cc metric issue 02
DESCRIPTION
Monthly Newsletter from Chase CooperTRANSCRIPT
Operational Risk appetite:Time to talk some sense?European stress tests kicked offThe second round of stress tests for EU
banks were initiated in early March when
the EBA released their specified scenarios
to be used by the banks for checking
on capital and liquid assets
requirements. These scenarios will
provide both a baseline and an
adverse macroeconomic situation to
assess the solvency of the banks
involved. The adverse macro‐
economic scenario, designed by the
European Central Bank, incorporates
a significant deviation from the
baseline forecast and country‐specific
shocks on property prices, interest
rates and sovereign situations.
The EBA said that the tests were designed
to reassure investors and regulators that
banks have enough capital and liquid
assets to survive another crisis. After the
regulators receive feedback from the
industry, the scenario details will be made
public this month along with a sample of
the banks involved. The EBA will work with
national regulators on the stress test
methodology, making this public in April,
and it is expected that the banks will take
until mid May to complete the tests. The
plan is that the stress testing results will
be made public in June. The next step will
be for the EBA to advise Member EU
States and Authorities on the remedial
back stop measures needed.
Tony Blunden, Chase Cooper's Head of Consulting, addresses the confusion that revolves around operational risk appetite and proposes practical methods of definition.
A firm's appetite for operational risk has been a subject of debate and confusion ever
since the Basel Committee on Banking Supervision commented that it believed that the
rigour applied to credit risk and market risk should also be applied to operational risk.
This has led to many believing that operational risk appetite
should be treated in exactly the same way, i.e. as something
that can be reduced to a single monetary value. Whilst this is
possible using statistical theory, it denies the essential nature
of operational risk. This nature pervades a risk category that
can be fundamentally affected by the management and culture
of a firm, as well as by external macroeconomic factors.
The difficulty was implicitly
acknowledged by the Basel
Committee when it also stated
that "operational risk is typically not directly taken in return
for an expected reward, but exists in the natural course of
corporate activity". Indeed, it can be argued that there is no
such thing as an appropriate appetite for mis‐selling, system failures, internal fraud or
external fraud. Others argue that a residual level of operational loss is tolerable where,
for example, the cost of mitigating the remaining risk far outweighs the impact.
Before looking at how operational risk appetite can be stated in practice, it is a good
idea to examine the governance that should exist around operational risk appetite. This
should consider such topics as definition, ownership and accountability, scope, reporting
and record retention as well as an overview of the operational risk appetite
methodology.
Many firms recognise that a certain level of risk is inherent in any business
and it is the responsibility of the board to consider and approve the
level of risk acceptable to the firm. The risk appetite defined by a
firm should reflect the satisfactory trade‐off between the level of
risk and the likely level of returns or costs. As a consequence,
Tony Blunden, Chase Cooper
metric
2
CHASE COOPER
continued on page 2
IN THIS ISSUE OF metric
SEC on bonus restrictions
IFRS Indian setback
Ackermann warns G-20
China leverage guidance
m ISSU
E
2
www.chasecooper.com
the typical definition of operational risk appetite is the amount that
the firm is willing to risk for a given risk‐reward or cost‐benefit
ratio. This basic statement is then expanded, perhaps using Figure
1 below as a starting point.
It should be noted that there is no explicit requirement in Pillar 1
for an expression of risk appetite but such a statement forms a
natural part of Pillar 2, reflecting clear strategies and oversight by
the board and senior management and a strong risk and internal
control culture. The ownership of risk appetite therefore sits very
clearly at board level with senior management implementing risk
appetite at a day‐to‐day business level.
However, it is instructive to question whose appetite should be
reflected in the detailed implementation of the risk appetite
statement. The shareholders' appetite is naturally expressed by the
amount of capital that the firm holds and may accommodate
extreme events. In comparison, the managerial appetite will reflect
the corporate attitudes and culture of the board and management
team and is more likely to refer to a business‐as‐usual level that
includes some scenarios but is generally less extreme than
shareholders' appetite. This difference inevitably reflects the
different approaches of the two stakeholders and, in particular, the
generally longer‐term objectives of shareholders.
Figure 1: Different levels of the firm view appetite differently
Most firms have a stated appetite for operational risk which is
generally at a high level and gives little business benefit. Some,
however, are using operational risk appetite at a number of levels
within the firm and deriving significant benefit for the business
from this approach.
There are many different ways of measuring operational risk
appetite and capital modelling does not have to be used.
Operational risk appetite can be expressed very simply through the
results of a risk and control assessment ('RCA'), using the exposure
of the firm to high likelihood and high impact events to delineate
acceptable risk appetite from unacceptable levels. An alternative
simple starting point is the number or value of losses to which the
firm is subject in a period. Although the number of incidents to
which the firm is exposed may seem a trivial way of stating
appetite, this can be used effectively for incidents where a
monetary value
is hard to
establish (for
example, the
value of system
outages).
