
T4 - KRIs - Focusing on the Right Risks in Today_s Environment - RiskBusiness Americas (K. Gantt) Experis Finance (T. Diminich) 10-25-11.pdf


  • Key Risk Indicators: focusing on the right risks in today's environment

    Presented by:

    Kristen L. Gantt, MD, Integrated Risk Advisory, RiskBusiness Americas, and Tom Diminich, Director, IT Risk Advisory, Experis Finance

  • Why Invest in KRIs?

    What do these significant loss events have in common?

    - UBS trade fraud (still under investigation)
    - Societe Generale trade fraud
    - Citibank - privacy breach
    - AIG CDS exposure
    - Madoff ponzi scheme
    - LTCM sudden illiquidity in portfolio
    - Barings concentration

    HINT: Trick question.

    2010-2011 RiskBusiness Americas LLC


    ANSWER: After analyzing post-loss & causal factors, they all had a good chance of being prevented or detected if Key Risk Indicators (KRIs) provided closer to real time information that could be aggregated, analyzed, and escalated.

  • Differences in Senior Management Approaches Affected Outcomes during Financial Market Turmoil

    According to the Senior Supervisors Group "Observations on Risk Management Practices during the Recent Market Turbulence", March 6, 2008, these 4 things were done well by the financial institutions that made out OK (relatively speaking):

    - IDENTIFIED RISK APPETITE & CONNECTED WITH RISK MITIGATION STRATEGY: The balance that each firm's senior management in general achieved between its desire to do business and its appetite for risk as reflected in the tone set for developing or enforcing controls on the resulting risks;
    - IDENTIFIED RISK AND TOOK ACTION: The role that senior management in particular played in identifying and understanding material risks and acting on that understanding to mitigate excessive risks;
    - BROKE-THROUGH UPWARD CORPORATE COMMUNICATIONS BARRIERS: The efforts that senior management undertook to surmount organizational structures that tended to delay, divert, or distort the flow of information up the management chain of the firm; and
    - BROKE-THROUGH X-DISCIPLINARY COMMUNICATIONS BARRIERS: The breadth and depth of cross-disciplinary discussions and communication of insight into relevant risks across the firm.

  • Key Risk Indicator (KRI) Definitions

    Simple Definition: A KRI tracks an important exposure and does it well.

    From Wikipedia, the free encyclopedia: A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how: risky an activity is to detect an adverse impact or prevent the possibility of future adverse impact (Lagging, Current & Leading KRIs). give us an early warning to identify potential event that may harm continuity of the activity/project.

    - A KRI differs from a Key Performance Indicator (KPI) in that a KPI is a measure of how well something is being done
    - A Macro Indicator is an external indicator that is relevant to understanding exposure to risk based on scenario and data leading to loss.
    - A Common Indicator is an internal indicator relevant to everyone in the organization (e.g., Customer Complaints, Employee Morale)
    - A Specific Indicator is an internal indicator relevant to risk inherent in Business Unit's Operations & Processes (e.g., number of unmatched trades)


  • Conceptual: Translating Risk Appetite to Risk Tolerance to KRIs

    [Diagram labels: Corporate & BU Strategic Objectives; Business & Tactical Strategy Execution; Risk Tolerance / Appetite; Corporate Risk & Governance Programs; Identify Factors Affecting Exposure Tolerance; Define the KRI, Develop Measurement Policy & Specify the Threshold; Monitor, Aggregate, Analyze, Report & Determine Mitigating Action]

    Typical Risk Management Responsibilities in the Organization

    Entity Level / Executive Committee: Culture Setting Strategic Objectives & Direction Corporate Risk Tolerance & Appetite Code of Ethics Corporate Policies

    Management Level: Line of Business Limits / Risk Tolerance & Thresholds Divisional Policies Risk Assessment & Response Decisioning Approval Level Setting Organizational Design

    Supervisory Level: Scenario Level Risk & Control Activities Review Key Risk Indicators Data Validation

    Surveillance Level: Quantitative Analysis (VaR, LGD, OpVar) Imbedded Testing Rules-Based or Artificial Intelligence Monitoring

  • Conceptual: Beginning with Tolerance & Appetite

    - Determine Company's Risk Tolerance
    - Within tolerance, how much Risk Appetite, both qualitative & quantitative
    - Translate Tolerance / Appetite into LOB Strategic Business objectives
    - Drill down to business processes

    Identify Factors Affecting Exposure Tolerance: Generally, the gap that exists between the level of potential liability (loss of $, % share loss, rating loss) as compared to its ability to access capital. If not taking enough risk, may lose out on upside opportunity (look at oppty $).

    Risk Tolerance: How much risk is the organization able to pay for losses as a result of risk related events? E.g., is a 28% loss in stock price and simultaneous downgrade by Moody's within tolerance? How long to recover? Or like Barings / Lehman?

    Risk Appetite: How much risk is an organization willing to accept in pursuit of creating value. Flipside of performance. E.g., only reduction in 10% stock price, or zero tolerance for discrimination suits - fight or flight.

    [Diagram labels: ($) Risk; Access to Capital; $ Oppty]

  • Conceptual: Relating Losses to Risk Management Frameworks to KRIs

    Internal / External Loss (Potential Liability) Analysis

    1. To Develop Useful KRI that Detects / Prevents Exposure to Liability, one must assess:
    - Loss History (Internal & External)
    - Causal Factors
    - Relevant Scenarios
    - Audit & Compliance Issues
    - Capital Allocation to BU

    2. Develop Top-down & Bottom-up Inherent / Residual Risk Map pointing to Processes, Risks, & Control Assessment (Using a Common language big advantage to tie to #1)

    KRI Measurements born from intersection of 1 & 2

    Define KRI, Develop Measurement Policy & Specify the Threshold


    TIPS:

    - Determine $ Appetite Threshold for Specific Risk within Controllable Business Unit.
    - Determine related processes, risks & controls (and their owners) where breakdown expected to occur AND motivational drivers. Don't underestimate the power of good causal analysis.
    - Identify a value representing existence of measurable condition in process (e.g., # & $ Breaks) or In-Effectiveness of Control (e.g., Days P&L Recs Past Due).
    - Calibrate related Thresholds starting from Red to create Amber & Green. Clearly define specific measurement protocol.
    - Thresholds may be set as caps, collars or floors. Set these to trigger an alert when either touch or exceed.
    - Track KRIs over time to pick up on and document trends.
    - May use scaling math or T-Values for comparability, correlation & composite KRIs.
    - Expect to review KRIs for change as risks & processes change.
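    The threshold tips above, worked as an added example that is not part of the original deck: caps, floors and collars with inclusive "touch or exceed" triggers, a trend count, and T-score scaling for a composite KRI. KRI names and owners follow the deck's risk-mapping slide; all thresholds and observations are constructed, the collar on user ID resets is an assumption, and "T-Values" is read here as the standard T-score (mean 50, standard deviation 10).

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence

SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}


@dataclass(frozen=True)
class Limit:
    """One-sided threshold: a 'cap' alerts on high values, a 'floor' on low ones."""
    kind: str     # "cap" or "floor"
    red: float    # calibrated first
    amber: float  # early warning, placed on the safe side of red

    def __post_init__(self) -> None:
        if self.kind not in ("cap", "floor"):
            raise ValueError("kind must be 'cap' or 'floor'")
        ordered = self.amber < self.red if self.kind == "cap" else self.amber > self.red
        if not ordered:
            raise ValueError("amber must be reached before red")

    def status(self, value: float) -> str:
        # Inclusive comparisons: touching a threshold already triggers the alert.
        s = 1 if self.kind == "cap" else -1  # flip signs so a floor compares like a cap
        if s * value >= s * self.red:
            return "RED"
        return "AMBER" if s * value >= s * self.amber else "GREEN"


@dataclass(frozen=True)
class Kri:
    name: str
    frequency: str
    owner: str                     # who the alert is escalated to
    cap: Optional[Limit] = None
    floor: Optional[Limit] = None  # a cap and a floor together form a collar

    def __post_init__(self) -> None:
        if self.cap is None and self.floor is None:
            raise ValueError("a KRI needs at least one threshold")

    def status(self, value: float) -> str:
        sides = [lim.status(value) for lim in (self.cap, self.floor) if lim is not None]
        return max(sides, key=SEVERITY.__getitem__)  # the worse side wins


def t_values(history: Sequence[float]) -> List[float]:
    """Rescale a series to T-scores (mean 50, sd 10) so unlike KRIs compare."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return [50.0] * len(history)  # flat series: nothing deviates
    return [50.0 + 10.0 * (x - mu) / sigma for x in history]


def rising_streak(history: Sequence[float]) -> int:
    """Count consecutive period-over-period increases at the end of the series."""
    streak = 0
    for i in range(len(history) - 1, 0, -1):
        if history[i] <= history[i - 1]:
            break
        streak += 1
    return streak


def composite(histories: Dict[str, Sequence[float]]) -> float:
    """Composite KRI: mean of each series' latest T-score (higher = more unusual)."""
    return mean(t_values(h)[-1] for h in histories.values())


# Constructed sample data: names and owners come from the deck's risk map,
# every threshold and observation below is invented for illustration.
KRIS = {
    "gross_trades": Kri("# Gross Trades Exceeding Set Threshold", "daily",
                        "Trade Supervisor / Risk Mgr", cap=Limit("cap", red=8, amber=5)),
    "userid_resets": Kri("# Disabled UserIDs / password resets", "periodic",
                         "Information Security Officer", cap=Limit("cap", red=50, amber=30),
                         floor=Limit("floor", red=0, amber=2)),  # assumed: 0 = dead feed
    "open_confirms": Kri("# Open 3pty OTC Confirms w-no Cash Flow", "weekly",
                         "Desk Risk Mgr", cap=Limit("cap", red=6, amber=3)),
}
HISTORY = {
    "gross_trades": [2, 4, 4, 4, 5, 5, 7, 9],
    "userid_resets": [10, 10, 10, 10, 20],
    "open_confirms": [3, 3, 3, 3],
}


def report() -> Dict[str, tuple]:
    """Latest status, latest T-score and rising streak for every KRI."""
    return {key: (kri.status(HISTORY[key][-1]),
                  round(t_values(HISTORY[key])[-1], 1),
                  rising_streak(HISTORY[key]))
            for key, kri in KRIS.items()}


if __name__ == "__main__":
    for key, row in report().items():
        print(KRIS[key].name, row, "->", KRIS[key].owner)
    print("composite T:", round(composite(HISTORY), 1))
```

    In the sample data the user ID reset count is still Green against its thresholds, yet its T-score matches the Red trading KRI, which is the kind of movement trend tracking is meant to surface before a threshold is touched.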


  • Conceptual: Understanding Causes in Scenarios and Relating to KRIs

    [Diagram. Headings: Core Drivers, Clouds, Triggers, Risk Events. Labels: Workload; Individual Capability; Aggressive Sales; Misunderstanding; Sales / Revenue Targets; Resourcing Levels; HR Practices; Oversight Management; Team Function; Task Difficulty; Seismic Vulnerability; Goofs; Miscommunication; Seismic Event; Process Complexity; Training; External / Seismic; Product Complexity; Execution Errors; KRIs; HR; LoB; Mgmt; Lord]

  • Conceptual: Operationalizing KRI Program

    - Start with KRI Policies, Measurement Specifications, Thresholds
    - Determine Providers & Consumers of Metrics
    - Determine Tools / Resource Requirements for Aggregation & Analytics
    - Execute Data Analytics Implementation
    - Test Results, Usefulness & Actions
    - Monitor Against Threshold, Aggregate, Analyze, Report & Determine Mitigating Action

    Elements of a KRI Policy Include:

    Definition
    - KRI Name
    - Description of What is Being Measured
    - Type of KRI (leading, lagging, etc.)
    - Causal Types Driving KRI Rationale
    - Risk Being Mitigated Driving KRI Rationale
    - Version # & Release date of KRI

    Specifications
    - Threshold Metric Definitions & Escalation Procedures
    - Measurement Methodology / Data collection & validation procedures
    - Data Source(s)
    - Application / Data Provider(s)

    Links to Metadata & Centralized Referential Data Libraries
    - Organizational Unit
    - Process, Risk & Control Type
    - Geographic Location
    - Product Type(s)
    - Financial Statement Line Item
    - Other


  • Conceptual: Operationalizing KRI Program

    Operationalize KRI Measurement & Monitoring

    - Evaluate existing technology for monitoring / workflow capabilities & determine platform;
    - Determine providers (inputs) and consumers (outputs) of individual KRI metrics;
    - Configure platform with KRI policies based on organizational hierarchy link to risk taxonomy;
    - Design data input mechanisms (e.g., Manual, API);
    - Determine and configure reporting parameters; and
    - Test the process (inputs, function, outputs) vs. goals

    Post Implementation Use Test Validation

    - Review the program objectives are working as intended through objective review;
    - Validate results of KRI information to management actions
    - Track management actions are managed through appropriate prioritization & budget allocation


    Deliverables: Fully functioning workflow around measuring, monitoring, and responding to KRI feedback loop; Accompanying firm-wide policies & procedures

    Deliverables: Management Reports & Presentation to Risk Committees


    Before starting, these are key To Dos:

    - Define Organizational Topography: Lines of Business, Business Units, Cross-Functional Units
    - Establish C-Level Buy-In
    - Pre-Plan Communication Structures (i.e., not used for compensation, discussed through Risk Management)
    - Determine Appropriate Level of Resources are Available to Implement a Reliable KRI Development Process
    - Develop an Implementation Plan, e.g., Targeting a Pilot Area with Biggest Expected Return for Time Spent

    Use Test - At the end of the day, KRIs should:

    - Prompt Timely Management Risk Response (Documented)
    - Be Consistent: Comparable with other business units/lines of business (Apples : Apples)
    - Be Relevant: Ties to risk tolerance / appetite
    - Be Transparent: Easily understood in common business language function
    - Be Complete: Data validation to ensure accurate / complete


  • Conceptual: Today's KRI Reporting has Become more Visual


  • Practical Examples


  • Developing Key Risk Indicators: 4 Key Questions - Summary

    1. What Are the Worst Losses/Near Misses Over the Past 10 Years Caused in this Business Unit? Your Competitors' Units? (95-99% CL)

    2. What Would be the Level of Loss I Could Tolerate vis-à-vis my Business Unit Strategic Plan? [Specify the Threshold]

    3. How Often Would I Need to Monitor the Risk Indicators & To Whom Would I Escalate to Take Action in Enough Time to Mitigate Loss? [Monitor the Threshold]

    4. What Common Language & Technology Platforms can I Leverage to Build a Sustainable KRI Program?

    Identify Factors Affecting Exposure Tolerance


    Specify KRI & Threshold

    Monitor the KRI Threshold

  • Simple Analogy: Progression from Tolerance to KRI

    PROGRESSION FROM TOLERANCE to KRI:

    TOLERANCE: Must achieve top 5 place to enter Worlds; otherwise, reputation risk and total loss of sponsor funding

    APPETITE: Must achieve 1st through 3rd place to sustain quality financial sponsorship & strong reputation

    THRESHOLD: History shows boat speed trumps boat to boat tactics; focus on closing boat speed gap.

    CAUSES: Reasons for slow boat speed = crew weight placement, sail design & trim. Most variable? Weight & trim

    KRI POLICY SUGGESTIONS: Boat Speed?

    - Set up 7 KRI Tell Tails in Luff of Sail at different heights (wind velocity & direction varies at heights).
    - Trimmer (Risk Mgr) Evaluates direction of streaming at different levels; AGGREGATED view will show boat is operating slower than expected or at optimal speed
    - ACTION if SLOWER: Trimmer immediately adjusts sails or escalates to skipper to change point of sail. Continuous communication.


  • Relevant Case: Progression from Tolerance to KRI

    Significant Loss through Trader Fraud:

    IMPACT - $2.3 BN in losses, stock plummeted 28% and severe company reputation damage and potential Moody's downgrade. Arrest: 2 counts accounting / 1 count misuse of position

    PROFILE - Single Trader at Delta-One Desk (ETF) with computer science education & experience in back office. Believed to have started by making a bad trade in 2008, trying to make it back and covering it since.

    METHOD:

    - Significant speculative long positions in ETFs made, which were not covered, leaving company 100% exposed to market risk
    - Fictitious covered trades in DAX, Euro Stoxx, and S&P 500; same trades since 2008 closed & then reopened
    - Was able to hide the fake hedge trades as OTC settlement is over 3 days, or longer (systemic risk of fragmentation in Euro clearing market)
    - Also, two-way confirmations not always sent out by company, or expected back by some EU banks on these type trades

    UNCOVERED: Fake trades set to roll-over, perpetrator no longer able to cover extreme losses, wrote confessional email.

    - IndexUniverse Sept 19, 2011

    TOLERANCE to KRI:

    TOLERANCE: Examples: 10% drop in stock price, drop in revenue by 10% or more, capital increases to cover loss exposure by more than 5%

    APPETITE: Upper limit of capacity for losses based on targeted forecasted revenues & capital levels the firm seeks to attain

    THRESHOLD: Difference between risk exposures and risk appetite used to set limits in each appetite category

    CAUSES: Both internal and external / systemic

    - Confirmations not sent out, or expected in return for ETF Trades
    - Taking advantage of longer than usual clearing & settlement in EU
    - Not sure if Mgmt overseeing Gross positions in Delta-One desk; and expected margin requirements related fee postings

    KRI POLICY SUGGESTIONS?


  • KRIs In Action: Risk Mapping to Causal Factors (the old "Due to" Statements)

    Business Unit #1 Inherent Risk Analysis: Equities Derivatives

    | CAUSAL DRIVERS (Breakdown Due to:) / LOSS EVENT TYPES: | Internal Fraud | External Fraud | Employment Practice & Workplace Safety | Clients, Products and Business Practices | Business Disruption & Failure | Damage to Physical Assets | Execution, Delivery & Process Mgmt. |
    |---|---|---|---|---|---|---|---|
    | Strategy | n/a | n/a | Loss of Key People w/o Succession Planning | Product Design Tied to Inadequate Market Liquidity | Dept. BCP Plan Does not Work w/ Firm-Wide Plan | Selection of Business location prone to damage | Aggregate Trading Limits Are Exceeded / Trade Partner Selection Risky |
    | Management | Abuse of Signing Authority | n/a | Under-Documented Termination Process | Poor Oversight Over Application of Compliance Rules | Not Providing Employees with BCP Training | n/a | Trade or Margin Fees not Collected or Accounted for / Gross Positions not Monitored |
    | Conduct | Employee Cover-up Poor Performance or Error | n/a | Sexual Harassment / Comp Plan Encourages Risky Conduct | Trade relationship established w an inappropriate counterparty not in interest of the firm | Unintentional lack of knowledge to carry out BCP | Intentional destruction or theft of company property | Negligence in Employee Performance in Carrying Out Duties |
    | Processes | Conflicting Duties s/u in Organization | Fraudulent Trade Partner Documents | n/a | Customer Identification / KYC Not properly performed | Procedures for BCP not Clearly / Accurately Communicated | n/a | Trade Policies/Procedures Unclear / Confirms not Received |
    | Technology | Logical Access Security Breach | Firewall Security Lax | n/a | Corporate Credit Application Under-Functions | Systems will not Recover within Required Time | Data is Corrupted | System to System transmission error |
    | External Factors | n/a | Damaging Viruses being Introduced in Cyber Attacks | n/a | Massive Defaults in Corporate Credits in US | Outsource Vendors Fail in the event of a Disaster | Fire, Flood | Clearing Firm Parties Defer Settlement |

  • KRIs In Action: Risk Mapping to Causal Factors (the old "Due to" Statements)

    Business Unit #1 Inherent Risk Analysis: Equities Derivatives

    | CAUSAL DRIVERS (Breakdown Due to:) / LOSS EVENT TYPES: | Internal Fraud | External Fraud | Employment Practice & Workplace Safety | Clients, Products and Business Practices | Business Disruption & Failure | Damage to Physical Assets | Execution, Delivery & Process Mgmt. |
    |---|---|---|---|---|---|---|---|
    | Strategy | n/a | n/a | Loss of Key People w/o Succession Planning | Product Design Tied to Inadequate Market Liquidity | Dept. BCP Plan Does not Work w/ Firm-Wide Plan | Selection of Business location prone to damage | Aggregate Trading Limits Are Exceeded / Trade Partner Selection Risky |
    | Management | Abuse of Signing Authority | n/a | Under-Documented Termination Process | Poor Oversight Over Application of Compliance Rules | Not Providing Employees with BCP Training | n/a | Trade or Margin Fees not Collected or Accounted for / Gross Positions not Monitored |
    | Conduct | Employee Cover-up Poor Performance or Error | n/a | Sexual Harassment / Comp Plan Encourages Risky Conduct | Bad IB deal made not in interest of the firm | Unintentional lack of knowledge to carry out BCP | Intentional destruction or theft of company property | Negligence in Employee Performance in Carrying Out Duties |
    | Process | Conflicting Duties s/u in Organization | Fraudulent Trade Partner Documents | n/a | Customer Identification / KYC Not properly performed | Procedures for BCP not Clearly / Accurately Communicated | n/a | Trade Policies/Procedures Unclear / Confirms not Received by Trade Partner |
    | Technology | Logical Access Security Breach | Firewall Security Lax | n/a | Corporate Credit Application Under-Functions | Systems will not Recover within Required Time | Data is Corrupted | System to System transmission error |
    | External Factors | n/a | Damaging Viruses being Introduced in Cyber Attacks | n/a | Massive Defaults in Corporate Credits in US | Outsource Vendors Fail in the event of a Disaster | Fire, Flood | Clearing Firm Parties Deferred Settlement |

    KRI Measurement: # Disabled UserIDs / password resets; Periodic (daily?); Information Security Officer

    KRI Measurement: # Gross Trades Exceeding Set Threshold; Daily; Trade Supervisor / Risk Mgr

    KRI Measurement: # / $ Open 3pty OTC Confirms w-no Cash Flow; Weekly; Report to Desk Risk Mgr

  • Aggregating KRIs

    [Diagram labels: Private Wealth Mgmt (LOB); Institutional Securities (LOB); Securities Operations (Back Office); Equity Derivatives (Front Office); Fixed Income (Front Office)]

    Requires Common Language for Process, Risk Event Types, Control Types, and Causal Factors / Drivers & Data Aggregation Platform

  • Any Lessons Learned?

    - If you're looking for the Top 10 Best Firm-Wide KRIs, Save Your Energy! Risk / exposures change continually. What may be best are risk scores (Customer Satisfaction/Technology Service/Employee Satisfaction)
    - Strive for Consistency Across Organization (e.g., Scalability, etc.) over Quantity. It takes time to think about the comparability of the KRIs
    - Calculating Correlation of KRIs with Actual Losses to Validate is a good exercise but don't expect results will justify doing KRIs - Time better spent may be correlation to other KRIs. Once implemented, KRIs work immediately so loss history collected may not be robust enough to Think about joining KRI Exchange or other Consortium.
    - Ensuring KRIs tie directly to Risk Event / Loss Categories: Focus on the pivot table concept that all roads lead back to measuring / monitoring against defined loss categories
    - Don't make it too difficult/costly to obtain the information or to validate the information gathered. It will soon be dropped.


  • Thank You!

    Contact:

    Tom Diminich, Director, IT Risk Advisory Services, Experis Finance

    Direct: (212) [email protected]

    Kristen L. Gantt, CPA, Managing Director, RiskBusiness Americas (a Madison-Davis & RiskBusiness International Company)

    Direct: (212) [email protected]
