Financial Risk Management and Business Continuity Management
Christoph Stute
Guatemala 28 – 29 March 2012
Financial Risk Management
Risk Management in Banks Regulatory Framework in Germany
“Minimum Requirements for Risk Management (MaRisk)”
Regulation issued by the Federal Financial Supervisory Authority
❙ MaRisk provides a flexible, hands-on framework for risk management at institutions defined in the German Banking Act (not Bundesbank!)
❙ Within the meaning of MaRisk, risk management includes the determination of appropriate strategies, as well as the establishment of appropriate internal surveillance procedures.
❙ The internal surveillance procedures comprise the internal control system and internal audit.
❙ The internal control system covers rules regarding the organizational and operational structure and processes for identifying, assessing, treating, monitoring and communicating risks.
❙ MaRisk aims primarily to ensure the establishment of appropriate internal governance structures.
3 financial risk management
Bundesbank Risk Control Office
❙ established in 1997
❙ Direct reporting to the Executive Board
❙ in analogy with banking supervision regulations (“MaRisk”) independent from markets department up to and including the board level (segregation of duties)
❙ Our mission: We identify and measure risks, advise impartially in questions of risk management and report on risks and returns.
❙ currently 21 staff members
❙ divided into 2 sections: Risk Framework & Reporting and Analytics & IT Systems
Functions of the Office for Risk Control
❙ reporting (daily, monthly, annually)
❙ advisory function for the board, e.g. strategic asset allocation.
❙ Risk component/ Limit setting of the investment guidelines
❙ proposals for the portfolio benchmarks
❙ pricing, performance measurement
❙ analysis, measurement and limitation of financial risks
❙ counterparty monitoring
❙ Eurosystem: attendance at the Risk Management Committee
❙ Legal documentation
❙ Market reasonability checking
In addition…
❙ In its role as fiscal agent, the Bundesbank also performs asset management services on behalf of the Federal and state governments.
❙ Asset management services cover:
- several pension fund portfolios of the Federal Government
- portfolio of the Monetary Stability Foundation
- pension fund portfolio of the Federal Employment Agency
- pension fund portfolio of the Federal Financial Supervisory Authority
- several state (regional) government pension reserves and funds
❚ All related risk management functions are performed by the Office for Risk Control.
Financial Risk Management is part of Enterprise Risk Management
[Diagram: risk taxonomy. Top-level categories: Reputational Risks, Financial Risks, Operational Risks, Business Risks. Further labels: Currency Risks, Interest Rate Risks, Liquidity Risks, Counterparty Risks; Employee Risks, Technical Risks, External Risks; Critical Infrastructure, Natural Risks, Primary Maintenance Risks, Changes in Law, Negative Press Coverage, Dependencies on Third Parties, Legal Risks, IT Risks, Incorrect Conduct, Misallocation of Staff, Inadequate Qualification of Staff, Human Failures, General Security Risks.]
Enterprise Risk Management (ERM)
❙ Executive Board has the overall responsibility for the management of risks
❙ ERM: Responsibility is with the Department Controlling, Accounting and Organisation; ERM Office receives risk reports of the business areas, checks the results of risk assessment and prepares annual risk report to the board
❙ Management of operational risks: decentralized approach, individual business areas (heads of departments) are responsible
❙ Financial Risks: Office for Risk Control
❙ Other dedicated units are responsible for IT security, general security, crisis management, business continuity
Assets covered by Office for Risk Control
[Diagram: assets covered by the Office for Risk Control, under the column headings Bundesbank, Eurosystem and Services (fiscal agent). Labels: Gold and currency reserves; FX-Operations; Euro denominated portfolios; ECB foreign reserves; Eurosystem Refinancing Operations; Foundation "Geld und Währung"; Pension fund BaFin; Pension fund Federal employment agency; Pension and reserve funds for the federal and (most) state governments; Central bank reserve management services. Figures shown: ~260 bn €; ~590 bn €; all serviced portfolios: 15 bn €.]
