Financial Risk Management and Business Continuity Management Christoph Stute Guatemala 28 – 29 March 2012

Financial Risk Management and Business Continuity Management

Christoph Stute, Guatemala, 28 – 29 March 2012

Financial Risk Management

Christoph Stute, Guatemala, 28 – 29 March 2012

Risk Management in Banks Regulatory Framework in Germany

“Minimum Requirements for Risk Management (MaRisk)”

Regulation issued by the Federal Financial Supervisory Authority

❙ MaRisk provides a flexible, hands-on framework for risk management at institutions defined in the German Banking Act (not Bundesbank!)

❙ Within the meaning of MaRisk, risk management includes the determination of appropriate strategies, as well as the establishment of appropriate internal surveillance procedures.

❙ The internal surveillance procedures comprise the internal control system and internal audit.

❙ The internal control system covers rules regarding the organizational and operational structure and processes for identifying, assessing, treating, monitoring and communicating risks.

❙ MaRisk aims primarily to ensure the establishment of appropriate internal governance structures.

Bundesbank Risk Control Office

❙ established in 1997

❙ Direct reporting to the Executive Board

❙ in analogy with banking supervision regulations (“MaRisk”) independent from markets department up to and including the board level (segregation of duties)

❙ Our mission: We identify and measure risks, advise impartially in questions of risk management and report on risks and returns.

❙ currently 21 staff members

❙ divided into 2 sections: Risk Framework & Reporting and Analytics & IT Systems

Functions of the Office for Risk Control

❙ reporting (daily, monthly, annually)

❙ advisory function for the board, e.g. strategic asset allocation.

❙ Risk component/ Limit setting of the investment guidelines

❙ proposals for the portfolio benchmarks

❙ pricing, performance measurement

❙ analysis, measurement and limitation of financial risks

❙ counterparty monitoring

❙ Eurosystem: attendance at the Risk Management Committee

❙ Legal documentation

❙ Market reasonability checking

In addition…

❙ In its role as fiscal agent, the Bundesbank also performs asset management services on behalf of the Federal and state governments.

❙ Asset management services cover:
- several pension fund portfolios of the Federal Government
- portfolio of the Monetary Stability Foundation
- pension fund portfolio of the Federal Employment Agency
- pension fund portfolio of the Federal Financial Supervisory Authority
- several state (regional) government pension reserves and funds

❚ All related risk management functions are performed by the Office for Risk Control.

Financial Risk Management is part of Enterprise Risk Management

[Diagram: risk categories within Enterprise Risk Management]

Main categories shown: Reputational Risks, Financial Risks, Operational Risks, Business Risks

Further categories shown: Currency Risks, Interest Rate Risks, Liquidity Risks, Counterparty Risks, Employee Risks, Technical Risks, External Risks

Individual risks shown: Critical Infrastructure, Natural Risks, Primary Maintenance Risks, Changes In Law, Negative Press Coverage, Dependencies On Third Parties, Legal Risks, IT Risks, Incorrect Conduct, Misallocation Of Staff, Inadequate Qualification Of Staff, Human Failures, General Security Risks

Enterprise Risk Management (ERM)

❙ Executive Board has the overall responsibility for the management of risks

❙ ERM: Responsibility is with the Department Controlling, Accounting and Organisation; ERM Office receives risk reports of the business areas, checks the results of risk assessment and prepares annual risk report to the board

❙ Management of operational risks: decentralized approach, individual business areas (heads of departments) are responsible

❙ Financial Risks: Office for Risk Control

❙ Other dedicated units are responsible for IT security, general security, crisis management, business continuity

Assets covered by Office for Risk Control

[Diagram: assets covered, by area]

Column headings: Bundesbank; Eurosystem; Services (fiscal agent)

Labels shown: Gold and currency reserves; FX-Operations; ECB foreign reserves; Euro denominated portfolios; Pension fund; Eurosystem Refinancing Operations; Central bank reserve management services; Foundation „Geld und Währung“; Pension fund BaFin; Pension fund Federal employment agency; Pension and reserve funds for the federal and (most) state governments

