10_AFPLST_Slides_Chapters_15_16


Chapter 15: Operational and Enterprise Risk Management
Outline:
• General Risk Management
• Operational Risk Management
• Payment System Risk (PSR)
• Enterprise Risk Management (ERM)
• Disaster Recovery and Business Continuity
• Insurance Risk Management
v3.0 © 2011 Association for Financial Professionals. All rights reserved.
Session 11: Module 6, Chapter 15 - 1
Discussion Question
What is the purpose of risk management?
Answer:
• Helps managers identify future events that create uncertainty
• Responds to negative possibilities by balancing the negative economic/regulatory effects of these possibilities with costs that can be incurred to mitigate or eliminate them
• Provides direction to guide recovery actions when serious, negative events occur
Session 11: Module 6, Chapter 15 - 2
Risk Management Process
Step 1: Determining organization’s risk tolerance
Step 2: Identifying impact/level of exposures
Step 3: Measuring impact/level of exposures
Step 4: Developing/implementing appropriate risk management strategy
Step 5: Reporting/monitoring exposure to evaluate and measure strategy
Session 11: Module 6, Chapter 15 - 3
Risk Appetite Examples
Three different attitudes toward risk:
• A new company in a rapidly evolving industry may be more aggressive in taking significant risks in order to gain a competitive advantage.
• An established company in a mature industry may be more cautious about taking risks to protect an existing competitive advantage.
• Government entities and not-for-profit organizations may be completely averse to risk.
Session 11: Module 6, Chapter 15 - 4
Risk Management Policy
The policy should:
• Contain a concise statement of risk management goals
• Identify the types of exposures to be managed
• Delineate the mitigation techniques and products that may be used
• Outline the process for determining specific strategies to be employed and exposures to be hedged
• Summarize the process for monitoring performance
• Outline contingency plans
• Define authorities and responsibilities
• Require periodic review
Session 11: Module 6, Chapter 15 - 5
Discussion Question
A qualitative assessment of risk exposure should do all of the following EXCEPT
a) find where hedges may be useful in operating procedures.
b) determine how business processes contribute to risk and find solutions.
c) assess the materiality or level of exposure (i.e., high, medium, low).
d) ensure that financial risk derivatives are structured, sized and accounted for properly.
Answer: c. This is a quantitative assessment.
Session 11: Module 6, Chapter 15 - 6
Developing and Implementing an Appropriate Risk Management Strategy
Keep
• Inherent risks, opt to selectively bear
• Disaster recovery and contingency
Avoid
• Not entering a line of business
• Choosing a particular process
Mitigate
• Derivatives
• Balance sheet hedges
Transfer
• Insurance
• Contractual transfer
Session 11: Module 6, Chapter 15 - 7
Risk Profile
The risk profile refers to how the company’s overall value changes as the prices of financial variables change.
A risk profile analysis needs to:
• Identify risks.
• Classify each risk into clearly defined categories.
• Quantify the risks with respect to probability of occurrence and cash flow impact.
Session 11: Module 6, Chapter 15 - 8
Operational Risk Management
Internal risks
• Employee
• Process
• Technology
External risks
• Financial institution
• Counterparty
• Legal and regulatory/compliance
• Supplier
• External theft/fraud
• Physical and electronic security
• Natural disaster
• Terrorism
Session 11: Module 6, Chapter 15 - 9
Discussion Question
Which of the following employee risks is a more significant source of risk than the others?
a) Defalcation risk
b) Fidelity risk
c) Employee errors in data entry/reentry, including transposition or deletion of numbers
Answer: c
Session 11: Module 6, Chapter 15 - 10
Process Risk
• Lack of controls/failure to follow procedures in any functional area
• Products unsuitable for intended use (unsupported claims)
• Accounting/financial reporting errors
• Clearing/settlement errors
• Excess/insufficient capacity
• Inability to meet terms of contracts
• Manual process data entry errors
• Lack of timely bank account reconciliation
Session 11: Module 6, Chapter 15 - 11
Technology Risks
Risks associated with:
• Choice of a particular technological platform or vendor—issues such as after-sale installation and support or that a vendor may go out of business
• Potential failure of vendor-acquired hardware, software and/or communications devices
• Capabilities, capacity, compatibility
• Security breaches from either internal sources or external hackers
• Computer-based spreadsheet use
Session 11: Module 6, Chapter 15 - 12
Legal and Regulatory Compliance Risks
• Lawsuits or other legal actions
• Compliance requirements with federal, state and local regulatory agency regulations (e.g., USA PATRIOT Act)
• Foreign assets—expropriation, loss of foreign asset value and/or tax risks
• Operational risk component to tax risk
Session 11: Module 6, Chapter 15 - 13
External Theft/Fraud Risk
Risk: Payment process (e.g., false invoices)
Response: A/P controls: positive pay, debit blocks/filters, authorization process, segregation of duties

Risk: Check fraud
Response: Replacing paper-based payments with electronic payments

Risk: ACH network fraud
Response: Debit blocks/filters, daily ACH reconciliation, timely ACH returns

Risk: Breach or compromise of databases
Response: Physical and electronic security

Risk: Malfeasance (e.g., embezzlement, falsifying accounting data)
Response: Corporate culture, ethical directives, strict code of conduct

