
CRITICAL THINKING

RISK MANAGEMENT
Jaidev Iyer
May 24, 2023
SETTING THE TONE FOR OUR DISCUSSION TODAY
• “Risk” has long been equated with CREDIT RISK alone, i.e. risks arising out of repayment (of loans and such obligations) or the dependence of one party on the performance of another party.

• A later concern was in MARKET RISK, related to Values of Traded securities (stocks, bonds, FX ...) or Liquidity (funding liquidity or trading liquidity)

• Our focus today is significantly on OPERATIONAL RISK, i.e. risks related to “People, Process, Systems, and External Shocks” ....

• This includes Strategy, Reputation, Fraud, Theft, Information/Cyber security, Third-Party/Vendor, Disaster Recovery/Resilience, Human Resources, People Conduct

• OPERATIONAL RISK is a tough discipline notwithstanding Regulatory focus... it is not transactional, it is abstract, behavioral, difficult to quantify or extrapolate..

• BUT it is primarily what CORPORATES (you!) should/would care about...

• Note we do NOT care for the WHAT of Risk and Risk Management... We care about the HOW and the SO-WHAT

WHAT IS RISK
• In social settings, Risk is the possibility of loss or injury

• danger, hazard, peril, pitfall, threat, trouble ....

• UNEXPECTED vs. EXPECTED event

• the chance that an investment (such as a house, stock, commodity) will lose value

• In statistics, deviation is volatility

• And so risk typically equates to volatility

• it includes the downside and upside, which may be symmetrical or asymmetrical

• in Business & Finance, Risk is the chance that an outcome or actual returns will differ from an expected
outcome or return ... So, risk = deviation from expected returns

• Risk is Exposure + Uncertainty regarding the exposure. Without “exposure”, you have no risk
WHAT IS RISK ?
... A FORWARD-LOOKING VIEW OF VULNERABILITY

An Enterprise Risk Management approach continuously solves for

A – B = C <= D

Where
A = Inherent Risk due to chosen business
B = Control-based Mitigation
C = Residual Risks
D = Risk Appetite

Risk vs. Boundaries
Risk vs. How taken i.e. Market / Product
Risk vs. Reward
RISKY BUSINESS
• Risk comes in many types AND FLAVOURS – although the list is finite.
• Discuss >
• One night you forget to check if your front door is locked
• You borrow money to make a stock-market investment
• You put your money in a Fixed Deposit with a bank
• The fire alarm suddenly goes off in the middle of a work-day
• In a Covid environment, you are in a crowd without a mask
• you catch a fraudster in your company – if you report him there will be a big stink and the
company will be roasted in the media and subject to police and regulator scrutiny.
• A client tells you to do something that appears very much of a “grey area” thing; this client is really
valuable to the firm, and its MD is a good friend of your boss’ boss

• Risk Management is about installing and managing Controls as Responses to Risk

• Failure of a Control (locking a door) “could” be seen as a Risk but that might mean going around in circles. Best is to understand risks purely for what they are and thereafter focus on Design, Implementation, and Testing of Controls.
CREDIT RISK AS A MAJOR TYPE OF RISK
Risk of financial loss arising from a borrower, guarantor or counterparty failing to meet
obligations in accordance with agreed terms

Sovereign risk arises when a state or country defaults on its obligations

Credit Risk Management:

• Policies and Procedures: Credit risk assessment and accounting practices

• Structured Approach: Grading system to differentiate degree of risk

• Analysis : Measuring borrower’s financial condition and paying capacity

• Ongoing Review: Periodic review, and update for relevant new information

The Three Commonly Used Mnemonics

• Five classic “Cs”: Character, Capacity, Capital, Collateral, Condition
• Five classic “Ps”: Personal, Purpose, Payment, Protection, Perspective
• Five classic “Ws”: Who, Why, When, What, Where – and How
MARKET RISK AS ANOTHER MAJOR TYPE OF RISK
Risk of loss arising from change in market conditions, prices, or risk of illiquidity

How can you ‘know’ or measure Market Risk?

By Quantity or Volume of Exposure, and / or

• Delta: first-order change; sensitivity to change in prices
• Gamma: second-order change or Convexity: rate of change
• Vega: change in value / risk due to Volatility
• Theta: Time Decay
• Rho: Interest rate sensitivity
• Value-at-Risk (VaR), using a distribution of possible P&L outcomes for a current portfolio of exposures. VaR for a portfolio is the worst P&L outcome at a confidence interval (say 95th percentile) for a defined holding period

Note that VaR is NOT “worst-case” loss. It is a statistical estimate of potential loss

• Scenario Analysis and Stress-Testing
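The VaR definition above (a percentile of the P&L distribution for a holding period, explicitly not the worst case) is easiest to see on numbers. The following is an added example, not code from the deck or its author: it computes historical-simulation VaR over a constructed series of twenty daily P&L outcomes, compares it with the single worst observed loss, and adds the average loss in the tail beyond VaR. The square-root-of-time scaling to a longer holding period is a common simplifying rule assumed here, not something the slides specify.

```python
"""Historical-simulation Value-at-Risk over a sample of daily P&L outcomes.

Added example, not from the slide deck. The P&L series below is a
constructed sample (daily P&L in thousands of currency units, losses
negative) for one portfolio; holding-period scaling uses the
square-root-of-time rule, a common simplification assumed here.
"""
import math

# Constructed sample: 20 daily P&L outcomes, thousands, losses negative.
SAMPLE_PNL = [12, -3, 8, -15, 4, 6, -40, 9, -2, 11,
              -7, 5, -22, 3, 10, -1, 7, -9, 2, -60]


def losses(pnl):
    """Flip sign so that a positive number is a loss (the VaR convention)."""
    return [-x for x in pnl]


def var_historical(pnl, confidence=0.95):
    """Empirical VaR: the loss not exceeded on `confidence` of the observed days.

    Uses the order statistic at rank ceil(confidence * n); with 20
    observations the 95% VaR is the 19th-smallest loss, so exactly one
    day in the sample was worse than it.
    """
    ordered = sorted(losses(pnl))
    n = len(ordered)
    k = math.ceil(confidence * n - 1e-9)  # 1-based rank; epsilon guards float rounding
    return ordered[k - 1]


def expected_shortfall(pnl, confidence=0.95):
    """Average of the losses at or beyond the VaR rank: what the tail looks like."""
    ordered = sorted(losses(pnl))
    k = math.ceil(confidence * len(ordered) - 1e-9)
    tail = ordered[k - 1:]
    return sum(tail) / len(tail)


def worst_case(pnl):
    """The single largest observed loss; VaR deliberately stops short of this."""
    return max(losses(pnl))


def scale_to_holding_period(var_1d, days):
    """Square-root-of-time scaling of a 1-day VaR to a longer holding period (assumed rule)."""
    return var_1d * math.sqrt(days)


def var_report(pnl, confidence=0.95, holding_days=1):
    """Summary a risk report would show for one portfolio at one confidence level."""
    v = var_historical(pnl, confidence)
    return {
        "confidence": confidence,
        "var_1d": v,
        "var_holding_period": scale_to_holding_period(v, holding_days),
        "expected_shortfall": expected_shortfall(pnl, confidence),
        "worst_observed_loss": worst_case(pnl),
        "days_beyond_var": sum(1 for loss in losses(pnl) if loss > v),
    }


if __name__ == "__main__":
    for c in (0.95, 0.99):
        print(var_report(SAMPLE_PNL, c, holding_days=10))
```

On this sample the 95% VaR is 40 while the worst observed day lost 60, which is the point the slide makes: VaR tells you the loss you should expect not to exceed on 19 days out of 20, and says nothing about how bad the twentieth day can be; the expected-shortfall figure and the stress scenarios on the same slide are what cover that tail.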
OPERATIONAL RISK AS THE THIRD MAJOR RISK-TYPE

• Operational Risk is the risk of loss resulting from inadequate or failed internal processes,
people and systems; or from external events

• It specifically excludes market and credit risk judgments

Process Risks:
• Execution, Delivery & Process Management
• Business Disruption and Systems Failure

Conduct Risks:
• Clients, Products & Business Practices
• Employment Practices, Workplace safety
• Internal Theft, Fraud

External Risks:
• External Theft and Fraud
• Damage to Physical Assets
CORPORATE RISK TAXONOMY
Level 1 (Primary Risk): Business and Strategy Risk

Level 2 (Risk Category): Reputational Risk
Level 3 (Examples of Risk): Reputation risk is inherent in all business activities, and impacted by Governance, Risk, or Control failures. It includes:
• Negative media coverage and client/stakeholder attention for real or perceived misconduct
• The risk to Company's brand if Brand Ambassadors do not convey Company's brand/image properly
• Allegations of improper business practices including bribery and corruption

Level 2: Concentration of Clients and Business
Level 3:
• Specific problems or constraints or losses in some clients, geographies or markets threaten overall business returns
• Over-reliance on some clients, segments or product lines which become costly or unprofitable

Level 2: Range and depth of Banking relationships
Level 3:
• Lack of adequate banking partners in size and scale in individual markets or overall
• Lack of back-up and redundancy planning and establishment

Level 2: Competition
Level 3:
• Increased competition through new entrants or pricing squeeze
• New Technologies act as disruptors to business efficiency and pricing

Level 2: M&A and New Products/ Projects
Level 3:
• Inorganic growth through M&A creates integration issues and does not create expected synergies
• Merger partners may not reflect Company values and positions
• New Products/business/projects may surface unanticipated or unintended risks or new levels of complexity

Level 2: Recruiting/ Retention and Succession Planning
Level 3:
• An inability to attract talent
• Risk of loss of 'Key Persons'
• Loss of knowledge & experience, and adverse impact on Company's business operations

Level 2: Macro Economic & Geopolitical Risks
Level 3:
• Macroeconomic downturn/recessionary conditions globally or locally anywhere
• Disruptive outcome of elections in a country or other political disruptions
• Capital controls and new restrictions to convertibility and transfers
• Country Risk arising from sovereign and cross-border issues of any countries
Corporate Risk Taxonomy
Level 1 (Primary Risk): Franchise Risk: Legal & Regulatory

Level 2 (Risk Category): Regulatory Risk
Level 3 (Examples of Risk):
• Jurisdictional, licensing and approval needs
• Process failures that pose threats of fines, regulatory censure
• Regulatory or financial reporting requirements
• Violation of applicable regulations
• Other business operating constraints imposed by Regulations

Level 2: Compliance Risk
Level 3:
• Not recognizing applicable regulations across businesses or countries
• Prevention of money laundering (AML) and terrorist financing
• KYC, Client & account onboarding due-diligence
• Non-compliance with Tax Regulations or allegation of tax evasion
• Inadequate Financial reporting
• Illegal Conduct

Level 2: Legal Risk
Level 3:
• Not recognizing applicable Laws on business or country level
• Any material change in a law or regulation
• Litigation
• Privacy laws and requirements including jurisdiction or entity specific
• Missing or non-standard documentation, improper authorization of contracts, inadequate contractual provisions
Corporate Risk Taxonomy
Level 1 (Primary Risk): Financial - Credit Risk

Level 2 (Risk Category): Credit Risk
Level 3 (Examples of Risk):
• Defaults, write-downs and recovery shortfalls in Company’s placements, advances, prepayments, and unsecured balances, across banking partners, accounts, and clients
• Money being blocked due to capital controls and sovereign risk events
• Change in the market value of outstanding FX contracts with counterparties, which may mean that if the counterparty defaults, more money is owed to Company than originally expected (if the currency we bought has appreciated in value)

Level 1 (Primary Risk): Financial - Market Risk

Level 2: FX Risk
Level 3:
• Company’s exposures in multiple currencies may expose it to volatility, currency depreciation or devaluations, inability to manage/hedge any exposures
• The risk that Company is unable to satisfy its FX requirements, given lack of depth in a particular market
• Company’s Treasury operation, where balances are maintained in several currencies

Level 2: Liquidity Risk
Level 3:
• The risk that Company or its banking partners will have insufficient funds to meet its financial obligations as and when expected and due
Corporate Risk Taxonomy
Level 1 (Primary Risk): Operational Risk

Level 2 (Risk Category): Internal Theft & Fraud
Level 3 (Examples of Risk):
• Unauthorized Activity, Transactions or Risk-taking by employee/s
• Fraud where at least one party is internal
• Theft (internal party), embezzlement, misappropriation
• Forgery
• Any other criminal activity by staff

Level 2: External Theft & Fraud
Level 3:
• Fraud or Theft committed by third parties on Company
• Forgery or other criminal activity
• Credit Card theft or fraud, in issuance or usage
• Attempt to physically or electronically amend payment advice to embezzle money

Level 2: Physical Security
Level 3:
• Facilities are insecure and access is obtained by unauthorized person/s
• Motivations can be theft of assets or data or physical harm

Level 2: Data, Information & Cyber Security
Level 3:
• Unauthorized access to systems and records
• Theft/leakage of data & information
• Cyber-security, hacking and related issues
• Unauthorized alteration of firm or client data or information corruption by internal/external actions
• Accidental alteration or deletion of required client or Company data & information
Corporate Risk Taxonomy
Level 1 (Primary Risk): Operational Risk

Level 2 (Risk Category): Employee Behavior & Relations
Level 3 (Examples of Risk):
• Strikes, union issues preventing work or customer-service
• Racial, gender, ethnic or other allegations of discrimination in Company
• Sexual or other forms of harassment or bullying in the workplace
• Violations or implementation issues with respect to local laws & regulations
• Formal Complaints against supervisors or management
• Employee lawsuits or complaints to regulators/authorities
• Employees alleging wrongful termination or unfair compensation
• Contract workers claiming employment status

Level 2: Safety of Work Environment
Level 3:
• Unsafe Workplace for employees
• Physical threats to staff due to natural or other causes
• Safety & hygiene issues from workplace air, water and food
• Violations of laws & regulations regarding health & hygiene in offices
• Accidents and injuries in Company premises

Level 2: Systems issues
Level 3:
• Systems outages and failures
• Disabled communications
• Recovery times not met
• Power and internet failures
• Hardware and software issues impacting work and productivity

Level 2: Business Continuity issues
Level 3:
• Natural disaster or manmade disruptions affecting maintenance of business service
• Impact of earthquake, fire, flood etc.
• BCP program not maintained, tested, deployed
• Disaster Recovery issues
• Damage to Physical Assets from sources such as disasters, terrorism, vandalism
Corporate Risk Taxonomy
Level 1 (Primary Risk): Operational Risk

Level 2 (Risk Category): Operational Processes & Errors
Level 3 (Examples of Risk):
• Errors of any type including data entry and maintenance
• Product fails, flaws, errors, and defects
• Operational execution errors
• Mismanagement of payments and settlements
• Untimely, incomplete, or inaccurate card management process
• Card not issued, replaced, sent, received properly
• Errors in managing Card issuance and maintenance

Level 2: IT Change Management
Level 3:
• Unauthorized or unplanned code changes that may impact other systems
• Mismanagement in SDLC
• SLA impacts misunderstood or miscommunicated
• Segregation of duties and Separation of Environments not followed

Level 2: Lack of Scalability of Systems
Level 3:
• Systems capacity below requirements
• Infrastructure cannot cope with business volumes and complexity
• Future growth not planned and executed properly

Level 2: Client Services & Account Management
Level 3:
• Client or Partner is not on-boarded in a timely and accurate manner
• Complaints, and questions and other issues are not addressed promptly and properly
• Client Services are mis-handled
• Disputes with client regarding access, accounts, records, analysis and representation

Level 2: 3rd-party Vendor Management
Level 3:
• Vendor management process failures including background checks, approvals
• Information Security violations by vendors
• Client/customer compromise through vendor failures or incorrect service
• Ineffective management of Vendor onboarding and off-boarding
• Over reliance on outsourcing and vendors
• Lack of planning for dependencies and back-ups

IT’S A RISKY WORLD...BUT RISKS ARE FINITE AT SOME LEVEL
SECTION II
What is RISK MANAGEMENT

RISK MANAGEMENT GOAL & CHALLENGE

Gross – Hedge = Net <= Appetite
Inherent Risk – Internal Control Environment = Residual Risk <= Risk Appetite

Risk Taxonomy:
• Self Assessment
• Industry
• Audit
• Internal

Internal Control:
• Quantitative / Qualitative
• Design / Effectiveness
BUILDING RISK DISCIPLINES

CREDIT RISK
Modern History: Age > 100 years; Portfolio view > 30 years; Quantitative > 15 years; Active mitigation > 15 years
Risk Measurement: Value at Risk based on Prob (Default) : ORR, and LGD : FRR
Risk Mitigation: Target market/portfolio; Credit / approval process; Risk-based capital; Assignment/participation; Credit derivatives

MARKET RISK
Modern History: Age > 50 years; Portfolio view > 20 years; Quantitative > 15 years; Active mitigation > 15 years
Risk Measurement: Value at Risk based on Factor Sensitivity and Potential Loss
Risk Mitigation: Boundaries; Diversification; Hedging / unwinding; Risk-based capital

OPER. RISK
Modern History: Age > 20 years; Portfolio view… TBD; Quantitative < 5 years .. ?; Mitigation = TBD …?
Risk Measurement: Value at Risk based on Loss frequency and Loss severity
Risk Mitigation: Business Selection; Infrastructure investment; People mgmt. & training; Process efficiency; Risk-based capital
RISK MANAGEMENT

What ?

• Bringing together direct and circumstantial evidence to identify, dimension, manage, monitor
• Financial Risks: Credit, Market, and Liquidity exposures
• Process Risks: Execution, Business Disruption, and Systems failures
• Conduct Risks: Business Practices, Employee Environment, Internal Fraud
• External risks: Threats to people, assets, and infrastructure, External Fraud
WHAT IS RISK MANAGEMENT

How?

1. Analysis of errors, issues, incidents, losses: firm, industry, market
2. Self-Assessments & Audit Reviews: business, product, process, risk, control
3. Boundaries, Limits, Metrics and Risk & Control indicators
4. Scenario Analysis and Stress-Testing
5. Computing and allocating/charging Economic Risk Capital
WHAT IS RISK MANAGEMENT

Why?

• Educated holistic business ownership and management
• Enterprise-level performance assessment, and allocation of risk-appetite
• Identify risks, Assess and Dimension risks
• Install Controls
• Test effectiveness of controls
• Maintain risk-cost-benefit analysis
• Understand overall vulnerabilities and scenarios net of controls
• Appropriate management action and correction plans
THE CAUSES OF OPERATIONAL RISK .. SOME COMMON ISSUES

Process:
• Lack of effective procedures
• Lack of capacity
• Volume sensitivity
• Lack of effective controls
• Failure to review controls when process changes

Technology:
• Lack of systems availability due to operational failure
• Lack of systems integrity
• Inadequate control functionality
• Poor systems development and Beta testing
• Lack of strategic approach to systems design
• Lack of appropriate understanding of (complex) systems

People:
• Human error
• Unauthorised activities
• Lack of accountability for operational risk management
• Lack of integrity/honesty
• Lack of customer care
• Skills/training deficit
• Poor communication
• Concentration of expertise
• Lack of supervision

Environment – External:
• War, terrorism, disasters
• Regulatory and tax changes
• Lack of experienced staff, high costs and use of contractors
• Change management

Environment – Internal:
• Reliance on technology
• Disconnect between Capacity and Business Growth
• Continuing industry rationalisation – results in the need to integrate processes, systems and corporate cultures
The WHO of Risk Management and Control

Strategy:
• Objectives
• Culture, language
• Policy, Procedures
• Capital - Economic & Reg

Infrastructure:
• Loss, Issue, Incident data
• Assessment input/output
• Reporting infra
• Remediation resources

Business: Risk; Compliance; Finance

Lines of Defence:
• 1st Line: Business coordinators
• 2nd Line: Risk, Control, Legal; Risk Committees
• 3rd Line: Internal Audit

Risk Toolkit:
• Event Data Analysis
• Risk Control Self Assessment
• Metrics (Key Risk Indicators)
• Capital Stress
• Scenario Analysis
RISK MANAGEMENT AS A PROGRAM
• Iterative exercise
• Periodic revisit with Metrics, and Risk Control Self Assessment (RCSA)

The cycle, with Risk Management at the centre:
1. Identify Risks: informed by actual Issues & Events
2. Assess Risks: Severity & likelihood; Vulnerability & Speed; Heat-map / matrix
3. Install Controls: Required Policies; Reflect Business and Risk Policies; Include procedures; Chosen “responses” to risks
4. Implement Controls: Policy implementation; Reporting
5. Metrics & RCSA
6. Monitor

Governance (Exec Team oversees): Issues; Metrics; Assessments; Corrective Actions & Assurance

Monthly Reporting: Metrics trends; RCSA results; Remediation Plans

Metrics (Key Risk Indicators): Indicators of good health; Smoke detectors
THE LINES OF DEFENSE IN ANY ENTERPRISE

First Line of Defence: Collaborate to embed risk management into day-to-day decision making
• Risk Owner, Control Owner, Business Risk Manager
• Accountable for monitoring, testing and managing risk in the Business

Second Line of Defence: Collaborate to drive effective enterprise-wide operational risk management
• Risk Stewards, Risk Function/s
• Provide oversight, advice and risk insights, act on boundaries
MANAGING CORPORATE OPERATIONAL RISK

FOCUS ON
- PEOPLE
- PROCESS
- SYSTEMS
- RESILIENCE TO EXTERNAL SHOCKS

SECTION III
THE RISK MANAGEMENT TOOLKIT
RISK ASSESSMENT (HYPOTHETICAL)

Heat-map of risks by Likelihood (rows) against Severity (columns: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Extreme):

Definitely (5): Systems Hacking - Data Theft
Likely (4): Inaccurate Reporting; Business Continuity; Client Suitability; Product defects; Business Practices; Insider Theft; Regulatory censure
Possibly (3): Employee Relations; AML issues; Fraud; Transaction errors; Client Account Mgt; Unauthorized Acts; Workplace Mgt
Seldom (2): Compensation Issues; Physical Assets; Staff Health; Vendor Mgmt.; Hiding Transactions
Unlikely (1): Mismarking Positions; Theft by 3rd-party
CONTROL FRAMEWORK

• Contextualize vs. objectives …
  o client satisfaction
  o P/L performance
  o no-surprises
  o full compliance
  o Information flow
• Controls-framework must work for all stakeholders, for real & perceived risks
• Cost of Control must be clear

Control areas:
• Acceptable use of devices
• Access Control - Physical
• Access Control - Systems, Applications, Networks
• Accurate and Complete Transaction Capture and Execution
• Business Continuity (BCP) and Disaster Recovery Management
• Business Supervision, Legal & Regulatory Compliance
• Client Onboarding, Servicing, Account Oversight
• Data & Information Security
• Documentation
• Employee Onboarding & Management
• Employee Performance Monitoring & Corrective Action
• Fraud Prevention and Detection
• IT Change Management
• Management Information and Reporting
• Reconciliations, Valuations, and Records Management
• Third Party / Vendor Management
The derivation, treatment, and configuration of controls

Control Objectives: Basel Classification; Process Outcome; Business Rules
Control Procedures: Key Risk Metrics; Compensating Control; Cost of Control

Monitoring:
• Monitoring
• RCSA plan and checklists
• Span of control
• Residual risk indicators
• Control effectiveness

Pre Event – Design Control Configuration:
• Process Vulnerability
• Compensating Control
• Control Environment
• People & Technology

Supervisory Review; Escalation Paths; Assessment Checklists

Post Event – Incident Management:
• Detection
• Mitigation
• Escalation
• Prevention
CONTROL DESIGN & EFFECTIVENESS

• Is the control designed to mitigate the associated risk to a level articulated by the business and the published risk appetite statement?
• Is the control designed according to industry standards?
• What are the potential events that could occur associated with the specific risk?
• Does the control mitigate the potential that these events can occur?
• Are there business changes that would impair the ability of the control?
• What is the history of this control associated with mitigating the risk?
• Does the control mitigate all material risks, including regulatory risks?
• Are there gaps where risks exist without any controls?
• Is the cost of implementing the control aligned with the risk it is designed to mitigate?
• What is the cost/benefit equation?
• What are the attributes for the control?
• Is the control key or non-key, preventative vs detective, automated or manual means?
• Does the control occur at the right frequency?
• Does the control occur during the right point in the process?
• Does the executor of the control have the proper knowledge and expertise?
• Do the attributes of the control, including whether it is detective or preventative, key or non-key, manual or automated impact implementation?
RESIDUAL vs. INHERENT Risk: assess to manage

Chart: Frequency (1–5) against Severity (1–5); the Inherent Risk marker sits at Frequency 5 and the Residual Risk marker, net of controls, at Frequency 4.

Risk Management Strategies

Chart: Frequency (vertical) against Severity (horizontal), with one response per quadrant:
• High frequency, low severity: Control / Reduce
• High frequency, high severity: Avoid
• Low frequency, low severity: Accept
• Low frequency, high severity: Contain / Transfer
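The three ideas above (the “What is Risk?” relationship A – B = C <= D, the hypothetical likelihood-by-severity heat-map, and the quadrant responses on the strategies chart) fit together in a single risk-register calculation. The following is an added example, not code from the deck or its author: each register entry carries an inherent likelihood and severity, its controls take notches off one or both, and the residual score is tested against appetite. The risk names are taken from the hypothetical assessment slide; the control effects, the appetite value and the quadrant cut-off are constructed assumptions for illustration.

```python
"""Risk register scoring on a 5x5 likelihood-by-severity grid.

Added example, not from the slide deck. It applies the deck's
A – B = C <= D relationship (A = inherent risk, B = control-based
mitigation, C = residual risk, D = risk appetite) to a register of
risks, places each risk on the heat-map grid before and after controls,
and names the quadrant response from the strategies chart. The register
entries, the control effects, the appetite threshold and the quadrant
cut-off are constructed sample values, not figures from the deck.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {1: "Unlikely", 2: "Seldom", 3: "Possibly", 4: "Likely", 5: "Definitely"}
SEVERITY = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}
APPETITE = 6   # D: constructed appetite, expressed as a likelihood x severity score
HIGH = 4       # constructed cut-off: a grid value of 4 or 5 counts as "high"


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # notches taken off likelihood (preventive effect)
    severity_reduction: int = 0     # notches taken off severity (detective/containment effect)


@dataclass
class Risk:
    name: str
    likelihood: int                 # inherent likelihood, 1..5
    severity: int                   # inherent severity, 1..5
    controls: list = field(default_factory=list)

    def inherent(self):
        return (self.likelihood, self.severity)

    def residual(self):
        """Grid position after controls; a value never drops below 1."""
        like = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        sev = self.severity - sum(c.severity_reduction for c in self.controls)
        return (max(1, like), max(1, sev))


def score(cell):
    """Heat-map score for a (likelihood, severity) cell."""
    return cell[0] * cell[1]


def quadrant_response(cell):
    """Response named on the strategies chart for the quadrant the cell falls in."""
    high_freq, high_sev = cell[0] >= HIGH, cell[1] >= HIGH
    if high_freq and high_sev:
        return "Avoid"
    if high_freq:
        return "Control/Reduce"
    if high_sev:
        return "Contain/Transfer"
    return "Accept"


def assess(risk, appetite=APPETITE):
    """One register row: A, B, C, D and the C <= D test for a single risk."""
    a = score(risk.inherent())
    c = score(risk.residual())
    return {
        "name": risk.name,
        "inherent": risk.inherent(),
        "residual": risk.residual(),
        "A_inherent": a,
        "B_mitigation": a - c,
        "C_residual": c,
        "D_appetite": appetite,
        "within_appetite": c <= appetite,
        "inherent_quadrant": quadrant_response(risk.inherent()),
        "residual_quadrant": quadrant_response(risk.residual()),
    }


def heat_map(risks, residual=True):
    """{(likelihood, severity): [risk names]} for drawing the matrix."""
    grid = {}
    for r in risks:
        cell = r.residual() if residual else r.inherent()
        grid.setdefault(cell, []).append(r.name)
    return grid


def exceeding_appetite(risks, appetite=APPETITE):
    """Names of risks whose residual score still breaches appetite: the remediation list."""
    return [r.name for r in risks if score(r.residual()) > appetite]


def sample_register():
    """Constructed register using risk names from the hypothetical assessment slide."""
    return [
        Risk("Systems Hacking - Data Theft", 5, 5, [
            Control("Access Control - Systems, Applications, Networks", likelihood_reduction=2),
            Control("Encryption of confidential data in storage and transit", severity_reduction=2),
            Control("Security monitoring and incident management", severity_reduction=1),
        ]),
        Risk("Transaction errors", 4, 3, [Control("Reconciliations", likelihood_reduction=1)]),
        Risk("Theft by 3rd-party", 1, 4),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        print(assess(r))
    print("Exceeding appetite:", exceeding_appetite(register))
```

Two design points are worth noting. Controls are modelled as moving a risk on the grid rather than subtracting from a score, because a preventive control (access control) and a containment control (encryption, monitoring) act on different axes, which is what the design-versus-effectiveness questions later in the deck ask about. And the appetite test is the binding decision: a risk can end up in the “Accept” quadrant and still exceed appetite, as the constructed “Transaction errors” entry does, which is exactly the case that belongs on the remediation list.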
Risk Control Self Assessment (RCSA)

1. To enable the organisation to capture all material risks and their associated controls

2. To compare the level of risks against the organisation’s risk appetite

3. To review and assess the effectiveness of inherent control systems

4. To prioritise the organisation’s risks for control improvement

5. To form a basis for scenario analysis of key risks

6. To promote cultural awareness of risk throughout the organisation

Paul H. O’Neill : CEO ALCOA (1987 - 2000), later US Treasury Secretary

Profits down, quality & productivity poor, morale toxic, workers burn manager-effigies
O’Neill comes in, announces goal: Choose one metric; target to manage and improve Alcoa

“Worker Injuries”
No matter what it cost, Alcoa was going to drive toward zero injuries

Within a year, the company’s profits reached a record high
When O’Neill retired 12 years later, net income & market cap had quintupled
From one accident/branch/week, ALCOA worker injury now at 5% of U.S. average… How?

Organization disrupted; each injury had to be reported by unit CEO, with never-again plan
Required fast clear comms with the VPs and they with managers
Suddenly everybody had to study work processes, quality, efficiency, reporting structures …

Changed how they ran business, adopted root-cause and problem solving
The single Safety metric destroyed pervasive bad habits and poor process management

So ….. WHAT IS YOUR KEYSTONE METRIC ?
Key Risk Indicators: what are they?

• KRIs are metrics to monitor the main drivers of OpRisk exposure.
• KRIs complete the OR toolkit … Losses, RCSA, Scenario Analysis, Capital
• KRIs identify weakness, enhance process efficiency, reduce Loss frequency/severity
• KRIs will usually be a combination of
  • Indicators of well being (vital signs)
  • Views of risk, as smoke detectors
  • Metrics of Control design and effectiveness
• KRI may measure environment/inherent exposure (e.g. # of customers or volumes) or the effectiveness of controls (e.g. # of failed trades).
• KRIs must be quantitative, to enable verification and scenario analysis, and forward-looking/coincident, recognizing improvement and deterioration.
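The “smoke detector” role of a KRI depends on two things the bullets above name: a threshold the value is judged against, and a trend that recognises improvement or deterioration before a threshold is crossed. The following is an added example, not code from the deck or its author: it builds a small dashboard from one exposure KRI (# of customers) and one control-effectiveness KRI (# of failed trades), both named on the slide, normalises the second by the first, and adds a percentage indicator where the bad direction is downwards. The thresholds, the six months of observations and the 5% trend band are constructed sample values.

```python
"""KRI monitoring: threshold status and direction of travel for a small dashboard.

Added example, not from the slide deck. Each indicator gets a RAG status
from amber/red thresholds and a trend from its recent history, so the
dashboard distinguishes "bad but stable" from "deteriorating". Indicator
names follow the KRI examples in the deck; thresholds, the monthly
observations and the trend band are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class KRI:
    name: str
    amber: float
    red: float
    higher_is_worse: bool = True   # False for e.g. a completion percentage
    kind: str = "control"          # "exposure" (inherent driver) or "control" (effectiveness)


TREND_BAND = 0.05   # constructed: within +/-5% of the recent baseline counts as STABLE
WINDOW = 3          # constructed: baseline = mean of the 3 observations before the latest


def status(kri, value):
    """RAG status of a single observation against the KRI's thresholds."""
    if kri.higher_is_worse:
        return "RED" if value >= kri.red else "AMBER" if value >= kri.amber else "GREEN"
    return "RED" if value <= kri.red else "AMBER" if value <= kri.amber else "GREEN"


def trend(history, window=WINDOW, band=TREND_BAND):
    """Compare the latest observation with the mean of the preceding `window` points."""
    if len(history) <= window:
        return "INSUFFICIENT DATA"
    baseline = sum(history[-window - 1:-1]) / window
    latest = history[-1]
    if latest > baseline * (1 + band):
        return "RISING"
    if latest < baseline * (1 - band):
        return "FALLING"
    return "STABLE"


def direction(kri, trend_label):
    """Translate a trend into improvement/deterioration given which way is bad."""
    if trend_label in ("STABLE", "INSUFFICIENT DATA"):
        return trend_label.lower()
    worsening = (trend_label == "RISING") == kri.higher_is_worse
    return "deteriorating" if worsening else "improving"


def assess(kri, history):
    """One dashboard row for a KRI and its oldest-first history."""
    t = trend(history)
    return {"name": kri.name, "kind": kri.kind, "latest": history[-1],
            "status": status(kri, history[-1]), "trend": t, "direction": direction(kri, t)}


def per_thousand(numerators, denominators):
    """Normalise a control KRI by an exposure KRI (e.g. failed trades per 1,000 customers)."""
    return [n / d * 1000 for n, d in zip(numerators, denominators)]


# Constructed monthly observations (6 months, oldest first).
CUSTOMERS = [1000, 1050, 1100, 1150, 1200, 1250]
FAILED_TRADES = [12, 14, 13, 15, 22, 31]
TRAINING_COMPLETE_PCT = [96, 95, 93, 90, 88, 84]

KRIS = {
    "customers": (KRI("# of customers", amber=1500, red=2000, kind="exposure"), CUSTOMERS),
    "failed_trades": (KRI("# of failed trades", amber=20, red=30), FAILED_TRADES),
    "failed_per_1k": (KRI("failed trades per 1,000 customers", amber=15, red=25),
                      per_thousand(FAILED_TRADES, CUSTOMERS)),
    "training": (KRI("% staff completed mandated training", amber=90, red=85,
                     higher_is_worse=False), TRAINING_COMPLETE_PCT),
}


def dashboard():
    """Key -> assessment for every KRI: the smoke-detector view in one dict."""
    return {key: assess(kri, history) for key, (kri, history) in KRIS.items()}


if __name__ == "__main__":
    for row in dashboard().values():
        print(f"{row['name']:40} {row['latest']:>8.1f} {row['status']:6} "
              f"{row['trend']:8} {row['direction']}")
```

The normalised indicator is the one to watch in this sample: raw failed trades are red and rising, but customers are rising too, and the per-thousand figure shows the failure rate climbing faster than volume, which points at a control losing effectiveness rather than at growth alone. The training indicator shows why `higher_is_worse` has to be part of the definition: a falling value there is the deterioration.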
Examples of KRIs

External Events – Key Risks:
Conflicts; Suitability Issues; Improper Business Practices; Fraud; Audit Issues; Price Verification; Settlement Process; System Back Up/Security; Risk Report Themes; Unconfirmed Trades; Model Control; Supervisory Procedures

Example KRIs:
• Complaints from clients and counterparties
• Critical System Outages – number, duration
• Confirmations – total number unconfirmed > 30 Days
• Front-Office to Back-Office breaks - gross value, net
• Staff - # not completed mandated training
• Number of transaction capture errors
• Price Verification - verified vs. unverified prices
• Limit Breaches – Market & Credit Risk, Price, Liquidity
• Regulatory Reporting – late submissions
Key Risk Indicators ... examples

External Events – Key Risks:
Conflicts; Suitability; Improper Practices; Fraud; Audit Issues; Information Security; Inappropriate access; System entitlements; Risk Reports; Documentation gaps; Incomplete Deal Approvals; Improper Activities

Example KRIs:
• Missed Approvals - Conflicts, legal, documentation …
• Policy Exceptions - Approved & unapproved
• Due Diligence - Completions, lead time given
• Employee Personal Investment Policy Failures
• Documentation Exceptions - detected exceptions
• Staff Turnover - by function and division
• Employee Lawsuits - ageing, volume, amounts
• Staff Training – hours per employee, training days
• Assessment Exceptions - detections / open issues
• Info Security – hacking, password fails or breaches
Key Risk Indicators ... examples

External Events – Key Risks:
Regulatory Reporting; KYC / Suitability; Improper Practices; Fraud; Audit Issues; Information Security; Processing Controls; Inadequate COB Plans; Risk Reports; AML Compliance; Tax Withholding

Example KRIs:
• Untimely Regulatory Reports
• KYC Documentation exceptions
• Employee Compliance Failures
• Unauthorized Transactions - # and amount
• Events & losses due to external fraud or theft
• Information Security Incidents
• Transaction Processing errors, delays
• BCP Testing failures
• Transactions unsuitable for customer profile
• Inadequate customer documentation
• Staff training issues
• Tax withholding, remittance & reporting issues
“Deep Dives” against Large Risk Events and Losses

Identify Risk Drivers:
• What could have prevented the loss?
• What factors influenced the size of the loss?

Assess Controls:
• What controls failed / didn’t exist?
• Covered in RCSA/Audits of the Entity that caused the loss?
• Where else could such a control failure occur?

Identify Metrics:
• Could existing metrics have warned of trouble?
• What new metrics should track risk drivers/control weakness?
• What set of metrics would best capture the end-to-end risks?

Dimension Size and Frequency:
• When and how might the loss have been significantly larger?
• Could such losses occur more frequently?
• What do external events in this space teach us?

Test Capital Adequacy:
• Does capital adequately cover stresses?
• What about the “perfect storm”?
Process / Control Analysis

1. Who Cares?
• Who would like to see this problem fixed?

2. Relevant Data
• Loss data, KRIs, exception reports, assessment data…
• Where else are these problems seen?
• Where are similar problems prevented?

3. End-to-End Process
• Who does what?
• What assumptions are made but not tested?

4. Inefficiencies
• What steps in the process can be simplified, eliminated?
• Can automation help?

5. Weak Points
• Are controls missing or sloppy?
• Would better MIS help?

6. Fixes
• Agreement end-to-end on solutions
• Where else could such solutions make a difference?
Scenario Analysis

1. Could it Happen?
• Do we face a previously unrecognized risk?
• In which businesses, regions?

2. Who Cares?
• Who would be most hurt?

3. Would it Happen?
• What controls can prevent an event?
• Do they exist and work well?
• Would existing metrics warn of trouble?

4. How big?
• What data is available about past frequency and scale?
• What factors drive the size of the impact?

5. Fixes
• Control improvements?
• Better metrics?

6. Capital Impact
• Would it happen HERE?
• If so, how big could it be HERE?
• Is capital sufficient?
Integrated Risk data analysis towards understanding vulnerabilities

Chart: Internal Losses, RCSA, Metrics, External Losses, Audit Data, Financials and Scaling flow through Shared Utilities (Hierarchies, Report Writer) towards Scenarios, Controls and Capital.


SECTION III
FLAVOURS OF RISK

Special risks on radar screens today
INFORMATION SECURITY MANAGEMENT

• Computer information systems and networks are an integral part of business.
• Firms make substantial investments in human, financial, and technological resources to create these systems, networks, and applications
• Clients entrust firms with a substantial amount of data and information which reside on these systems
• Clear policies and procedures are essential
  • to protect these investments,
  • safeguard proprietary and client information within the systems,
  • reduce business and legal risk, and
  • protect reputations
INFORMATION SECURITY POLICIES & PRACTICES
Key elements of Information Security policy and practice:

o Acceptable use, Unacceptable use
o Access Control, User Entitlements
o Confidential Data, data security in storage and transit, encryption protocols
o Codes and passwords, Networks, Internet, Email, Websites
o Downloads, Copyrights
o Vulnerability, virus, malware
o Clean Desk requirements
o Hardware, Hardware Purchasing, Hardware standards
o Outside equipment, removable devices, media, Wifi ….
o Software, Software Standards, Software Purchasing /Installation, Licensing
o Administration, Employee, Supervisor, “Security Officer” Responsibilities
o Security maintenance, testing, incident reporting & management
BUSINESS CONTINUITY & DISASTER RECOVERY (‘BCP’)
• Business Continuity speaks to keeping the firm running during a period of displacement, interruption, or disruption
• Disaster Recovery is the process of effectively rebuilding the operation or infrastructure after the event
• A ‘Business Continuity Plan’ is the set of information & procedures for use in the event of an emergency or disaster

Situations that should be envisaged in a BCP include:

a) Equipment & technology fail, telecomms, systems, network outage or failure
b) Sustained disruption of power, making it infeasible to conduct business
c) Application failure or significant corruption of databases
d) Human error, sabotage or related significant disruption
e) Discovery of malicious software such as viruses, worms, Trojan horses
f) Hacking or other Internet attacks
g) Social unrest or terrorist attacks
h) Fire and Natural disasters such as Flood, Earthquake, Hurricanes
i) Pandemic
BUSINESS CONTINUITY & DISASTER RECOVERY (‘BCP’)

There are four major considerations for a firm in any BCP situation:

- Safety & Health of all employees
- Client and firm data safety
- Ability to rally the team/s that will help manage operations and weather the crisis
- Ability to restore normal operations, focused on people safety, client service, data protection, reputation, and full business

Ergo, key drivers of a BCP program are:

- Employee evacuations and protection
- Crisis Communications across all stakeholders
- Back-up Locations & Facilities
- BCP Training and Testing
- Disaster Recovery Planning and execution
VENDOR MANAGEMENT
An effective Vendor (all third-party relationships) management process includes:
o Identification of inherent risks: selection, due-diligence, oversight of vendors
o Documentation that outlines the rights and responsibilities of all parties
o Roles & responsibilities in monitoring vendor activities and performance
o Contingency plans for terminating any relationship in an effective manner

The following should be covered in Vendor Due-Diligence AND monitoring:

o Financial Condition, Strategies and Goals
o Legal and Regulatory Compliance
o Business Experience and Reputation
o Qualifications, Backgrounds, and Reputations of Company Principals
o Risk Management
o Information Security; Management of Information Systems
o Business Continuity, Disaster Recovery, Resilience
o Incident-Reporting and Management Programs
o Physical Security
o Reliance on Subcontractors
o Insurance Coverage
CLIMATE CHANGE MANIFESTS INTO BUSINESS RISKS

Business & climate-change-related risks flow through Risk Appetite, Strategy, the Business and ERM into the firm's
financial and non-financial risk types: Credit, Market, Operational, Liquidity, Legal & Conduct, Reputational.
Two drivers are distinguished: Physical risk and Transition risk.

Physical risk:
• Credit: increase in inability to pay, resulting in increase in PD, LGD, EAD; reduction in collateral value
• Market: higher volatility; price shocks; credit spread increase; markets mispricing
• Operational: damage to physical assets, people and processes; invoking of DR and BCP
• Liquidity: margin calls; unexpected withdrawals; systemic liquidity crunch due to Market, Credit and Ops risks
• Legal & Conduct: lawsuits due to not following guidelines; mis-selling; personal liability of senior management
• Reputational: insolvency; regulatory fines; loss of customers

Transition risk:
• Credit: increase in capex due to investment in upgrade of assets and technology; higher cost of borrowing
• Market: tighter requirements for existing high-risk products; abrupt index reset
• Operational: risk of current assets becoming obsolete fast, and higher cost of replacing them
• Liquidity: fall in the liquidity of assets due to obsolescence; inability to dispose of the assets at reasonable valuation
• Legal & Conduct: abrupt transition will mean business models failing, leading to loss of jobs and failing contracts;
slow transition would call for social & governance issues
• Reputational: business models becoming unviable; management expertise and firm's talent pool not scaling quickly;
tight regulatory timelines

Either way the outcome is: Higher Provisions, Higher RWA, Higher Capital Requirements
CLIMATE RISK STRATEGY DEVELOPMENT APPROACH
A structured approach for Climate Risk strategy development helps navigate a
complex decision-making landscape.

01 UNDERSTAND REQUIREMENTS
• Clearly understand the regulatory and business requirements
• Document requirements
• Create road map, project plan and timeline
• Track project milestones and timelines

02 ESTABLISH GOVERNANCE
• Establish climate change program governance model, strategy, people
• Establish dedicated teams tasked with defined objectives
• Create action plans to remove any project road blocks

03 IMPACT & GAP ANALYSIS
• Perform impact study across business policy, process, product, systems & application
• Assess current practices and gap analysis based on questionnaire
• Analyze and document the existing gaps in process, data, application etc.

04 DATA CONSIDERATIONS
• Define a strategy to collect exhaustive information from internal and external sources
• Establish comprehensive data sourcing, compilation, validation, enrichment, audit & input into models

05 RISK MANAGEMENT & SCENARIO ANALYSIS
• Identify risk factors that materially impact the client’s portfolio
• Define & design scenarios by incorporating material risk factors into the scenarios
• Calculate Physical and Transition risk

06 INTEGRATE WITH MAINSTREAM
• Define a strategy to integrate climate factors into governance, strategy, risk appetite, models’ processes, and disclosures
• Roll out of new products and services

07 STRATEGY, TECH & ARCH; METRICS & REGULATORY DISCLOSURES
• Create a reporting framework that is flexible to address multiple regulatory and internal reporting needs
• Create an actionable, insightful periodic disclosure, keeping multiple stakeholders in mind
PROJECT RISK

Risk Principles for Project Risk Management

• Define the Scope of Work for a Project. Including: ...
• Identify Risks as Early as Possible. ...
• Identify Opportunities ...
• Assign Importance to the Risk. ...
• Figure Out How to Respond to the Risk. ...
• Maintain a Risk Log. ...
• Regularly Review Project Risks

Types of Project Risks

• Financial Risks: Financial risks involve a project's monetary factors. ...
• Strategic Risks: Strategic risks involve the strategies chosen
• Performance Risks: Performance risks involve overall project performance.
PROJECT RISK MANAGEMENT

Project Risk Management: Golden Rules

• Have a Risk Management Strategy. ...
• Keep an Eye Out For Risks from the Start. ...
• Involve Team Members. ...
• Do a SWOT Analysis. ...
• Appoint Risk Owners. ...
• Prioritize Risks. ...
• Conduct Detailed Risk Analysis. ...
• Implement Risk Response.
CONTROL FRAMEWORK

• Contextualize vs. objectives …
Ø client satisfaction
Ø P/L performance
Ø no-surprises
Ø full compliance
Ø information flow

• Controls-framework must work for all stakeholders, for real & perceived risks

• Cost of Control must be clear

Control areas covered by the framework:
Acceptable use of devices
Access Control - Physical
Access Control - Systems, Applications, Networks
Accurate and Complete Transaction Capture and Execution
Business Continuity (BCP) and Disaster Recovery Management
Business Supervision, Legal & Regulatory Compliance
Client Onboarding, Servicing, Account Oversight
Data & Information Security
Documentation
Employee Onboarding & Management
Employee Performance Monitoring & Corrective Action
Fraud Prevention and Detection
IT Change Management
Management Information and Reporting
Reconciliations, Valuations, and Records Management
Third Party / Vendor Management
LET’S TALK MORE ABOUT RISK AT L AND T

BRIEF PAPER ON BUSINESS CHALLENGE

• Everyone individually reads for say 15 minutes
• Open class discussion: 60 minutes
• Please open up the discussion to all Q & A
Issues of Risk Management v Business Management

Leaving some big picture issues unresolved leads to devastating results.

• Immature or missing foundational governance and business practices –including but not limited to
corporate policies, vendor management, strategic planning, and even a true operating budget.

• Poor communication from leadership – without clear and consistent communication between executives,
managers, and employees, rumors will begin circulating, leading to even bigger headaches such as negative
workplace culture. According to a survey, risk professionals consider tone at the top to be one of Enterprise
Risk Management’s biggest hurdles.

• Constantly shifting priorities – without clear goals that remain steady, the company will struggle to focus
on execution and completion, leading to a lot of half-finished projects.

• No clear roles and responsibilities – without knowing who is responsible for what, when, where, and how,
the company will not be able to keep the right persons on track with goals with accountability (including
executives) should a particular goal fall short.
Consequences when not proactive in managing threats and opportunities

• Fines and other regulatory or legal action
• Elevated employee turnover
• Product or project failure
• Business failure
• Missed opportunities
• Customer dissatisfaction
• Decreased market share, profit, and financial loss
• Negative or damaged reputation

(these are deliberately mis-ranked... Or are they ?! How would you rank them?!)
Being “too proactive” and overly focused (obsessed) on managing risks

What does it mean and what are the consequences

• Everyone is focused on getting every risk “green”.

• Management and/or the Board is extremely risk averse

• Transferring too much risk to other companies

Note that Issues like these illustrate the importance of tools like risk appetite and tolerance
WHAT IS RISK MANAGEMENT AT THE BUSINESS LEVEL

• Risk management is the application of continual analysis across financial, strategic, systems,
human and organizational problems to improve business performance

• Objectives of the Risk Management Process:

• Attempts to identify, assess, and manage corporate risks
• Supports the strategic plan, defining capacity and appetite for risk
• Assigns clear responsibilities for MANAGING, MONITORING, OPTIMIZING risks
• Monitors individual, departmental, and corporate progress to manage risk

• Input > Process > Output > Feedforward > Feedback > Monitoring > Governance
BUSINESS RISK STRATEGY
• The purpose of risk management is to help the firm make better decisions, to set direction,
gain commitment, keep control, and resolve uncertainty. Key questions:

o Where were we – an analysis of the firm’s trending historic position
o How did we get here – a critical examination of good and bad elements
o Where are we now – an assessment of the current environment
o Where are we going – setting directions and targets
o How are we going to get there – tools and techniques for decision-making

• Forward-looking risk processes include budgeting resources, developing necessary skillsets
to assess risks across new businesses, products, changes etc.
• Feedback processes assess outputs in terms of economy (least amount of input), efficiency
(outputs/inputs) and effectiveness (meeting goals).
• The true measure of performance is in whether the organization believes that risk is being
managed better than unmanaged, or managed in a radically different way
Role of a Business Manager in Risk Management?

1. Risk Identification: Business managers are responsible for identifying potential risks and hazards that could
impact the organization's operations, reputation, or financial stability. This involves conducting risk assessments,
reviewing historical data, and analyzing industry trends to proactively identify risks.

2. Risk Assessment: Once risks are identified, business managers assess the potential impact and likelihood of
occurrence. They evaluate the severity of risks and prioritize them based on their significance to the organization's
objectives and goals.

3. Risk Mitigation: Business managers develop strategies and implement measures to mitigate identified risks.
This involves creating risk management plans, implementing internal controls and procedures, and ensuring
compliance with regulatory requirements. They may also collaborate with other departments or teams to
address specific risks effectively.

4. Risk Monitoring: Business managers continuously monitor risks and mitigation efforts. They track key risk
indicators, review incident reports, and analyze data to identify emerging risks or changes in risk profiles.
Regular monitoring helps ensure that mitigation measures remain effective and aligned with the risk landscape.

5. Communication and Reporting: Business managers play a vital role in communicating risk-related information to
relevant stakeholders, such as senior management, board members, or regulatory bodies. They prepare risk
reports, provide updates on risk management activities, and communicate any changes in risk exposure or
mitigation strategies.

6. Risk Culture and Awareness: Business managers foster a risk-aware culture within the organization by
promoting risk awareness and education among employees. They provide training programs, establish risk
management frameworks, and encourage proactive risk identification and reporting at all levels.

7. Continuous Improvement: Business managers actively seek opportunities for continuous improvement in risk
management processes. They assess the effectiveness of existing controls and procedures, evaluate the impact of
risk management initiatives, and implement necessary adjustments or enhancements to optimize risk
management practices.
The Problem with Operational Risk

• Potential losses are practically unbounded

• Exposure is undefined and undimensioned
• Losses are not capped, e.g. by Credit Risk Limits or Market Risk Stop Losses
• Observed loss amounts are not simply related to firm size, although there is evidence of
deep-pocket premiums, e.g. lawsuits and regulatory settlements
• Loss severity distributions are fat-tailed
• The payoff profile is asymmetric

• Risks are not easily controlled in the short term

• Limited ability to ‘trade down’ or ‘close positions’
• Risks often only recognized ‘after the fact’
• Often significant lags between cause and effect
• Management and Measurement of Risk follow diverse paths

• Capital need is driven by the risk of infrequent but extremely large events
The Problem with OpRisk Management

• Ex-Ante vs Ex-Post: historical, rear-view mirror …
• “What” are we managing, and who owns the “So-What”
• Tool-kit elements disparate, outmoded: the dots are un-join-able
• Same brush applied to High-Severity and High-Frequency risks
• Focus on Measurement v. Management - achievement of neither
• Stakeholders tired of assessments, form-filling, bean-counting
• Regulators, Auditors, Media .... seen to focus on form, not substance
• So Management says stay away from us, just keep the Regulators happy
• All in all, the default approach is therefore Compliance and Audit, not Risk Management
Operational risk management:
1. What is operational risk?
a) The risk of financial losses due to market volatility
b) The risk of legal and regulatory non-compliance
c) The risk of losses resulting from inadequate or failed internal processes, people, and systems
d) The risk of damage to physical assets
Answer: c) The risk of losses resulting from inadequate or failed internal processes, people, and systems
2. Which of the following is NOT a category of operational risk?
a) Fraud and theft b) Human error c) Market risk d) Technology risk
Answer: c) Market risk
3. True or False: Operational risk is limited to financial institutions and banks.
Answer: False
4. Which of the following is an example of an internal operational risk event?
a) A natural disaster b) A data breach c) A terrorist attack d) Employee fraud
Answer: d) Employee fraud
5. What is the purpose of a risk assessment in operational risk management?
a) To eliminate all operational risks
b) To transfer operational risks to insurance companies
c) To identify, assess, and prioritize operational risks
d) To outsource operational risks to third-party vendors
Answer: c) To identify, assess, and prioritize operational risks
6. Which of the following is an example of a key risk indicator (KRI)?
a) Number of customer complaints
b) Stock market index fluctuations
c) GDP growth rate
d) Interest rate changes
Answer: a) Number of customer complaints
7. True or False: Risk mitigation measures should be implemented before identifying operational risks.
Answer: False
8. What is the purpose of a business continuity plan (BCP)?
a) To prevent all operational risks from occurring
b) To transfer operational risks to external parties
c) To ensure the continuation of critical business operations in the event of disruptions
d) To shift operational risks to different departments within the organization
Answer: c) To ensure the continuation of critical business operations in the event of disruptions
OpRisk Scenarios
Scenario 1: A company's finance department discovers that an employee has been embezzling funds over a period of several years.
The employee manipulated financial records to cover up the theft. This incident leads to significant financial losses for the company
and reputational damage. What type of operational risk event occurred in this scenario?

Scenario 2: A manufacturing company heavily relies on a single supplier for a critical component in their production process. Due to a
sudden disruption in the supplier's operations, they are unable to deliver the component for several weeks. As a result, the
manufacturing company faces production delays, customer order cancellations, and increased costs to find an alternative supplier.
Question: What type of operational risk is evident in this scenario?

Scenario 3: An online retail company experiences a cybersecurity breach where customer data, including credit card information, is
compromised. The breach occurs due to a vulnerability in the company's website security, allowing hackers to gain unauthorized
access to sensitive information. The company faces legal penalties, customer backlash, and a loss of trust. What is the primary risk in
this scenario?

Scenario 4: A multinational corporation operates in a country where frequent political unrest and protests occur. During one such
protest, the company's manufacturing facility is vandalized, resulting in damage to equipment, inventory, and disruption of
operations. The company did not have a contingency plan in place for such events. Which type of risk was not adequately addressed
in this scenario?

Scenario 5: A software company launches a new product without conducting thorough testing and quality assurance. Shortly after
release, customers start reporting critical bugs and system crashes, leading to widespread dissatisfaction and negative reviews. The
company experiences financial losses and damage to its brand reputation. What risk management failure occurred in this scenario?
Key Risk Indicators (KRIs)

What are Key Risk Indicators (KRIs)?
a) Metrics that measure the likelihood or impact of risks occurring
b) Indicators that measure the effectiveness of risk management controls
c) Metrics that measure the financial impact of risks on an organization
d) Indicators that measure the level of compliance with regulatory requirements
Answer: a) Metrics that measure the likelihood or impact of risks occurring

Which of the following is an example of a leading KRI?
a) Number of workplace injuries
b) Number of customer complaints
c) Number of cybersecurity incidents
d) Number of days to complete a project
Answer: c) Number of cybersecurity incidents

Which of the following is an example of a lagging KRI?
a) Revenue growth rate b) Customer satisfaction score c) Inventory turnover rate d) Employee turnover rate
Answer: d) Employee turnover rate

Why are KRIs important for effective risk management?
a) They provide an early warning of potential risks before they materialize
b) They help to prioritize risk management efforts and resources
c) They help to measure the effectiveness of risk management controls
d) All of the above
Answer: d) All of the above

What is the difference between KRIs and Key Performance Indicators (KPIs)?
a) KRIs measure risks while KPIs measure performance
b) KRIs are leading indicators while KPIs are lagging indicators
c) KRIs focus on negative outcomes while KPIs focus on positive outcomes
d) KRIs and KPIs are the same thing
Answer: a) KRIs measure risks while KPIs measure performance
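The KRI questions above say what a KRI is for: early warning, prioritisation, and a check on whether controls hold. What they do not show is how a KRI is actually operated, which is the part that goes wrong in practice (no window, no appetite threshold, no trend, so nobody acts until the number is already red). The following is an added example, not part of the original deck, of the mechanics: each KRI is computed over a rolling window of security events, compared against an amber (appetite) and red (tolerance) threshold, and the trend against the previous window is recorded so that an amber that is rising is escalated before it turns red. The events, event kinds, KRI names and threshold values are all constructed here for illustration and are not taken from any real firm or from the slides.

```python
"""KRI monitoring over a rolling window with RAG thresholds and trend.

Added example. The event data, KRI definitions and thresholds below are
hypothetical and constructed for illustration only.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str  # login_ok | login_fail | phish_sent | phish_click | incident


def _batch(day: str, kind: str, n: int) -> List[Event]:
    """Constructed sample data: n events of one kind on a given day."""
    return [Event(datetime.fromisoformat(day), kind) for _ in range(n)]


# Constructed sample data (hypothetical), not taken from any real system.
SAMPLE_EVENTS: List[Event] = (
    # previous week: healthy logins, a bad phishing test, four incidents
    _batch("2023-05-11", "login_ok", 10) + _batch("2023-05-11", "login_fail", 1)
    + _batch("2023-05-12", "phish_sent", 20) + _batch("2023-05-12", "phish_click", 2)
    + _batch("2023-05-13", "incident", 4)
    # current week: failed logins climbing, phishing improved, incidents unchanged
    + _batch("2023-05-18", "login_ok", 9) + _batch("2023-05-18", "login_fail", 3)
    + _batch("2023-05-19", "phish_sent", 20)
    + _batch("2023-05-20", "incident", 4)
)


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float  # appetite threshold: at or above this the KRI is AMBER
    red: float    # tolerance threshold: at or above this the KRI is RED
    compute: Callable[[Counter], float]  # derives the metric from event counts


def _ratio(num: int, den: int) -> float:
    # A window with no denominator events is reported as 0.0, not an error.
    return num / den if den else 0.0


# Hypothetical KRI set and thresholds (an assumption of this example).
KRIS: List[KRI] = [
    KRI("failed_login_ratio", 0.20, 0.40,
        lambda c: _ratio(c["login_fail"], c["login_ok"] + c["login_fail"])),
    KRI("phish_click_rate", 0.05, 0.10,
        lambda c: _ratio(c["phish_click"], c["phish_sent"])),
    KRI("incidents", 2, 4, lambda c: float(c["incident"])),
]


def rag(kri: KRI, value: float) -> str:
    """Map a metric value onto the red / amber / green appetite bands."""
    if value >= kri.red:
        return "RED"
    if value >= kri.amber:
        return "AMBER"
    return "GREEN"


def window_counts(events: List[Event], start: datetime, end: datetime) -> Counter:
    """Count event kinds in the half-open interval [start, end)."""
    return Counter(e.kind for e in events if start <= e.ts < end)


def evaluate(events: List[Event], now: datetime,
             window: timedelta = timedelta(days=7)) -> Dict[str, Tuple[float, str, str]]:
    """Return {kri_name: (value, RAG status, trend vs previous window)}."""
    cur = window_counts(events, now - window, now)
    prev = window_counts(events, now - 2 * window, now - window)
    report = {}
    for kri in KRIS:
        value, before = kri.compute(cur), kri.compute(prev)
        trend = "rising" if value > before else "falling" if value < before else "flat"
        report[kri.name] = (round(value, 3), rag(kri, value), trend)
    return report


def needs_escalation(report: Dict[str, Tuple[float, str, str]]) -> List[str]:
    """Escalate anything RED, plus anything AMBER and rising (the early warning)."""
    return sorted(name for name, (_, status, trend) in report.items()
                  if status == "RED" or (status == "AMBER" and trend == "rising"))


def sample_report() -> Dict[str, Tuple[float, str, str]]:
    """Evaluate the constructed sample as of 24 May 2023."""
    return evaluate(SAMPLE_EVENTS, datetime(2023, 5, 24))


if __name__ == "__main__":
    rep = sample_report()
    for name, (value, status, trend) in rep.items():
        print(f"{name:20} {value:>6} {status:6} {trend}")
    print("escalate:", needs_escalation(rep))
```

The design point is the escalation rule, not the arithmetic: a KRI that is merely amber is within appetite, but amber and rising is the "smoke detector" signal the deck keeps returning to, and it is worth more than a red that has been flat for weeks and is already being managed.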
FINAL THOUGHTS

• Risk is rarely “absolute” ... It is always “relative” to Capacity, Appetite, and Returns
• Risk is about problem and opportunity
• Risk-Management = Business-Management. Embed it
• Understand and manage your Unusual, Unintended, Unacceptable
• Find and nurture join-the-dots intelligence for your firm … silos kill
• Metrics and Assessments are key, as indicators of Well-Being and Smoke-Detection
• The ‘What’ is interesting, but the ‘So-What’ is vital
• Financial risks are easy to dimension; not so behavior, reputation, franchise,
credibility .... survival ... goal is to maximize not {current $}, but NPV($, $..... $)
FINAL FINAL THOUGHTS ….
v Avoiding the Monday, Tuesday, Wednesday syndrome ..
v Models don’t kill markets, people do … and their fears, greed, ego, biases
v Culture means how we do business, to optimize cost-benefit-risk tradeoffs
v Plan, hire, train, and manage People as your greatest assets, and greatest liabilities. Trust but Verify.
v Transfer lessons learnt to institutional memory, never be coy about publicizing …
v When in a hole, stop digging. Risk can become near-fatal based on your response
v Silos are fatal: the way risk manifests is irrelevant, labels are redundant
v Join-the-dots intelligence is a critical and worthwhile investment
v Okay, final question .... Is crossing a road risky ?
What information allows the answer? How should the question be posed ?
THANK YOU ….. QUESTIONS?

Jaidev Iyer
JAIDEV@J-RISKADVISORS.COM
+91-63749-67019