Financial Risk Management at Deutsche Bundesbank
Risk Control
- responsible for long-term risk/return level (benchmark proposal and maintenance)
- defines risk control systems
- measures performance
- reports about risk/return situation
Market Operations
- makes and executes daily investment decisions
- tries to outperform benchmark
- positions portfolio respecting the given risk framework
Financial Risk Management at Deutsche Bundesbank
Decision Making Process
[Diagram: decision making process among the Board, the Investment Committee, Risk Control and the Traders. Labels: "approves investment guidelines"; "decides on tactical deviations from benchmark"; "consulting and reporting"; "reporting"; "controlling".]
Financial Risk Management at Deutsche Bundesbank
Use of strategic benchmarks
[Diagram: strategic view versus tactical view. Labels: Board, Risk Control, Front Office; Risk Appetite, Additional Risks; Benchmark; Leeway; Return; Optimize return.]
Risk management process (Textbook Version)
Risk management process (Central Bank Version I)
Risk management process (Central Bank Version II)
The greatest risk is the risk unseen
(the “black swan”)
Business Continuity Management (BCM)
Definitions
Operational Risk Management
• ORM is the overall process for early identification, handling and monitoring of risks
• ORM includes business risks and OR
• ORM gives an overview of all risks and helps to decide which risks are acceptable and which are not (risk tolerance / risk appetite)
• ORM has preventive character
• Focus: risks emerging from conducting the business
Crisis Management
• CM is the ability of an organisation to respond to any crisis situation in a predefined way
• CM includes a “tool box” with organisational and technical utilities to support management (BCP is one of these “tools”)
• CM has mainly reactive character
Business Continuity Management
• BCM identifies potential threats to an organisation and the impacts on its most critical functions
• BCM puts an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way
• BCM has mainly reactive character; focus: risks that endanger the object of a company
Page 18, BCM at Deutsche Bundesbank
BCM within the security strategy of the Deutsche Bundesbank
Strategic Security Framework: Definition of security
Security describes a situation which is free from unacceptable risks of impairment or is regarded as free of risk.
For complex systems, it is impossible to completely rule out risks.
Security Objectives
• The following are to be protected in accordance with the level of risk identified:
- Persons
- Valuables
- Property
- Information
• Our policy: The protection of persons overrides the protection of valuables or property
Strategic security framework
The protection goal is achieved by security sub-strategies:
• Strategy for analysing threats to the Bundesbank
• Strategy for protecting persons
• Security strategy for cash-in-transport vehicles
• Property protection strategy
• IT security strategy
• Strategy for emergency and disaster protection, civil defence strategy
• Strategy for protecting confidential information
• BCP
• Crisis Management
Definition and objective of BCP
• In general, business continuity planning (BCP) aims at a temporary or possibly permanent continuation of business operations in emergency and disaster situations
• The objective of the Bundesbank’s BCP is the continuation of key central bank business activities in emergency and disaster situations, in order to avoid the central bank causing a destabilisation of the financial system
• Consideration given to risk and cost-benefit aspects
History of BCM at Bundesbank
❙ BCM is not a new issue for the Bundesbank; contingency measures have been in place since its early days
❙ But in the past BCM wasn’t a major issue, because of
  ❙ relying on manual procedures for performing business,
  ❙ the decentralised organizational structure and decentralised execution of business (most of critical functions were performed on regional level) leading to a broad protection against major incidents,
  ❙ technical redundancies through decentralised data centres.
