Thursday, 31 March 2016

Risk Management and Corporate Governance


  • What is Corporate Governance?
  • What is Risk Management?
  • How do they intersect?
  • Why is Risk Governance important?
  • What is the consequence of failure?
  • What to do, or how do we respond?
Risk Management:
It is defined in ISO 31000 as the effect of uncertainty on objectives (whether positive or negative) followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risk management is the identification, assessment, and prioritization of risks.
Key Issues
  • Probability (Likelihood) of event occurring,
  • Severity (Impact) of the event on set objectives.
The strategies to manage risk typically include transferring the risk to another party, avoiding the risk, reducing the negative effect or probability of the risk, or even accepting some or all of the potential or actual consequences of a particular risk.
Credit Risk - Credit risk is most simply defined as the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms.
Market Risk - Market risk refers to the risk of loss to an institution resulting from movements in market prices, in particular, changes in interest rates, foreign exchange rates, and equity and commodity prices.
Operational Risk – This is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

What happens when it fails?
ENRON – Before bankruptcy in December 2001, one of global leading power, energy & utilities companies - employed 20,000 staff. “A” rated. Was one of Fortune’s Top 100 companies to work for in America in 2000. Creative accounting. Chairman Ken Lay; CEO – Jeff Skilling; CFO – Andrew Fastow. Placed liabilities in shell companies – did not appear in books. Fraudulent deals - Also led to demise of Arthur Andersen. Partly led to Sarbanes-Oxley Act of 2002 (Public Company Accounting and Investor Protection Act). Corporate Governance rules – responsibility of directors; criminal penalties etc.

WorldCom – was America’s second largest long distance phone company (after AT&T). CEO Bernard Ebbers; CFO Scott Sullivan; Comptroller David Myers – aggressive growth strategy – tried to merge with Sprint in 2000. Not approved by regulators. Fraudulent Financial records from mid-1999 to 2002 – booking interconnectivity costs as capital instead of expenses and inflating revenues. Internal auditors unearthed $3.8BN in fraud. Arthur Andersen withdrew opinion. Bankruptcy July 2002.
Lehman Brothers – Founded 1850. Fourth largest investment bank in US (after Goldman Sachs; Morgan Stanley and Merrill Lynch). Declared bankruptcy September 2008 following large exodus of clients; drastic losses in stock and downgrade of assets by credit rating agencies. Largest bankruptcy in US history! Holdings shared between Barclays (NA divisions) and Nomura (Asia-Pac, Europe and Middle East). Financial accounting gimmicks; sub-prime mortgage bets (large positions in securities backed by lower rated mortgages). In first half of 2008, lost 73% of value as credit markets continued to tighten – had to sell off $6bn of assets and lost $2.8bn.
Bear Stearns – Founded 1923. Issued large amounts of asset-backed securities including mortgages (by Lewis Ranieri – “father of mortgage securities”). As losses mounted in 2006 and 2007, company actually increased exposure especially to mortgage backed securities which were central to sub-prime crisis. Sold to JP Morgan for $10/share from 52 week pre-crisis high of $133.20.
Barings Bank – Oldest merchant bank in London (founded 1762) until collapse in 1995 after loss from unauthorized speculative trades by its Head Derivatives Trader, Nick Leeson in Singapore – lost GBP827m. Instead of buying and simultaneously selling, Leeson held on to the contract, gambling on future direction of Japanese markets. Internal challenges – doubled as both floor manager and head of settlement operations. No check and balance.
Societe Generale – Jerome Kerviel – caused Eur4.9bn ($6.1bn) trading loss in 2008, one of largest in history. Arbitraging between equity derivatives and cash equity prices. Wiped off almost two years of pre-tax profits of SG’s investment banking unit. Taking unhedged positions far in excess of desk limits up to Eur 49.9bn (in excess of bank’s total market cap) – disguising exposure with fake hedges. Highlights lack of risk experts on risk committees. States making a profit makes hierarchy turn blind eye.
J.P. Morgan – Losses on Trading/derivatives bet – Made by CIO in London – invests excess deposits to create interest rate hedge – brought in $4bn over last 3 years. Estimates could reach as much as $6bn - $9bn (versus Q1 profit of $5.4bn). CEO Jamie Dimon under pressure. Pay of responsible officers to be docked – little real impact.
Barclays – Rate-rigging scandal brought down CEO, Bob Diamond. Fined GBP290m (approx $450m). Possible criminal prosecution. Glass-Steagall type action possible (division between investment and commercial banking). CEO lost $30m bonus.
RBS – IT glitch caused breakdown of service to customers – could they have tested on one of their brands or regionally before full rollout? Also fighting to keep LIBOR records private – rate fixing scandal.
So who is to save us?
–Board
–Executive Management
–Internal Audit
–Accounting firms
–Rating agencies
–Regulators
All have failed.

