Key Risk Indicators: focusing on the right risks in today's environment
Presented by:
Kristen L. Gantt, MD, Integrated Risk Advisory, RiskBusiness Americas
Tom Diminich, Director, IT Risk Advisory, Experis Finance
Why Invest in KRIs?
What do these significant loss events have in common?
- UBS - trade fraud (still under investigation)
- Societe Generale - trade fraud
- Citibank - privacy breach
- AIG - CDS exposure
- Madoff - ponzi scheme
- LTCM - sudden illiquidity in portfolio
- Barings - concentration
HINT: Trick question.
2010-2011 RiskBusiness Americas LLC
ANSWER: After analyzing post-loss & causal factors, they all had a
good chance of being prevented or detected if Key Risk Indicators
(KRIs) provided closer to real time information that could be
aggregated, analyzed, and escalated.
Differences in Senior Management Approaches Affected Outcomes during Financial Market Turmoil
According to the Senior Supervisors Group "Observations on Risk Management Practices during the Recent Market Turbulence" (March 6, 2008), these 4 things were done well by the financial institutions that made out OK (relatively speaking):
- IDENTIFIED RISK APPETITE & CONNECTED WITH RISK MITIGATION STRATEGY: The balance that each firm's senior management in general achieved between its desire to do business and its appetite for risk as reflected in the tone set for developing or enforcing controls on the resulting risks;
- IDENTIFIED RISK AND TOOK ACTION: The role that senior management in particular played in identifying and understanding material risks and acting on that understanding to mitigate excessive risks;
- BROKE THROUGH UPWARD CORPORATE COMMUNICATIONS BARRIERS: The efforts that senior management undertook to surmount organizational structures that tended to delay, divert, or distort the flow of information up the management chain of the firm; and
- BROKE THROUGH X-DISCIPLINARY COMMUNICATIONS BARRIERS: The breadth and depth of cross-disciplinary discussions and communication of insight into relevant risks across the firm.
Key Risk Indicator (KRI) Definitions
Simple Definition: A KRI tracks an important exposure and does it well.
From Wikipedia, the free encyclopedia: A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is, to detect an adverse impact or prevent the possibility of future adverse impact (Lagging, Current & Leading KRIs), and to give an early warning to identify a potential event that may harm continuity of the activity/project.
- A KRI differs from a Key Performance Indicator (KPI) in that a KPI is a measure of how well something is being done.
- A Macro Indicator is an external indicator that is relevant to understanding exposure to risk based on scenario and data leading to loss.
- A Common Indicator is an internal indicator relevant to everyone in the organization (e.g., Customer Complaints, Employee Morale).
- A Specific Indicator is an internal indicator relevant to risk inherent in a Business Unit's Operations & Processes (e.g., number of unmatched trades).
Conceptual: Translating Risk Appetite to Risk Tolerance to KRIs
[Figure: Corporate & BU Strategic Objectives; Business & Tactical Strategy Execution; Risk Tolerance / Appetite; Corporate Risk & Governance Programs. Cycle steps: Identify Factors Affecting Exposure Tolerance; Define the KRI, Develop Measurement Policy & Specify the Threshold; Monitor, Aggregate, Analyze, Report & Determine Mitigating Action.]
Typical Risk Management Responsibilities in the Organization
- Entity Level / Executive Committee: Culture Setting; Strategic Objectives & Direction; Corporate Risk Tolerance & Appetite; Code of Ethics; Corporate Policies
- Management Level: Line of Business Limits / Risk Tolerance & Thresholds; Divisional Policies; Risk Assessment & Response Decisioning; Approval Level Setting; Organizational Design
- Supervisory Level: Scenario Level Risk & Control Activities Review; Key Risk Indicators; Data Validation
- Surveillance Level: Quantitative Analysis (VaR, LGD, OpVar); Imbedded Testing; Rules-Based or Artificial Intelligence Monitoring
Conceptual: Beginning with Tolerance & Appetite
- Determine Company's Risk Tolerance
- Within tolerance, how much Risk Appetite, both qualitative & quantitative
- Translate Tolerance / Appetite into LOB Strategic Business objectives
- Drill down to business processes
Identify Factors Affecting Exposure Tolerance: Generally, the gap that exists between the level of potential liability (loss of $, % share loss, rating loss) as compared to its ability to access capital. If not taking enough risk, may lose out on upside opportunity (look at oppty $).
Risk Tolerance: How much risk is the organization able to pay for losses as a result of risk related events? E.g., is a 28% loss in stock price and simultaneous downgrade by Moody's within tolerance? How long to recover? Or like Barings / Lehman?
Risk Appetite: How much risk is an organization willing to accept in pursuit of creating value? Flipside of performance. E.g., only reduction in 10% stock price, or zero tolerance for discrimination suits - fight or flight.
[Figure labels: ($) Risk; Access to Capital; $ Oppty]
Conceptual: Relating Losses to Risk Management Frameworks to KRIs
Internal / External Loss (Potential Liability) Analysis
1. To Develop Useful KRI that Detects / Prevents Exposure to Liability, one must assess:
- Loss History (Internal & External)
- Causal Factors
- Relevant Scenarios
- Audit & Compliance Issues
- Capital Allocation to BU
2. Develop Top-down & Bottom-up Inherent / Residual Risk Map pointing to Processes, Risks, & Control Assessment (Using a Common language big advantage to tie to #1)
KRI Measurements borne from intersection of 1 & 2
Define KRI, Develop Measurement Policy & Specify the Threshold
TIPS:
- Determine $ Appetite Threshold for Specific Risk within Controllable Business Unit.
- Determine related processes, risks & controls (and their owners) where breakdown expected to occur AND motivational drivers. Don't underestimate the power of good causal analysis.
- Identify a value representing existence of measurable condition in process (e.g., # & $ Breaks) or In-Effectiveness of Control (e.g., Days P&L Recs Past Due).
- Calibrate related Thresholds starting from Red to create Amber & Green. Clearly define specific measurement protocol.
- Thresholds may be set as caps, collars or floors. Set these to trigger an alert when either touch or exceed.
- Track KRIs over time to pick up on and document trends.
- May use scaling math or T-Values for comparability, correlation & composite KRIs.
- Expect to review KRIs for change as risks & processes change.
Conceptual: Understanding Causes in Scenarios and Relating to KRIs
[Figure: causal chain with columns Core Drivers, Clouds, Triggers, Risk Events, and KRIs. Labels on the diagram: Workload; Individual Capability; Aggressive Sales; Misunderstanding; Sales / Revenue Targets; Resourcing Levels; HR Practices; Oversight Management; Team Function; Task Difficulty; Seismic Vulnerability; Goofs; Miscommunication; Seismic Event; Process Complexity; Training; External / Seismic; Product Complexity; Execution Errors; HR; LoB; Mgmt.]
Conceptual: Operationalizing KRI Program
- Start with KRI Policies, Measurement Specifications, Thresholds
- Determine Providers & Consumers of Metrics
- Determine Tools / Resource Requirements for Aggregation & Analytics
- Execute Data Analytics Implementation
- Test Results, Usefulness & Actions
Monitor Against Threshold, Aggregate, Analyze, Report & Determine Mitigating Action
Elements of a KRI Policy Include:
- Definition: KRI Name; Description of What is Being Measured; Type of KRI (leading, lagging, etc.); Causal Types Driving KRI Rationale; Risk Being Mitigated Driving KRI Rationale; Version # & Release date of KRI
- Specifications: Threshold Metric Definitions & Escalation Procedures; Measurement Methodology / Data collection & validation procedures; Data Source(s) Application / Data Provider(s)
- Links to Metadata & Centralized Referential Data Libraries: Organizational Unit; Process, Risk & Control Type; Geographic Location; Product Type(s); Financial Statement Line Item; Other
Operationalize KRI Measurement & Monitoring
- Evaluate existing technology for monitoring / workflow capabilities & determine platform;
- Determine providers (inputs) and consumers (outputs) of individual KRI metrics;
- Configure platform with KRI policies based on organizational hierarchy link to risk taxonomy;
- Design data input mechanisms (e.g., Manual, API);
- Determine and configure reporting parameters; and
- Test the process (inputs, function, outputs) vs. goals
Deliverables: Fully functioning workflow around measuring, monitoring, and responding to KRI feedback loop; Accompanying firm-wide policies & procedures
Post Implementation Use Test Validation
- Review that the program objectives are working as intended through objective review;
- Validate results of KRI information to management actions
- Track that management actions are managed through appropriate prioritization & budget allocation
Deliverables: Management Reports & Presentation to Risk Committees
Before starting, these are key To Dos:
- Define Organizational Topography: Lines of Business, Business Units, Cross-Functional Units
- Establish C-Level Buy-In
- Pre-Plan Communication Structures (i.e., not used for compensation, discussed through Risk Management)
- Determine Appropriate Level of Resources are Available to Implement a Reliable KRI Development Process
- Develop an Implementation Plan, e.g., Targeting a Pilot Area with Biggest Expected Return for Time Spent
Use Test - At the end of the day, KRIs should:
- Prompt Timely Management Risk Response (Documented)
- Be Consistent: Comparable with other business units/lines of business (Apples : Apples)
- Be Relevant: Ties to risk tolerance / appetite
- Be Transparent: Easily understood in common business language function
- Be Complete: Data validation to ensure accurate / complete
Conceptual: Today's KRI Reporting has Become more Visual
Practical Examples
Developing Key Risk Indicators
4 Key Questions - Summary
1. What Are the Worst Losses/Near Misses Over the Past 10 Years Caused in this Business Unit? Your Competitors' Units? (95-99% CL)
2. What Would be the Level of Loss I Could Tolerate vis-à-vis my Business Unit Strategic Plan? [Specify the Threshold]
3. How Often Would I Need to Monitor the Risk Indicators & To Whom Would I Escalate to Take Action in Enough Time to Mitigate Loss? [Monitor the Threshold]
4. What Common Language & Technology Platforms can I Leverage to Build a Sustainable KRI Program?
[Figure labels: Identify Factors Affecting Exposure Tolerance; Specify KRI & Threshold; Monitor the KRI Threshold]
Simple Analogy: Progression from Tolerance to KRI
PROGRESSION FROM TOLERANCE to KRI:
- TOLERANCE: Must achieve top 5 place to enter Worlds; otherwise, reputation risk and total loss of sponsor funding
- APPETITE: Must achieve 1st through 3rd place to sustain quality financial sponsorship & strong reputation
- THRESHOLD: History shows boat speed trumps boat to boat tactics; focus on closing boat speed gap.
- CAUSES: Reasons for slow boat speed = crew weight placement, sail design & trim. Most variable? Weight & trim
- KRI POLICY SUGGESTIONS: Boat Speed?
  - Set up 7 KRI Tell Tails in Luff of Sail at different heights (wind velocity & direction varies at heights).
  - Trimmer (Risk Mgr) Evaluates direction of streaming at different levels. AGGREGATED view will show boat is operating slower than expected or at optimal speed
- ACTION if SLOWER: Trimmer immediately adjusts sails or escalates to skipper to change point of sail. Continuous communication.
Relevant Case: Progression from Tolerance to KRI
Significant Loss through Trader Fraud:
- IMPACT - $2.3 BN in losses, stock plummeted 28% and severe company reputation damage and potential Moody's downgrade. Arrest: 2 counts accounting / 1 count misuse of position
- PROFILE - Single Trader at Delta-One Desk (EFT) with computer science education & experience in back office. Believed to have started by making a bad trade in 2008, then trying to make it back and covering it since.
- METHOD - Significant speculative long positions in EFTs made, which were not covered, leaving company 100% exposed to market risk
  - Fictitious covered trades in DAX, Euro Stoxx, and S&P 500; same trades since 2008 closed & then reopened
  - Was able to hide the fake hedge trades as OTC settlement is over 3 days, or longer (systemic risk of fragmentation in Euro clearing market)
  - Also, two-way confirmations not always sent out by company, or expected back by some EU banks on these type trades
- UNCOVERED: Fake trades set to roll over, perpetrator no longer able to cover extreme losses; wrote confessional email.
- IndexUniverse Sept 19, 2011
TOLERANCE to KRI:
- TOLERANCE: Examples: 10% drop in stock price, drop in revenue by 10% or more, capital increases to cover loss exposure by more than 5%
- APPETITE: Upper limit of capacity for losses based on targeted forecasted revenues & capital levels the firm seeks to attain
- THRESHOLD: Difference between risk exposures and risk appetite used to set limits in each appetite category
- CAUSES: Both internal and external / systemic
  - Confirmations not sent out, or expected in return, for EFT Trades
  - Taking advantage of longer than usual clearing & settlement in EU
  - Not sure if Mgmt overseeing Gross positions in Delta-One desk; and expected margin requirements related fee postings
- KRI POLICY SUGGESTIONS?
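KRIs In Action: Risk Mapping to Causal Factors (the old "Due to" Statements)
Business Unit #1 Inherent Risk Analysis: Equities Derivatives
Rows are CAUSAL DRIVERS (Breakdown Due to); entries under each row are the LOSS EVENT TYPES.

Strategy
- Internal Fraud: n/a
- External Fraud: n/a
- Employment Practice & Workplace Safety: Loss of Key People w/o Succession Planning
- Clients, Products and Business Practices: Product Design Tied to Inadequate Market Liquidity
- Business Disruption & Failure: Dept. BCP Plan Does not Work w/ Firm-Wide Plan
- Damage to Physical Assets: Selection of Business location prone to damage
- Execution, Delivery & Process Mgmt.: Aggregate Trading Limits Are Exceeded / Trade Partner Selection Risky

Management
- Internal Fraud: Abuse of Signing Authority
- External Fraud: n/a
- Employment Practice & Workplace Safety: Under-Documented Termination Process
- Clients, Products and Business Practices: Poor Oversight Over Application of Compliance Rules
- Business Disruption & Failure: Not Providing Employees with BCP Training
- Damage to Physical Assets: n/a
- Execution, Delivery & Process Mgmt.: Trade or Margin Fees not Collected or Accounted for / Gross Positions not Monitored

Conduct
- Internal Fraud: Employee Cover-up Poor Performance or Error
- External Fraud: n/a
- Employment Practice & Workplace Safety: Sexual Harassment / Comp Plan Encourages Risky Conduct
- Clients, Products and Business Practices: Trade relationship established w/ an inappropriate counterparty not in interest of the firm
- Business Disruption & Failure: Unintentional lack of knowledge to carry out BCP
- Damage to Physical Assets: Intentional destruction or theft of company property
- Execution, Delivery & Process Mgmt.: Negligence in Employee Performance in Carrying Out Duties

Processes
- Internal Fraud: Conflicting Duties s/u in Organization
- External Fraud: Fraudulent Trade Partner Documents
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Customer Identification / KYC Not properly performed
- Business Disruption & Failure: Procedures for BCP not Clearly / Accurately Communicated
- Damage to Physical Assets: n/a
- Execution, Delivery & Process Mgmt.: Trade Policies/Procedures Unclear / Confirms not Received

Technology
- Internal Fraud: Logical Access Security Breach
- External Fraud: Firewall Security Lax
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Corporate Credit Application Under-Functions
- Business Disruption & Failure: Systems will not Recover within Required Time
- Damage to Physical Assets: Data is Corrupted
- Execution, Delivery & Process Mgmt.: System to System transmission error

External Factors
- Internal Fraud: n/a
- External Fraud: Damaging Viruses being Introduced in Cyber Attacks
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Massive Defaults in Corporate Credits in US
- Business Disruption & Failure: Outsource Vendors Fail in the event of a Disaster
- Damage to Physical Assets: Fire, Flood
- Execution, Delivery & Process Mgmt.: Clearing Firm Parties Defer Settlement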
KRI Measurement: # Disabled UserIDs / password resets; Periodic (daily?); Information Security Officer
KRI Measurement: # Gross Trades Exceeding Set Threshold; Daily; Trade Supervisor / Risk Mgr
KRI Measurement: # / $ Open 3pty OTC Confirms w/ no Cash Flow; Weekly; Report to Desk Risk Mgr
Aggregating KRIs
[Figure: KRIs aggregated across units. Labels: Private Wealth Mgmt (LOB); Institutional Securities (LOB); Securities Operations (Back Office); Equity Derivatives (Front Office); Fixed Income (Front Office).]
Requires Common Language for Process, Risk Event Types, Control Types, and Causal Factors / Drivers & Data Aggregation Platform
Any Lessons Learned?
- If you're looking for the Top 10 Best Firm-Wide KRIs, Save Your Energy! Risk / exposures change continually. What may be best are risk scores (Customer Satisfaction / Technology Service / Employee Satisfaction)
- Strive for Consistency Across Organization (e.g., Scalability, etc.) over Quantity. It takes time to think about the comparability of the KRIs
- Calculating Correlation of KRIs with Actual Losses to Validate is a good exercise, but don't expect results will justify doing KRIs. Time better spent may be correlation to other KRIs. Once implemented, KRIs work immediately so loss history collected may not be robust enough to
- Think about joining KRI Exchange or other Consortium.
- Ensuring KRIs tie directly to Risk Event / Loss Categories: Focus on the pivot table concept that all roads lead back to measuring / monitoring against defined loss categories
- Don't make it too difficult/costly to obtain the information or to validate the information gathered. It will soon be dropped.
Thank You!
Contact:
Tom Diminich
Director, IT Risk Advisory Services
Experis Finance
Direct: (212) [email protected]
Kristen L. Gantt, CPA
Managing Director
RiskBusiness Americas (a Madison-Davis & RiskBusiness International Company)
Direct: (212) [email protected]