Volumes shown: ~260 bn €; ~590 bn €; all serviced portfolios: 15 bn €

Financial Risk Management at Deutsche Bundesbank

Risk Control

- responsible for long-term risk/return level (benchmark proposal and maintenance)

- defines risk control systems

- measures performance

- reports about risk/return situation

Market Operations

- makes and executes daily investment decision

- tries to outperform benchmark

- positions portfolio respecting the given risk framework

Financial Risk Management at Deutsche Bundesbank

Decision Making Process

[Diagram. Entities shown: Board, Investment Committee, Risk Control, Traders. Relationship labels shown: consulting and reporting; reporting; approves investment guidelines; controlling; decides on tactical deviations from benchmark]

Financial Risk Management at Deutsche Bundesbank

Use of strategic benchmarks

[Diagram. Labels shown: Strategic View, Tactical View; Board, Risk Control, Front Office; Risk Appetite, Additional Risks; Benchmark; Optimize return; Return; Leeway]

Risk management process (Textbook Version)

Risk management process (Central Bank Version I)

Risk management process (Central Bank Version II)

The greatest risk is the risk unseen

(the “black swan”)

Business Continuity Management (BCM)

Christoph Stute, Guatemala, 28 – 29 March 2012

Definitions

Operational Risk Management

• ORM is the overall process for early identification, handling and monitoring of risks

• ORM includes business risks and OR

• ORM gives an overview on all risks and helps to decide which risks are acceptable and which not (risk tolerance / risk appetite)

• ORM has preventive character

• Focus: risks emerging from conducting the business

Crisis Management

• CM is the ability of an organisation to respond to any crisis situation in a predefined way

• CM includes a “tool box” with organisational and technical utilities to support management (BCP is one of these “tools”)

• CM has mainly reactive character

Business Continuity Management

• BCM identifies potential threats to an organisation and the impacts to its most critical functions

• BCM puts an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way.

• BCM has mainly reactive character; Focus: risks that endanger the object of a company

BCM within the security strategy of the Deutsche Bundesbank

Strategic Security Framework: Definition of security

Security describes a situation which is free from unacceptable risks of impairment or is regarded as free of risk.

For complex systems, it is impossible to completely rule out risks.

Security Objectives

• Persons, valuables, property and information are to be protected in accordance with the level of risk identified

• Our policy: The protection of persons overrides the protection of valuables or property

Strategic security framework

The protection goal is achieved by security sub-strategies

[Diagram. Sub-strategies shown:]

- Strategy for analysing threats to the Bundesbank

- Strategy for protecting persons

- Security strategy for cash-in-transport vehicles

- Property protection strategy

- IT security strategy

- Strategy for emergency and disaster protection, civil defence

- Strategy for protecting confidential information

- BCP, Crisis Management

Definition and objective of BCP

• In general, business continuity planning (BCP) aims at a temporary or possibly permanent continuation of business operations in emergency and disaster situations

• The objective of the Bundesbank’s BCP is the continuation of key central bank business activities in emergency and disaster situations, in order to avoid the central bank causing a destabilisation of the financial system

• Consideration given to risk and cost-benefit aspects

History of BCM at Bundesbank

❙ BCM is not a new issue for the Bundesbank; contingency measures have been in place since its early days

❙ But in the past BCM wasn’t a major issue, because of

  ❙ relying on manual procedures for performing business,

  ❙ the decentralised organizational structure and decentralised execution of business (most of critical functions were performed on regional level) leading to a broad protection against major incidents,

  ❙ technical redundancies through decentralised data centres.

History of BCM at Bundesbank

❙ For central functions a two sites concept for the data centre of the central office was put in place (in the mid 1980s)

❙ In the mid 1990s: the 10 data centres were replaced by a two sites/two regions concept (Frankfurt and Düsseldorf)

❙ Since 2005 the two sites/two regions concept is realized in Frankfurt

Reasons for investigation and strengthening BCP

External events

❙ Year 2000

❙ Terrorism, 9/11

❙ Serious power supply failures in North America and Europe in 2003

❙ Computer viruses: Mydoom, Sober …

❙ Contingency obligations (e.g. TARGET security requirements, KRITIS, Basel II, Act on Corporate Governance and Transparency…)