Thursday, 10 March 2016

RISK CULTURE

Risk culture can be defined as the system of values and behaviors present throughout an organization that shape risk decisions. Risk culture influences the decisions of management and employees, even if they are not consciously weighing risks and benefits.

Essential parts of a successful risk culture:
  • Leadership and commitment from the highest levels of the organization.
  • Adherence to ethical principles and concern for all stakeholders.
  • Organization-wide recognition of the need for effective risk management.
  • Ready access to reliable information relating to risk at all levels.
  • Active encouragement to share information when things go wrong so that the lessons can be learned.
  • Application of risk management to all activities, even those considered to be complex, remote, or too hard to understand.
  • Encouragement and reward for appropriate risk-taking as well as sanctions for reckless or negligent approaches.
  • Ready access to support and resources for the development of risk management skills.
  • Acceptance of multiple perspectives to challenge the approaches adopted.
  • Alignment of risk culture with the organizational culture.
These can be regarded as the characteristics of a risk mature organization.
Risk culture is revealed in a number of ways. The risk appetite is an expression of how much risk the organization is prepared to accept or tolerate. This in turn is related to its risk capacity, which reflects the ability to accept risk as a consequence of the skills and resources at the organization’s disposal. More than being just the totality of risk appetite, capacity, framework, and processes, however, risk culture determines whether there is genuine buy-in at all levels to address risks and opportunities that arise out of the uncertainty of events.

RISK MANAGEMENT PROCESSES

The main processes of risk management relate to:
Risk analysis:
Risks (both current and emergent) must be identified and assessed for relevance to the organization, its context, and its objectives, and evaluated, leading to a determination of the key risks—the ones requiring most urgent attention by management.
Risk response:
There are a number of ways to respond to identified risks, depending on the risk appetite, available resources, and perceived priorities.
Risk Monitoring:
The potential for change requires routine monitoring with regard to:
  • The system of internal controls and other responses to determine whether they remain relevant, and whether the required measures are in place and are having the intended effect with respect to the risks or opportunities (sometimes referred to as the control objectives).
  • Changes to the internal and external environments that may alter the risk profile, making some less severe while raising the severity of others; or introducing new and previously unanticipated risks, each requiring a new response.
  • Adjustments to the strategy of the organization, causing objectives and risks to change.
Risk Reporting: 
Management and the board (directly or via the audit committee or other similar body such as a risk committee or combined audit and risk committee) will require updates and assurance on the risk profile of the organization and its state of preparedness with respect to internal controls.
Risk management does other things:
It establishes and maintains a risk management framework that is aligned to organizational objectives as well as coordinated, integrated, and enterprise-wide (where “risk management framework” refers to the sum total of all elements of risk management). The framework helps less risk mature organizations to move toward this desired status.
It helps management determine:
  • Risk appetite.
  • Responses to particular risks.
  • The overall risk culture of the organization, enabling it to be progressively more risk mature.
  • It enables organizations to prepare for risks and opportunities before they arise to maximize operational effectiveness and strategic gain.
  • It allows organizations to deploy their resources according to need and potential for advantage.
While risk management can report on the risk profile, internal audit’s analysis of risks and internal control effectiveness provides independent and objective assurance by virtue of its unique role and position. The effectiveness of the risk management framework and processes is often reflected in terms of the organization’s overall risk maturity.

