business activities, and impacted by Governance, Risk, or Control failures. It includes:
    • Negative media coverage and client/stakeholder attention for real or perceived misconduct
    • The risk to Company's brand if Brand Ambassadors do not convey Company's brand/image properly
    • Allegations of improper business practices including bribery and corruption
  Level 2: Concentration of Clients and Business
    • Specific problems or constraints or losses in some clients, geographies or markets threaten overall business returns
    • Over-reliance on some clients, segments or product lines which become costly or unprofitable
  Level 2: Range and depth of Banking relationships
    • Lack of adequate banking partners in size and scale in individual markets or overall
    • Lack of back-up and redundancy planning and establishment
  Level 2: Competition
    • Increased competition through new entrants or pricing squeeze
    • New Technologies act as disruptors to business efficiency and pricing
  Level 2: M&A and New Products/Projects
    • Inorganic growth through M&A creates integration issues and does not create expected synergies
    • Merger partners may not reflect Company values and positions
    • New Products/business/projects may surface unanticipated or unintended risks or new levels of complexity
  Level 2: Recruiting/Retention and Succession Planning
    • An inability to attract talent
    • Risk of loss of 'Key Persons'
    • Loss of knowledge & experience, and adverse impact on Company's business operations
Corporate Risk Taxonomy
Level 1: Financial - Credit Risk
  Level 2: Credit Risk
    • Defaults, write-downs and recovery shortfalls in Company’s placements, advances, prepayments, and unsecured balances, across banking partners, accounts, and clients
    • Money being blocked due to capital controls and sovereign risk events
    • Change in the market value of outstanding FX contracts with counterparties, which may mean that if the counterparty defaults, more money is owed to Company than originally expected (if the currency we bought has appreciated in value)
Level 1: Financial - Market Risk
  Level 2: FX Risk
    • Company’s exposures in multiple currencies may expose it to volatility, currency depreciation or devaluations, inability to manage/hedge any exposures
    • The risk that Company is unable to satisfy its FX requirements, given lack of depth in a particular market
    • Company’s Treasury operation, where balances are maintained in several currencies
  Level 2: Liquidity Risk
    • The risk that Company or its banking partners will have insufficient funds to meet its financial obligations as and when expected and due
Corporate Risk Taxonomy
Level 1: Operational Risk
  Level 2: Internal Theft & Fraud
    • Unauthorized Activity, Transactions or Risk-taking by employee/s
    • Fraud where at least one party is internal
    • Theft (internal party), embezzlement, misappropriation
    • Forgery
    • Any other criminal activity by staff
  Level 2: External Theft & Fraud
    • Fraud or Theft committed by third parties on Company
    • Forgery or other criminal activity
    • Credit Card theft or fraud, in issuance or usage
    • Attempt to physically or electronically amend payment advice to embezzle money
  Level 2: Physical Security
    • Facilities are insecure and access is obtained by unauthorized person/s
    • Motivations can be theft of assets or data or physical harm
  Level 2: Data, Information & Cyber Security
    • Unauthorized access to systems and records
    • Theft/leakage of data & information
    • Cyber-security, hacking and related issues
    • Unauthorized alteration of firm or client data or information corruption by internal/external actions
    • Accidental alteration or deletion of required client or Company data & information
Corporate Risk Taxonomy
Level 1: Operational Risk
  Level 2: Employee Behavior & Relations
    • Strikes, union issues preventing work or customer-service
    • Racial, gender, ethnic or other allegations of discrimination in Company
    • Sexual or other forms of harassment or bullying in the workplace
    • Violations or implementation issues with respect to local laws & regulations
    • Formal Complaints against supervisors or management
    • Employee lawsuits or complaints to regulators/authorities
    • Employees alleging wrongful termination or unfair compensation
    • Contract workers claiming employment status
  Level 2: Business Continuity issues
    • Natural disaster or manmade disruptions affecting maintenance of business service
    • Impact of earthquake, fire, flood etc.
    • BCP program not maintained, tested, deployed
    • Disaster Recovery issues
    • Damage to Physical Assets from sources such as disasters, terrorism, vandalism
Corporate Risk Taxonomy
Level 1: Operational Risk
  Level 2: Operational Processes & Errors
    • Errors of any type including data entry and maintenance
    • Product fails, flaws, errors, and defects
    • Operational execution errors
    • Mismanagement of payments and settlements
    • Untimely, incomplete, or inaccurate card management process
    • Card not issued, replaced, sent, received properly
    • Errors in managing Card issuance and maintenance
  Level 2: IT Change Management
    • Unauthorized or unplanned code changes that may impact other systems
    • Mismanagement in SDLC
    • SLA impacts misunderstood or miscommunicated
    • Segregation of duties and Separation of Environments not followed
  Level 2: Lack of Scalability of Systems
    • Systems capacity below requirements
    • Infrastructure cannot cope with business volumes and complexity
    • Future growth not planned and executed properly
  Level 2: Client Services & Account Management
    • Client or Partner is not on-boarded in a timely and accurate manner
    • Complaints, and questions and other issues are not addressed promptly and properly
    • Client Services are mis-handled
    • Disputes with client regarding access, accounts, records, analysis and representation
  Level 2: 3rd-party Vendor Management
    • Vendor management process failures including background checks, approvals
    • Information Security violations by vendors
    • Client/customer compromise through vendor failures or incorrect service
    • Ineffective management of Vendor onboarding and off-boarding
    • Over reliance on outsourcing and vendors
    • Lack of planning for dependencies and back-ups
IT’S A RISKY WORLD...BUT RISKS ARE FINITE AT SOME LEVEL
CRITICAL THINKING
SECTION II
What is RISK MANAGEMENT
RISK MANAGEMENT GOAL & CHALLENGE
Inherent Risk – Internal Control Environment = Residual Risk < Appetite
BUILDING RISK DISCIPLINES
Risk Discipline | Modern History | Risk Measurement | Risk Mitigation
What?
WHAT IS RISK MANAGEMENT
How?
WHAT IS RISK MANAGEMENT
Why?
THE CAUSES OF OPERATIONAL RISK .. SOME COMMON ISSUES
Process
• Lack of effective procedures
• Lack of capacity
• Volume sensitivity
• Lack of effective controls
• Failure to review controls when process changes
Technology
• Lack of systems availability due to operational failure
• Lack of systems integrity
• Inadequate control functionality
• Poor systems development and Beta testing
• Lack of strategic approach to systems design
• Lack of understanding of (complex) systems
People
• Human error
• Unauthorised activities
• Lack of accountability for operational risk management
• Lack of integrity/honesty
• Lack of customer care
• Skills/training deficit
• Poor communication
• Concentration of expertise
• Lack of appropriate supervision
Environment – External
• War, terrorism, disasters
• Regulatory and tax changes
• Lack of experienced staff, high costs and use of contractors
• Change management
Environment – Internal
• Reliance on technology
• Disconnect between Capacity and Business Growth
• Continuing industry rationalisation – results in the need to integrate processes, systems and corporate cultures
The WHO of Risk Management and Control
Strategy
§ Objectives
§ Culture, language
§ Policy, Procedures
§ Capital - Economic & Reg
Risk Toolkit
RISK MANAGEMENT AS A PROGRAM
Identify Risks
• Iterative exercise
• Periodic revisit with Metrics, and Risk Control Self Assessment
• Informed by actual Issues & Events
Assess Risks
• Severity & likelihood
• Vulnerability & Speed
• Heat-map / matrix
Install Controls
• Required Policies
• Reflect Business and Risk Policies
• Include procedures
Monitor
• Metrics trends
• RCSA* results
• Remediation Plans
Governance (Exec Team oversees; Monthly Reporting)
• Issues
• Metrics
• Assessments
• Corrective Actions & Assurance
THE LINES OF DEFENSE IN ANY ENTERPRISE
Business Manager (Risk Owner) | Risk Control Owner | Risk Stewards | Risk Function/s
Business Manager and Risk Control Owner: accountable for monitoring, testing and managing risk in the Business
Risk Stewards and Risk Function/s: provide oversight, advice and risk insights, act on boundaries
MANAGING CORPORATE OPERATIONAL RISK
FOCUS ON
- PEOPLE
- PROCESS
- SYSTEMS
- RESILIENCE TO EXTERNAL SHOCKS
SECTION III
THE RISK MANAGEMENT TOOLKIT
RISK ASSESSMENT (HYPOTHETICAL)
[Heat-map figure: Likelihood plotted from 1 (Unlikely) to 5 (Definitely); example risks plotted: Hiding Transactions, Mismarking Positions, Theft by 3rd-party]
CONTROL Acceptable use of devices
The derivation, treatment, and configuration of controls
Monitoring
• Monitoring
• RCSA plan and checklists
• Span of control
• Residual risk indicators
• Control effectiveness
• Is the control designed to mitigate the associated risk to a level articulated by the business and the
published risk appetite statement?
• Is the control designed according to industry standards?
• What are the potential events that could occur associated with the specific risk?
• Does the control mitigate the potential that these events can occur?
• Are there business changes that would impair the ability of the control?
• What is the history of this control associated with mitigating the risk?
• Does the control mitigate all material risks, including regulatory risks?
• Are there gaps where risks exist without any controls?
• Is the cost of implementing the control aligned with the risk it is designed to mitigate?
• What is the cost/benefit equation?
• What are the attributes for the control?
• Is the control key or non-key, preventative vs detective, automated or manual means?
• Does the control occur at the right frequency?
• Does the control occur during the right point in the process?
• Does the executor of the control have the proper knowledge and expertise?
• Do the attributes of the control, including whether it is detective or preventative, key or non-key, manual
or automated impact implementation?
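The questions above ("Are there gaps where risks exist without any controls?", "preventative vs detective", "key or non-key", "automated or manual") can be asked of a control inventory mechanically. The following is an added example, not material from the deck: the risk names echo the taxonomy, while the `Control` record, its attributes and the four sample controls are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the slides. Risk names echo the taxonomy; the control
# inventory and its attributes are constructed for illustration.


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    risks: tuple          # names of the risks this control mitigates
    kind: str             # "preventative" or "detective"
    mode: str             # "automated" or "manual"
    key: bool             # key control (relied on for the risk) or non-key
    frequency: str        # when it runs, e.g. "per change", "daily", "annual"


def controls_for(risk: str, controls: list) -> list:
    """All controls that claim to mitigate the named risk."""
    return [c for c in controls if risk in c.risks]


def uncovered_risks(risks: list, controls: list) -> list:
    """Risks that no control claims to mitigate: a gap in the RCSA."""
    return [r for r in risks if not controls_for(r, controls)]


def detective_only_risks(risks: list, controls: list) -> list:
    """Risks where every control only detects after the fact: nothing prevents
    the event, so the loss may already have happened when the control fires."""
    out = []
    for r in risks:
        cs = controls_for(r, controls)
        if cs and all(c.kind == "detective" for c in cs):
            out.append(r)
    return out


def manual_key_controls(controls: list) -> list:
    """Key controls that depend on a person performing them: candidates for
    automation, or at least for independent testing of their execution."""
    return [c.control_id for c in controls if c.key and c.mode == "manual"]


def coverage_report(risks: list, controls: list) -> dict:
    """One pass over the inventory answering the checklist questions."""
    return {
        "uncovered": uncovered_risks(risks, controls),
        "detective_only": detective_only_risks(risks, controls),
        "manual_key_controls": manual_key_controls(controls),
        "controls_per_risk": {
            r: [c.control_id for c in controls_for(r, controls)] for r in risks
        },
    }


# Constructed sample: four risks from the taxonomy and four controls.
RISKS = [
    "Unauthorized code change",
    "Hiding Transactions",
    "Vendor data leak",
    "Accidental deletion of client data",
]

CONTROLS = [
    Control("C1", "Change approval workflow", ("Unauthorized code change",),
            "preventative", "automated", True, "per change"),
    Control("C2", "Production deployment log review", ("Unauthorized code change",),
            "detective", "manual", False, "weekly"),
    Control("C3", "Daily P&L and position reconciliation", ("Hiding Transactions",),
            "detective", "manual", True, "daily"),
    Control("C4", "Vendor security assessment", ("Vendor data leak",),
            "preventative", "manual", True, "annual"),
]

if __name__ == "__main__":
    for section, value in coverage_report(RISKS, CONTROLS).items():
        print(f"{section}: {value}")
```

Run as a script it lists the uncovered risk (accidental deletion has no control at all), the risk that is only detected rather than prevented (Hiding Transactions), and the key controls whose execution rests on a person. The same three checks are what an RCSA reviewer would ask a control owner to explain.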
RESIDUAL vs. INHERENT Risk: assess to manage
[Figure: Frequency (1-5) vs Severity (1-5) matrix, with Inherent Risk plotted higher on the Frequency axis than Residual Risk]
Risk Management Strategies
[Figure: Frequency vs Severity quadrant chart of treatment options: Control, Avoid, Reduce, Contain/Transfer, Accept]
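The heat-map, the "Inherent Risk – Internal Control Environment = Residual Risk < Appetite" relation from Section II and the frequency/severity strategy quadrants fit together in one small register calculation. The following is an added example, not material from the deck: likelihood and severity use the 1..5 axes shown on the slides, but the heat-map band cut-offs, the 0..1 control-effectiveness scale, the rule that controls reduce likelihood rather than severity, the quadrant-to-strategy mapping (Accept / Reduce / Contain-Transfer / Avoid) and the sample register and appetite limits are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass

# Added example, not from the slides. Likelihood and severity use the slides'
# 1..5 heat-map axes; the band cut-offs, the control-effectiveness scale and the
# strategy quadrant mapping are assumptions made for this example.


@dataclass(frozen=True)
class RiskEntry:
    name: str
    category: str                 # Level 2 risk category from the taxonomy
    likelihood: int               # 1 = Unlikely ... 5 = Definitely
    severity: int                 # 1 = minor ... 5 = severe
    control_effectiveness: float  # 0.0 = no control ... 1.0 = fully effective (assumed scale)


def inherent_score(r: RiskEntry) -> int:
    """Inherent risk before any control: likelihood x severity on the 5x5 map."""
    return r.likelihood * r.severity


def residual_likelihood(r: RiskEntry) -> int:
    """Assumption: controls cut how often the event happens, not how bad it is
    when it does, and the residual likelihood never drops below 1."""
    return max(1, math.ceil(r.likelihood * (1.0 - r.control_effectiveness)))


def residual_score(r: RiskEntry) -> int:
    """Residual risk: what is left after the internal control environment."""
    return residual_likelihood(r) * r.severity


def heat_band(score: int) -> str:
    """Assumed heat-map bands over the 1..25 score range."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


def strategy(r: RiskEntry) -> str:
    """Treatment from the residual frequency/severity quadrant (assumed mapping:
    low/low Accept, frequent Reduce, severe Contain/Transfer, both Avoid)."""
    frequent = residual_likelihood(r) >= 3
    severe = r.severity >= 4
    if frequent and severe:
        return "Avoid"
    if frequent:
        return "Reduce"
    if severe:
        return "Contain/Transfer"
    return "Accept"


def assess(r: RiskEntry, appetite: dict) -> dict:
    """Inherent - Control = Residual, then compare Residual with the appetite
    limit set for the risk's category."""
    residual = residual_score(r)
    limit = appetite[r.category]
    return {
        "name": r.name,
        "inherent": inherent_score(r),
        "residual": residual,
        "band": heat_band(residual),
        "appetite": limit,
        "within_appetite": residual <= limit,
        "strategy": strategy(r),
    }


def appetite_breaches(register: list, appetite: dict) -> list:
    """Names of risks whose residual score exceeds the category appetite."""
    return [r.name for r in register if not assess(r, appetite)["within_appetite"]]


# Constructed sample register; names echo the slides' examples, scores are made up.
REGISTER = [
    RiskEntry("Hiding Transactions", "Internal Theft & Fraud", 4, 5, 0.6),
    RiskEntry("Mismarking Positions", "Internal Theft & Fraud", 3, 4, 0.5),
    RiskEntry("Theft by 3rd-party", "External Theft & Fraud", 1, 3, 0.2),
    RiskEntry("Unauthorized code change", "IT Change Management", 4, 3, 0.75),
    RiskEntry("Vendor data leak", "3rd-party Vendor Management", 2, 5, 0.5),
    RiskEntry("Data entry errors", "Operational Processes & Errors", 5, 2, 0.2),
    RiskEntry("Card issuance errors", "Operational Processes & Errors", 5, 4, 0.3),
]

# Constructed appetite limits: maximum acceptable residual score per category.
APPETITE = {
    "Internal Theft & Fraud": 6,
    "External Theft & Fraud": 6,
    "IT Change Management": 6,
    "3rd-party Vendor Management": 8,
    "Operational Processes & Errors": 10,
}

if __name__ == "__main__":
    for a in (assess(r, APPETITE) for r in REGISTER):
        flag = "OK" if a["within_appetite"] else "BREACH"
        print(f'{a["name"]:<26} inherent={a["inherent"]:>2} residual={a["residual"]:>2} '
              f'{a["band"]:<8} appetite={a["appetite"]:>2} {flag:<6} -> {a["strategy"]}')
```

The point of separating `inherent_score` from `residual_score` is the one the slides make: a risk is managed against its residual position, and a breach is a residual score above the appetite the business has published for that category, not a high inherent score on its own. Hiding Transactions still breaches after a 60% effective control; Unauthorized code change, with a strong preventative control, lands in Accept territory.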
Risk Control Self Assessment (RCSA)
1. To enable the organisation to capture all material risks and their associated controls
Paul H. O’Neill: CEO ALCOA (1987-2000), later US Treasury Secretary
Profits down, quality & productivity poor, morale toxic, workers burn manager-effigies
O’Neill comes in, announces goal: Choose one metric; target to manage and improve Alcoa
“Worker Injuries”
No matter what it cost, Alcoa was going to drive toward zero injuries
Organization disrupted; each injury had to be reported by unit CEO, with never-again plan
Required fast clear comms with the VPs and they with managers
Suddenly everybody had to study work processes, quality, efficiency, reporting structures …
• KRIs must be quantitative, to enable verification and scenario analysis, and forward-
looking/coincident, recognizing improvement and deterioration.
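A KRI that is quantitative and forward-looking needs two things on top of the number itself: thresholds that turn it Red/Amber/Green, and a rule that recognises improvement and deterioration before the threshold is hit. The following is an added example, not material from the deck: the indicators use names the slides and quiz mention (customer complaints, documentation gaps, incomplete deal approvals), but the thresholds, the window-based trend rule, the escalation rule and every monthly series are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# Added example, not from the slides. Thresholds, the window-based trend rule
# and all monthly series below are constructed for illustration.


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float                  # threshold at which the indicator turns AMBER
    red: float                    # threshold at which it turns RED
    higher_is_worse: bool = True  # False for indicators such as a pass rate


def rag_status(kri: KRI, value: float) -> str:
    """Red/Amber/Green rating of a single observation against its thresholds."""
    if kri.higher_is_worse:
        if value >= kri.red:
            return "RED"
        return "AMBER" if value >= kri.amber else "GREEN"
    if value <= kri.red:
        return "RED"
    return "AMBER" if value <= kri.amber else "GREEN"


def trend(kri: KRI, series: list, window: int = 3, tolerance: float = 0.02) -> str:
    """Compare the mean of the latest `window` observations with the mean of the
    `window` before it; a relative move beyond `tolerance` in the bad direction
    is 'deteriorating', in the good direction 'improving'."""
    if len(series) < 2 * window:
        return "insufficient data"
    recent = mean(series[-window:])
    prior = mean(series[-2 * window:-window])
    if prior == 0:
        change = 0.0 if recent == 0 else 1.0
    else:
        change = (recent - prior) / abs(prior)
    if abs(change) <= tolerance:
        return "stable"
    worsening = change > 0 if kri.higher_is_worse else change < 0
    return "deteriorating" if worsening else "improving"


def trailing_breaches(kri: KRI, series: list) -> int:
    """How many consecutive latest observations sit at AMBER or RED."""
    count = 0
    for value in reversed(series):
        if rag_status(kri, value) == "GREEN":
            break
        count += 1
    return count


def evaluate(kri: KRI, series: list) -> dict:
    """Status, direction and persistence of one indicator."""
    return {
        "name": kri.name,
        "latest": series[-1],
        "status": rag_status(kri, series[-1]),
        "trend": trend(kri, series),
        "months_in_breach": trailing_breaches(kri, series),
    }


def escalations(sample: list) -> list:
    """Indicators to escalate: RED now, or AMBER and still deteriorating."""
    out = []
    for kri, series in sample:
        e = evaluate(kri, series)
        if e["status"] == "RED" or (e["status"] == "AMBER" and e["trend"] == "deteriorating"):
            out.append(e["name"])
    return out


# Constructed monthly series (oldest first) for four indicators.
COMPLAINTS = KRI("Number of customer complaints", amber=20, red=25)
PASS_RATE = KRI("Key control test pass rate (%)", amber=95, red=92, higher_is_worse=False)
DOC_GAPS = KRI("Open documentation gaps", amber=20, red=30)
DEAL_APPROVALS = KRI("Incomplete deal approvals", amber=5, red=10)

SAMPLE = [
    (COMPLAINTS, [12, 14, 13, 15, 18, 22, 27]),
    (PASS_RATE, [98, 97, 96, 94, 93, 91, 90]),
    (DOC_GAPS, [34, 30, 26, 21, 17, 14, 11]),
    (DEAL_APPROVALS, [2, 3, 4, 6, 6, 7, 7]),
]

if __name__ == "__main__":
    for kri, series in SAMPLE:
        e = evaluate(kri, series)
        print(f'{e["name"]:<34} latest={e["latest"]:>3} {e["status"]:<5} '
              f'{e["trend"]:<13} breach months={e["months_in_breach"]}')
    print("Escalate:", escalations(SAMPLE))
```

The escalation rule is where the "forward-looking" requirement shows up: incomplete deal approvals are only Amber, but the trend has been rising for months, so they are escalated alongside the two indicators already in Red, while documentation gaps, which are clearly improving, are not.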
Examples of KRIs
Key Risk Indicators ... examples
Documentation gaps
Incomplete Deal Approvals
Improper Activities
“Deep Dives” against Large Risk Events and Losses
Identify Risk Drivers
• What could have prevented the loss?
• What factors influenced the size of the loss?
Dimension Size and Frequency
• When and how might the loss have been significantly larger?
• Could such losses occur more frequently?
• What do external events in this space teach us?
Process / Control Analysis
5 Fixes
• Control improvements?
• Better metrics?
[Figure: data sources feeding the analysis: Internal Losses, RCSA, Metrics, Shared Utilities, Hierarchies, Report Writer, Financials, External Losses, Scaling, Audit Data]
Special risks on radar screens today
INFORMATION SECURITY MANAGEMENT
• Clients entrust firms with a substantial amount of data and information which
reside on these systems
There are four major considerations for a firm in any BCP situation:
Business & Climate Change Related Risks
Business impact: Higher Provisions, Higher RWA, Higher Capital Requirements
Transition risks (ERM view):
• Increase in capex due to investment in upgrade of assets and technology; higher cost of borrowing
• Tighter requirements for existing high-risk products; abrupt Index reset
• Risk of current assets becoming obsolete fast, and higher cost of replacing them
• Fall in the liquidity of assets due to obsolescence; inability to dispose of the assets at reasonable valuation
• Abrupt transition will mean business models failing, leading to loss of jobs and failing contracts; slow transition would call for social & governance issues
• Business models becoming unviable; management expertise and firm’s talent pool not scaling quickly; tight regulatory timelines
CLIMATE RISK STRATEGY DEVELOPMENT APPROACH
A structured approach for Climate Risk strategy development helps navigate a complex decision-making landscape.
01 UNDERSTAND REQUIREMENTS
• Clearly understand the regulatory and business requirements
• Document requirements
• Create road map, project plan and timeline
02 ESTABLISH GOVERNANCE
• Establish climate change program governance model
• Establish dedicated teams tasked with defined objectives
• Create action plans to remove any project road blocks
• Track project milestones and timelines
03 IMPACT & GAP ANALYSIS
• Perform impact study across business strategy, people, policy, process, product, systems & application
• Assess current practices and gap analysis based on questionnaire
• Analyze and document the existing gaps in process, data, application etc.
04 DATA STRATEGY, TECH CONSIDERATIONS & ARCH
• Define a strategy to collect exhaustive information from internal and external sources
• Establish comprehensive data sourcing, compilation, validation, enrichment, audit & input into models
05 RISK MANAGEMENT & SCENARIO ANALYSIS
• Identify risk factors that materially impact Client’s portfolio
• Define & design scenarios by incorporating material risk factors into the scenarios
• Calculate Physical and Transition risk
06 INTEGRATE WITH MAIN-STREAM
• Define a strategy to integrate climate factors into governance, strategy, risk appetite, models' processes, and disclosures
• Roll out of new products and services
07 METRICS & REGULATORY DISCLOSURES
• Create a reporting framework that is flexible to address multiple regulatory and internal reporting needs
• Create an actionable, insightful periodic disclosure, keeping multiple stakeholders in mind
PROJECT RISK
PROJECT RISK MANAGEMENT
LET'S TALK MORE ABOUT RISK AT L AND T
Issues of Risk Management v Business Management
• Immature or missing foundational governance and business practices – including but not limited to corporate policies, vendor management, strategic planning, and even a true operating budget.
• Poor communication from leadership – without clear and consistent communication between executives,
managers, and employees, rumors will begin circulating, leading to even bigger headaches such as negative
workplace culture. According to a survey, risk professionals consider tone at the top to be one of Enterprise
Risk Management’s biggest hurdles.
• Constantly shifting priorities – without clear goals that remain steady, the company will struggle to focus
on execution and completion, leading to a lot of half-finished projects.
• No clear roles and responsibilities – without knowing who is responsible for what, when, where, and how,
the company will not be able to keep the right persons on track with goals with accountability (including
executives) should a particular goal fall short.
Consequences when not proactive in managing threats and opportunities
(these are deliberately mis-ranked... Or are they ?! How would you rank them?!)
Being “too proactive” and overly focused (obsessed) on managing risks
Note that Issues like these illustrate the importance of tools like risk appetite and tolerance
WHAT IS RISK MANAGEMENT AT THE BUSINESS LEVEL
• Risk management is the application of continual analysis across financial, strategic, systems,
human and organizational problems to improve business performance
• Input > Process > Output > Feedforward > Feedback > Monitoring > Governance
BUSINESS RISK STRATEGY
• The purpose of risk management is to help the firm make better decisions, to set direction,
gain commitment, keep control, and resolve uncertainty. Key questions:
Role of a Business Manager in Risk Management?
1. Risk Identification: Business managers are responsible for identifying potential risks and hazards that could
impact the organization's operations, reputation, or financial stability. This involves conducting risk assessments,
reviewing historical data, and analyzing industry trends to proactively identify risks.
2. Risk Assessment: Once risks are identified, business managers assess the potential impact and likelihood of occurrence. They evaluate the severity of risks and prioritize them based on their significance to the organization's objectives and goals.
3. Risk Mitigation: Business managers develop strategies and implement measures to mitigate identified risks.
This involves creating risk management plans, implementing internal controls and procedures, and ensuring
compliance with regulatory requirements. They may also collaborate with other departments or teams to
address specific risks effectively.
4. Risk Monitoring: Business managers continuously monitor risks and mitigation efforts. They track key risk
indicators, review incident reports, and analyze data to identify emerging risks or changes in risk profiles.
Regular monitoring helps ensure that mitigation measures remain effective and aligned with the risk landscape.
5. Communication and Reporting: Business managers play a vital role in communicating risk-related information to
relevant stakeholders, such as senior management, board members, or regulatory bodies. They prepare risk
reports, provide updates on risk management activities, and communicate any changes in risk exposure or
mitigation strategies.
6. Risk Culture and Awareness: Business managers foster a risk-aware culture within the organization by
promoting risk awareness and education among employees. They provide training programs, establish risk
management frameworks, and encourage proactive risk identification and reporting at all levels.
7. Continuous Improvement: Business managers actively seek opportunities for continuous improvement in risk
management processes. They assess the effectiveness of existing controls and procedures, evaluate the impact of
risk management initiatives, and implement necessary adjustments or enhancements to optimize risk
management practices.
The Problem with Operational Risk
• Capital need is driven by the risk of infrequent but extremely large events
The Problem with OpRisk Management
Operational risk management:
1. What is operational risk?
a) The risk of financial losses due to market volatility
b) The risk of legal and regulatory non-compliance
c) The risk of losses resulting from inadequate or failed internal processes, people, and systems
d) The risk of damage to physical assets
Answer: c) The risk of losses resulting from inadequate or failed internal processes, people, and systems
2. Which of the following is NOT a category of operational risk?
a) Fraud and theft b) Human error c) Market risk d) Technology risk
Answer: c) Market Risk
3. True or False: Operational risk is limited to financial institutions and banks.
Answer: b) False
4. Which of the following is an example of an internal operational risk event?
a) A natural disaster b) A data breach c) A terrorist attack d) Employee fraud
Answer: d) Employee Fraud
Operational Risk Management
What is the purpose of a risk assessment in operational risk management?
a) To eliminate all operational risks
b) To transfer operational risks to insurance companies
c) To identify, assess, and prioritize operational risks
d) To outsource operational risks to third-party vendors
Answer: c) To identify, assess, and prioritize operational risks
Which of the following is an example of a key risk indicator (KRI)?
a) Number of customer complaints
b) Stock market index fluctuations
c) GDP growth rate
d) Interest rate changes
Answer: a) Number of customer complaints
True or False: Risk mitigation measures should be implemented before identifying operational risks.
Answer: b) False
What is the purpose of a business continuity plan (BCP)?
a) To prevent all operational risks from occurring
b) To transfer operational risks to external parties
c) To ensure the continuation of critical business operations in the event of disruptions
d) To shift operational risks to different departments within the organization
Answer: c) To ensure the continuation of critical business operations in the event of disruptions
OpRisk Scenarios
Scenario 1: A company's finance department discovers that an employee has been embezzling funds over a period of several years.
The employee manipulated financial records to cover up the theft. This incident leads to significant financial losses for the company
and reputational damage. What type of operational risk event occurred in this scenario?
Scenario 2: A manufacturing company heavily relies on a single supplier for a critical component in their production process. Due to a
sudden disruption in the supplier's operations, they are unable to deliver the component for several weeks. As a result, the
manufacturing company faces production delays, customer order cancellations, and increased costs to find an alternative supplier.
Question: What type of operational risk is evident in this scenario?
Scenario 3: An online retail company experiences a cybersecurity breach where customer data, including credit card information, is
compromised. The breach occurs due to a vulnerability in the company's website security, allowing hackers to gain unauthorized
access to sensitive information. The company faces legal penalties, customer backlash, and a loss of trust. What is the primary risk in
this scenario?
Scenario 4: A multinational corporation operates in a country where frequent political unrest and protests occur. During one such
protest, the company's manufacturing facility is vandalized, resulting in damage to equipment, inventory, and disruption of
operations. The company did not have a contingency plan in place for such events. Which type of risk was not adequately addressed
in this scenario?
Scenario 5: A software company launches a new product without conducting thorough testing and quality assurance. Shortly after
release, customers start reporting critical bugs and system crashes, leading to widespread dissatisfaction and negative reviews. The
company experiences financial losses and damage to its brand reputation. What risk management failure occurred in this scenario?
Key Risk Indicators (KRIs)?
What is the difference between KRIs and Key Performance Indicators (KPIs)?
a) KRIs measure risks while KPIs measure performance
b) KRIs are leading indicators while KPIs are lagging indicators
c) KRIs focus on negative outcomes while KPIs focus on positive outcomes
d) KRIs and KPIs are the same thing
Answer: a) KRIs measure risks while KPIs measure performance
FINAL THOUGHTS
• Risk is rarely “absolute” ... It is always “relative” to Capacity, Appetite, and Returns
• Risk is about problem and opportunity
• Risk-Management = Business-Management. Embed it
• Understand and manage your Unusual, Unintended, Unacceptable
• Find and nurture join-the-dots intelligence for your firm … silos kill
• Metrics and Assessments are key, as indicators of Well-Being and Smoke-Detection
• The ‘What’ is interesting, but the ‘So-What’ is vital
• Financial risks are easy to dimension; not so behavior, reputation, franchise,
credibility .... survival ... goal is to maximize not {current $}, but NPV($, $..... $)
FINAL FINAL THOUGHTS ….
v Avoiding the Monday, Tuesday, Wednesday syndrome ..
v Models don’t kill markets, people do … and their fears, greed, ego, biases
v Plan, hire, train, and manage People as your greatest assets, and greatest liabilities. Trust but Verify.
v When in a hole, stop digging. Risk can become near-fatal based on your response
v Silos are fatal: the way risk manifests is irrelevant, labels are redundant
THANK YOU ….. QUESTIONS?
Jaidev Iyer
JAIDEV@J-RISKADVISORS.COM
+91-63749-67019