Internal reasons

❙ In-house power supply failures

❙ Structural reform renders the Bundesbank’s former decentralised crisis management organisation obsolete

Levels of Business Continuity Planning and Crisis Management

❙ Bundesbank internal arrangements

❙ Arrangements concerning the national banking sector: Working Group Crisis Management for Payment and Clearing Systems (→ communication infrastructure for serious crisis and contingency scenarios in large-value payment transactions)

❙ National level of preparations:

  ❙ Emergency Management (Bundesbank is involved regarding securing supply of cash)

  ❙ Communication networks for managing financial crisis

  ❙ Federal Government initiated a working group to analyse security and stability of IT infrastructures, which are critical to the common good (→ e.g. electricity, telecommunication, transport, financial services, …)

❙ Arrangements on ESCB level

Basic approach of the Bundesbank on BCM

❙ Business Impact Analysis (BIA) to identify most critical business functions / processes → definition of core business function

❙ Analysis of potential threats → definition of scenarios to be responded to

❙ Decision which function / process has to be secured against which threat on basis of a cost/benefit analysis by the board

❙ Identification of organisational and technical measures to reach safeguarding

❙ Ongoing investigation; reason: processes and threats change permanently

  ❙ Responsibility: business areas and IT

  ❙ Co-ordination and reporting to Executive Board via ACO (= Steering Committee)

  ❙ Regular review by Internal Audit and during Organizational Analysis

Roles and responsibilities

❙ BCP strategy → Ex. Board (= definition of scenarios to respond to; definition of critical functions)

❙ BCP (developing and implementation) → business units on basis of predefined scenarios

❙ BCP (methodology and reporting) → Division Organisation, Security and Crisis Management Section

Core business areas of the Deutsche Bundesbank

❙ Cash and cashless payments

❙ Operational monetary policy including collateral management

❙ Account management and accounting

❙ Foreign exchange and reserve management for the Bundesbank and on behalf of the ECB

❙ not statistics or research

Scenario technique

Scenario 1: Production system or communication links temporarily unavailable; backup system available, staff available
→ contingency measures; hot secondary site

Scenario 2: Essential site(s) partially unavailable but the production system and all communication links are available and functioning, staff available
→ Use of remote access/teleworking; use of office space at other locations

Scenario 3a: Essential site(s) inaccessible; production system and all communication links down; backup system functioning, staff available
→ Hot secondary site
→ Use of remote access/teleworking; use of office space at other locations

Scenario 3b: Essential site(s) inaccessible; production system and all communication links down; backup system functioning, staff unavailable
→ Hot secondary site
→ Perform critical business by split teams at different locations (so that one part of the team is not affected by the incident)

Scenario 4: Essential site(s) inaccessible; production system and all communication links down; backup system not functioning; loss of competent staff, entire Rhein/Main area similarly affected, Bundesbank customers/partners also affected

Implementation of Business Continuity Planning (Part I)

❙ Securing availability of information technology applications and data

  ❙ Data backup

  ❙ Installation of a second data processing center (2nd site, hot-standby)

  ❙ Redundancy of hardware, power supply, network, …

❙ Securing ability to communicate for crisis management team and BCP teams

  ❙ Redundancy of telecommunication infrastructure

  ❙ Fall back solutions

❙ Implementation of fall back procedures, if IT applications are not available

Implementation of Business Continuity Planning (Part II)

❙ Service Level Agreements between business units and supporting units (so that everybody knows exactly what is expected and what can be delivered)

❙ Installation of backup operations sites depending on organisational issues (fully equipped sites or sites normally used for other purposes which can be used by BCP-team if necessary)

❙ Splitting of operations staff into teams at different sites in normal times, so that one team can take over in a crisis

❙ Training of staff

❙ Regular testing

BCP for the core central bank business areas

– some practical experiences from the beginning

❙ A central bank is different to companies with profit maximisation; no consideration of business areas that have the most financial impact in case of an interruption but what has the biggest impact on public life

❙ At the beginning, most business units do not see the necessity for BCP → increasing of costs, unneeded activities, “disturbs” normal business;

❙ Later on, nearly every business unit liked to have a BCP, as every unit sees itself as “important” → new large discussion: which business unit / process is “critical”