History of BCM at Bundesbank
❙ For central functions a two sites concept for the data centre of the central office was put in place (in the mid 1980s)
❙ In the mid 1990s: the 10 data centres were replaced by a two sites/two regions concept (Frankfurt and Düsseldorf)
❙ Since 2005 the two sites/two regions concept is realized in Frankfurt
Reasons for investigation and strengthening BCP
External events
❙ Year 2000
❙ Terrorism, 9/11
❙ Serious power supply failures in North America and Europe in 2003
❙ Computer viruses: Mydoom, Sober …
❙ Contingency obligations (e.g. TARGET security requirements, KRITIS, Basel II, Act on Corporate Governance and Transparency…)
Internal reasons
❙ In-house power supply failures
❙ Structural reform renders the Bundesbank’s former decentralised crisis management organisation obsolete
Levels of Business Continuity Planning and Crisis Management
❙ Bundesbank internal arrangements
❙ Arrangements concerning the national banking sector: Working Group Crisis Management for Payment and Clearing Systems (→ communication infrastructure for serious crisis and contingency scenarios in large-value payment transactions)
❙ National level of preparations:
  ❙ Emergency Management (Bundesbank is involved regarding securing supply of cash)
  ❙ Communication networks for managing financial crisis
  ❙ Federal Government initiated a working group to analyse security and stability of IT infrastructures, which are critical to the common good (→ e.g. electricity, telecommunication, transport, financial services, …)
❙ Arrangements on ESCB level
Basic approach of the Bundesbank on BCM
❙ Business Impact Analysis (BIA) to identify most critical business functions / processes → definition of core business function
❙ Analysis of potential threats → definition of scenarios to be responded to
❙ Decision which function / process has to be secured against which threat on basis of a cost/benefit analysis by the board
❙ Identification of organisational and technical measures to reach safeguarding
❙ Ongoing investigation; reason: processes and threats change permanently
❙ Responsibility: business areas and IT
❙ Co-ordination and reporting to Executive Board via ACO (= Steering Committee)
❙ Regular review by Internal Audit and during Organizational Analysis
Roles and responsibilities
❙ BCP strategy → Ex. Board (= definition of scenarios to respond to; definition of critical functions)
❙ BCP (developing and implementation) → business units on basis of predefined scenarios
❙ BCP (methodology and reporting) → Division Organisation, Security and Crisis Management Section
Core business areas of the Deutsche Bundesbank
❙ Cash and cashless payments
❙ Operational monetary policy including collateral management
❙ Account management and accounting
❙ Foreign exchange and reserve management for the Bundesbank and on behalf of the ECB
❙ not statistics or research
Scenario technique
Scenario 1: Production system or communication links temporarily unavailable; backup system available, staff available
→ contingency measures; hot secondary site
Scenario 2: Essential site(s) partially unavailable but the production system and all communication links are available and functioning, staff available
→ Use of remote access/teleworking; use of office space at other locations
Scenario 3a: Essential site(s) inaccessible; production system and all communication links down; backup system functioning, staff available
→ Hot secondary site
→ Use of remote access/teleworking; use of office space at other locations
Scenario 3b: Essential site(s) inaccessible; production system and all communication links down; backup system functioning, staff unavailable
→ Hot secondary site
→ Perform critical business by split teams at different locations (so that one part of the team is not affected by the incident)
Scenario 4: Essential site(s) inaccessible; production system and all communication links down; backup system not functioning; loss of competent staff, entire Rhein/Main area similarly affected, Bundesbank customers/partners also affected
Implementation of Business Continuity Planning (Part I)
❙ Securing availability of information technology applications and data
  ❙ Data backup
  ❙ Installation of a second data processing center (2nd site, hot-standby)
  ❙ Redundancy of hardware, power supply, network, …
❙ Securing ability to communicate for crisis management team and BCP teams
  ❙ Redundancy of telecommunication infrastructure
  ❙ Fall back solutions
❙ Implementation of fall back procedures, if IT applications are not available
Implementation of Business Continuity Planning (Part II)
❙ Service Level Agreements between business units and supporting units (so that everybody knows exactly what is expected and what can be delivered)
❙ Installation of backup operations sites depending on organisational issues (fully equipped sites or sites normally used for other purposes which can be used by BCP team if necessary)
❙ Splitting of operations staff into teams at different sites in normal times, so that one team can take over in a crisis
❙ Training of staff
❙ Regular testing
BCP for the core central bank business areas
– some practical experiences from the beginning
❙ A central bank is different to companies with profit maximisation; no consideration of business areas that have the most financial impact in case of an interruption but what has the biggest impact on public life
❙ At the beginning, most business units do not see the necessity for BCP → increasing of costs, unneeded activities, “disturbs” normal business;
❙ Later on, nearly every business unit liked to have a BCP, as every unit sees itself as “important” → new large discussion: which business unit / process is “critical”