Risk: Robbery or theft
Response: Armored car services, automated safes
Session 11: Module 6, Chapter 15 - 14
Discussion Question
What sort of organizational culture do most risk management experts feel will help control operational risk?
Answer:
• Culture that promotes individual responsibility and is supportive of educated risk taking
• Questioning approach to decision making
• Willingness of senior management to admit a lack of sufficient information where applicable
• Written policies for ethics at every organizational level
Session 11: Module 6, Chapter 15 - 15
Fundamental Factors for Operational Risk Management Strategy
Organizational culture
Technology
• Necessary to gather and analyze information
• Monitor operational controls and procedures
Guidelines for board of directors
• Travel restrictions
• Conflicts of interest
• Number of internal board members
• Personal responsibility
• Conflict resolution
• Clear lines of reporting
• Board behavior procedures
Session 11: Module 6, Chapter 15 - 16
Payment System Risk

• Systemic risk—risk of collapse of an entire financial system or entire market, as opposed to risk associated with a single entity.
• Settlement risk—the party funding a transaction defaults on its settlement obligation.
  ◦ Wire transfer credit—accountholder daylight overdrafts.
  ◦ ACH origination—ODFI has credit exposure from ACH file release until settlement.
  ◦ Return item—return items exceed funds in account.
• Fraud risk—altered transactions or false items may cause a loss for the disbursing party.
Session 11: Module 6, Chapter 15 - 17
Discussion Question
What are some of the requirements set forth by FIs to reduce ACH origination credit risk?
Answer:
• Requiring financial information, credit approval, limit monitoring and/or prefunding for ACH originations.
• Because the exposure related to ACH transactions may be as long as two days, large-value originations result in exposure that a bank may view as a short-term credit extension.
Session 11: Module 6, Chapter 15 - 18
Fraud Risk Related to Payments

• Check fraud
  ◦ Counterfeit checks
  ◦ Forged checks
  ◦ Altered checks
• Kiting
• Electronic debit risk
• Payment card risk
  ◦ Address verification service (AVS)
  ◦ Card verification value or code (CVV/CVC)
  ◦ Merchants can avoid liability by obtaining authorization, an authentic signature or an electronic imprint of the card.

Session 11: Module 6, Chapter 15 - 19
Enterprise Risk Management (ERM)
• Market risk (including financial risk)
• Credit risk
• Liquidity risk
• Operational risk
• Legal and regulatory risk
• Business risk
• Strategic risk
• Reputation risk
Session 11: Module 6, Chapter 15 - 20
Discussion Question
Each of the following is generally considered to be a component of financial risk EXCEPT
a) equity price risk.
b) interest rate risk.
c) FX risk.
d) commodity price risk.
Answer: a. Another view of financial risk is its impact on the value of the firm or a portfolio of investment assets.
Session 11: Module 6, Chapter 15 - 21
Credit Risk

• Impact of a change in credit quality of a company on the value of a security or portfolio
  ◦ Default
  ◦ Downgrading
• Amount of value recovered after default
  ◦ Recovery value or rate
  ◦ Loss given default (%)
• Lack of portfolio diversification
  ◦ Industry
  ◦ Type of security
Session 11: Module 6, Chapter 15 - 22
Disaster Recovery and Business Continuity
Disaster recovery: Restoration of systems and communications after outage
Business continuity: Crisis management actions, alternative operating procedures, and communications to staff and customers
Contingency plans usually cover supply chain but not always cash and information flows.
Financial supply chain key parties:
• Internal resources: Treasury staff, computer systems, policies, procedures, processes, office facilities
• External financial counterparties: Financial institutions, market information providers, financial markets
• Infrastructure: Computers, servers, telecommunications, utilities, vendor support services
Session 11: Module 6, Chapter 15 - 23
Insurance Risk Management Process
Goals of insurance risk management
• Insure against catastrophic loss.
  ◦ Insured losses may still result in lost profits.
• Decide when and what to insure.
• Manage the purchase and use of insurance.
• Obtain efficient pricing for insurance needs.
Types of losses
• Property loss
• Business interruption or net income loss
• Surety or breach of contract loss
• Liability loss including lawsuits from injured customers
• Personnel loss
• Workers’ compensation
Session 11: Module 6, Chapter 15 - 24
Basic Types of Business Insurance
• Liability
• Difference in conditions (DIC)
• Excess or umbrella
• Property
• Casualty
• Workers’ compensation
• Business interruption
• Directors’ and officers’
• Fidelity and crime
• Other types
  ◦ Ocean/marine
  ◦ Fiduciary
Session 11: Module 6, Chapter 15 - 25
Criteria for Selecting an Insurer
• Long-term solvency of the insurer
• Rating for the insurer
  ◦ A.M. Best ratings
  ◦ Best’s Financial Strength Ratings
  ◦ Best’s Debt Ratings
• Service provided
• Cost versus exposure
Session 11: Module 6, Chapter 15 - 26
Discussion Question
Match each insurance option with its description.
Options:
• Aggregate basis
• Claims-made basis
• Per-occurrence basis
• Liability limit
• Basic occurrence basis
Descriptions:
a) Way of setting what companies can use to obtain a significantly lower premium when compared to first-dollar coverage
b) Must consider catastrophic event exposure, other catastrophic exposure, cost vs. limits and cost vs. exposure
c) Way insurance payouts can determine eligibility
Session 11: Module 6, Chapter 15 - 27
Risk Financing Techniques: Risk Retention
• Non-insurance
• Self-insurance
• Single parent captive
• Group captive
• Risk retention group
• Claims management
Session 11: Module 6, Chapter 15 - 28
Risk Financing Techniques: Risk Transfer
A contract between transferor and transferee, who agrees to pay for certain losses in exchange for fee or business contract
• Contractual transfer (hold harmless)
• Guaranteed cost insurance program
• Retrospectively (retro) rated insurance program
Session 11: Module 6, Chapter 15 - 29