As the firm
develops its
operational risk
management, it
can start to use
indicators of its
exposure to key
risks and their controls as indicators of acceptable and
unacceptable levels of risk. Finally, of course, modelling will
provide a number of opportunities for a firm to consider its
operational risk appetite.
As most firms have an RCA, this is a good place to start considering
a firm's risk appetite. The likelihood scale of the RCA will give an
indication as to whether the RCA has been performed at a
management level of appetite, a board level or shareholder level.
The impact scores will give the current appetite level, although on
reflection these may be viewed as inappropriate and in need of
revision.
Alternatively, a very common first expression of appetite is through
heat maps. These are two‐dimensional with likelihood on one axis
and impact on the other axis. Heat maps can be developed with
descriptive words such as low, moderate and critical, relative values
such as a scale of 1 to 25 (see Figure 2, below) as well as monetary
values. The heat map below indicates that relative scores of 16, 20
and 25 are critical scores and therefore unacceptable to the firm, as
a residual risk level.
Figure 2: Heat map with relative scores
As noted above, when a firm has progressed to identifying
indicators of risks which are key there will be another set of risk
appetite metrics that can be used. Figure 3 overleaf shows the
ranges that might be applicable to a key risk
met
ric
continued on page 3
3
www.chasecooper.com
indicator. In this case, there are bands (red and yellow) above and
below the area within which the firm is comfortable (the green
band). The limits of these bands are naturally statements of appetite
by the firm. The green/yellow boundary is a first lower‐level
statement of appetite and the yellow/red boundary is a more
extreme level of appetite.
Figure 3: Key risk indicator as a statement of appetite
Ultimately, it is of course possible for operational risk appetite to
be expressed as a monetary value if probabilistic modelling is
applied to the operational risk data. This can also assist in cost
benefit analysis and in business process improvement if parts of the
risk profile are beyond acceptable levels.
How appetite is described therefore depends on the size, complexity
and culture of the firm. It is also important to differentiate between
the business‐as‐usual appetite of the management and the higher
ultimate appetite of the shareholders. Although there are various
ways to describe risk appetite, it is important to apply a consistent
methodology. Measuring risk appetite and benchmarking business
performance against an appetite level enables the management
team to have a clear picture of
met
ric
met
ric
SEC proposes bonus restrictions The USA's Securities and Exchange Commission (SEC) has, in a split
vote, proposed rules that restrict bonuses for broker‐dealers and
investment advisors. The proposal now goes for public comments.
New restrictions on bonuses were one of
the mandates of the Dodd‐Frank Act
which requires the SEC and six other US
federal regulatory agencies to jointly
adopt such rules. The FDIC proposed rules
similar to those of the SEC last month.
"It is simply common sense that a
financial institution ‐ and thus its
shareholders ‐ can be negatively affected
if incentives drive behavior that is not consistent with the
institution's overall interests," SEC Commissioner Elisse B. Walter
said in support of the measure.
Firms that are above a $1 billion asset threshold would be
required to file annual reports detailing their incentive‐based
compensation. The rules would "prohibit incentive‐based
compensation arrangements that encourage inappropriate risk‐
taking by providing excessive compensation, or that could lead to
material financial loss to the firm".
Financial institutions with $50 billion or more in assets face added
restrictions, including deferral of at least 50% of executive
bonuses for three years, and board approval of compensation for
those who could expose a firm to a substantial amount of risk.
SEC CommissionerElisse B. Walter
m
m
Indian implementation of IFRS set backThe path to an international
accounting standard, and
with it the reduction of
accounting risk, was set back when it appeared that the Indian
implementation of International Financial Reporting Standards (IFRS)
was in danger of being severely delayed or even abandoned by India.
IFRS was due to become a standard for all large Indian firms from
April 1st this year, but local press reports say that this will at best be
delayed and could be made optional. It was planned that IFRS would
be implemented in three phases starting with those companies
valued at over $200M. However there has been a flood of companies
asking for exemptions to this implementation date. In addition there
have been issues regarding tax liability calculations.
IFRS, developed by the International Accounting Standards Board
(IASB), is based on fair or market value accounting, has been standard
in Europe for 5 years and is adopted by over 80 countries worldwide.
The USA has not yet confirmed its adoption but the SEC is expected
to announce a schedule this year with a 2015 date anticipated. China
started to use IFRS in 2007, Canada began implementation last year
and Japan is expected to be compliant next year. m
Coming up in Issue 3 of metric Nick Gibson, Chase Cooper’s Director of Compliance Solutions discusses: The FSA’s first Retail Conduct Risk Outlook — emerging risks and potential concerns m
etric
4
EBA APPOINTS FIRST EXECUTIVE DIRECTOR
The European Banking Authority has named
Adam Farkas, former chairman of the
Hungarian Financial Supervisory Authority, as
its first executive director, subject to
confirmation by the European parliament.
ACKERMANN WARNS G‐20
Dr. Josef Ackermann, Chairman
of the Institute of International
Finance (IIF), also Chairman of
Deutsche Bank, has called on
the G‐20 to control the
fragmented implementation of
Basel III and to prevent
fragmenting the global
financial system. He also stated
that the current liquidity
proposals could damage
banks' abilities to provide
credit lines to business.
FSA FINE MORTGAGE FAILURES
The FSA has fined DB Mortgages, part of the
Deutsche Bank Group, £840,000 for irresponsible
lending practices and unfair treatment of
customers in arrears, and has obtained rebates
for DB Mortgages' customers estimated at £1.5
million. The FSA said that DB Mortgages failed to
check that customers could still afford mortgages
on their retirement, failed to ensure that self‐
certified mortgages produced the best prices, and
did not ask customers how they would live if they
had to sell to pay off an interest‐only mortgage.
CHINA ISSUES GUIDELINES ON LEVERAGE
China's banking regulator, the CBRC, has issued
guidelines on the leverage rates of commercial
banks which will require banks to keep a
maximum of 4%. These will apply to
systemically important banks from the end of
2013 and for other commercial banks in 2016.
SEC PURSUES INSIDER TRADER
The SEC has announced it will proceed with
insider trading charges against Rajat Gupta, a
Goldman Sachs and Procter & Gamble board
member. Gupta, allegedly provided Raj
Rajaratnam, the founder of hedge fund Galleon
Management with inside information about the
quarterly earnings at both these firms as well as
an US$5 billion investment that Berkshire
Hathaway was planning to make in Goldmans.
ASYMmetricAL
A legacy that Victorian Britain left us was the board structure used to govern commercial institutions: single tier boards of directors, elected by the shareholders in the case of publically quoted companies, and consisting of executive and non‐executive directors under a board chairman*. Executive directors ran the company on a day‐to‐day basis, whilst non‐executive directors were external appointments of experienced individuals who took a high level view and advised the executive directors. These "non‐execs" were selected on their experience and knowledge of the markets. Many were retired and many held multiple non‐exec roles. The
effort involved was not huge ‐ reading board reports, asking questions and sitting in on board meetings. Typically non‐execs put in 2 days of their time a month and their value was in their advice.
All this started to change in the 1980s. The Polly Peck insolvency, which involved falsification of accounts, led to the Cadbury Review being set up to look at the governance of companies. Its remit, following the BCCI and Maxwell scandals, was expanded to cover sign‐off of companies' accounts and non‐exec involvement. This evolved into the Combined Code of Corporate Governance which, after a series of reviews, all named after their chairmen ‐ Greenbury, Hampel, Turnbull, Higgs, Myners, etc ‐ was established as boardroom governance best practices guidance (note guidance in the UK, not regulation) managed by the Financial Reporting Council. Also around this time non‐executives found themselves in the firing line as investors, and, in the case of Equitable Life, depositors, would sue for losses attributed to poor corporate governance.
In 2009, following the collapse of Northern Rock, the Walker Review was commissioned by the UK Treasury, specifically for the governance of financial institutions, and for the first time risk management was mentioned. Walker recommended that the governance of risk was a specific responsibility of the board, including non‐execs, and made many recommendations including:
A board risk committee be established to advise the board on risk appetite, tolerance and strategy,
That the board be served by a chief risk officer who would have a reporting line to the board
risk committee ‐ and that there should be a level of protection for this role (the FSA subsequently made CRO an "approved person" role),
A separate risk report by the board risk committee to be included in the annual corporate report.
The role of non‐execs was also defined with the requirements that non‐execs should "satisfy themselves on the integrity of financial information and that financial controls and systems of risk management are robust and defensible".
So the role of a non‐exec has gone from that of an avuncular figure advising the executive directors on the basis of years of experience, to a high profile individual who must sign off the accounts, the financial controls and the risk management processes ‐ and who may be sued if he gets it wrong. The skills required have increased as has the amount of effort that will have to be put in. This is no longer a couple of days a month effort.
The question now is how will non‐execs acquire this risk management expertise? Risk managers go through years of developing skills and many of the issues are not obvious to a corporate businessman. Most experienced non‐execs understand corporate accounts and financial reporting, some have experience in financial controls, but there are few who have a risk management background. Risk management is a qualitative and procedural discipline, with a large amount of complex mathematical processing, particularly in the credit and market risk areas. How will non‐execs acquire and demonstrate these skills?
It could be that risk managers will become non‐execs, but the profession is young and there are few approaching retirement age. This acquisition of risk management skills by the board, and particularly by non‐execs, is probably the major issue to be resolved if we are to avoid another crisis.
(* Note most European countries have a two tier board system with a management board of full‐timers running the company, and a supervisory board on non‐executives in an advisory role. Moving to this structure was investigated but rejected by the Hempel Report.)
The back page, sometimes critical view from the Editor
RegulatoryNEWS
m
Dr. Josef Ackermann, Chairman of the Institute of International Finance (IIF)(Photo courtesy World Economic Forum)
metric is published byChase Cooper. web: www.chasecooper.comemail: [email protected]