RISK MANAGEMENT PROCESS

Risk management process objectives include the following:
  1. To contribute to the long-term survival of the organization.
  2. To maximize the value delivered to all stakeholders.
  3. To link growth, risk, and return.
  4. To safeguard the assets and reputation of the organization.
  5. To facilitate greater operational effectiveness and efficiency.
  6. To increase the likelihood of achieving strategic and operational objectives.
  7. To comply with legal and regulatory requirements.
  8. To improve organizational learning and resilience.
  9. To be better placed to take advantage of opportunities as they arise.
  10. To help an organization become more risk mature by considering its current and future risks in a coordinated manner within an enterprise-wide framework.
  11. To improve the understanding an organization has of itself and its activities to enable better decision-making, operational management, and deployment of capital and resources.
  12. To reduce uncertainty and volatility in those areas of organizational activity that do not benefit from being risk-laden. In other words, if there is not a reason to accept a risk or to incur the costs associated with controls, the risk should be minimized or removed.
Risk management follows a cyclical and iterative process that uses monitoring as a feedback loop to maintain alignment with strategic objectives, improve the effectiveness of identification and response, and continually raise the level of risk maturity.
Risk management, as a structured approach to addressing the full range of risks faced by an organization, has developed considerably over the last 30 years.
Operational and strategic plans may fail because events occur or conditions arise for which the organization was unprepared. Similarly, losses may arise if resources are irreversibly committed to one opportunity when a better opportunity presents itself. Risk management processes aim to help management by identifying and analyzing potential threats, vulnerabilities, and opportunities; agreeing on effective strategies; and providing regular updates to confirm risks are being managed effectively.

Tuesday, 8 March 2016

Organizational Governance and Risk Management

Risk management, as a structured approach to addressing the full range of risks faced by an organization, has developed considerably over the last 30 years.
Operational and strategic plans may fail because events occur or conditions arise for which the organization was unprepared. Similarly, losses may arise if resources are irreversibly committed to one opportunity when a better opportunity presents itself. Risk management processes aim to help management by identifying and analyzing potential threats, vulnerabilities, and opportunities; agreeing on effective strategies; and providing regular updates to confirm risks are being managed effectively.
There are many highly sophisticated tools, models, frameworks, and resources that organizations can adopt. However, since risk management exists to serve the needs of the organization, it is very important that the approach used is tailored to particular requirements based on its goals, culture, internal and external environments, and overall risk maturity. Therefore, any assessment of risk management processes—the first stage in providing risk management assurance—must consider how well those processes support organizational aims.

Assess risk management processes in the context of alignment with strategic imperatives
The principal purpose of risk management is to help an organization achieve its strategic objectives. It does so by assisting management in:
•   Identifying and assessing the sources and nature of uncertainties that may impact positively or negatively on organizational objectives.
•   Determining how much risk stakeholders are prepared to tolerate.
•   Establishing and maintaining appropriate responses, including controls, to keep risk at a tolerable level.

Any assessment of whether risk management processes are effective must include the extent to which those processes are aligned with organizational objectives.

Objectives of risk management processes
The purpose of risk management and its processes is not always to eliminate or even minimize risk. Instead, the primary aim is to understand risk so that management can make informed decisions. Risk is unavoidable and, to an important extent, desirable. The key processes relate to reviewing strategic objectives, and then risk identification, risk analysis, risk response, monitoring, reporting, and review.

Risk culture
Risk culture refers to the overall attitude and approach an organization takes toward risk. Organizations may be described as being more or less risk mature. As the risk culture becomes more mature, greater importance is attached to understanding risk and considering it in planning and decision-making throughout the organization.

Risk capacity, appetite, and tolerance of organization
Risk capacity refers to how much risk an organization is able to take with respect to its resources and capabilities. Risk appetite is a measure of how much risk an organization is prepared to take, from being risk averse to tolerating higher levels of risk (temporarily or on a long-term basis) in exchange for potential benefits.

Assess the processes related to the elements of the internal environment in which organizations seek to manage risks and achieve objectives
Risk management processes are set in a framework that must be understood and developed in the context of the organization’s internal environment. The approach and implementation of risk management should be sympathetic to and mesh with the organization’s resources and capabilities, and serve to reveal and manage the risks that exist in the internal environment.

Integrity, ethical values, and other soft controls
Unethical behavior has the potential to create significant reputational and financial risks, while acting with integrity may generate positive opportunities. Organizations need to address business ethics with leadership from the highest levels. Risk management processes themselves must be delivered with integrity and support the organization’s resolve for compliance with its codes for professional conduct and ethical behavior.

Role, authority, responsibility, etc., for risk management
Organizations function effectively when there is a clear division of labor with well-defined roles and lines of authority that usually flow down the various structural tiers. Risk management equally requires an appropriate structure together with the necessary resources and channels of communication. From such arrangements, it gains its authority.

The three lines of defense model makes a sharp distinction among the roles of:
  • Operational management.
  • Risk management oversight.
  • Internal auditing (independent and objective assurance on the effectiveness of internal controls and risk management).
In addition, as primary stakeholders, senior management and the board have a critical role to play in ensuring that these three lines of defense are in place and working.

Management’s philosophy and operating style
The organization has a way of doing things that forms a large part of its culture. The “tone at the top” should drive that culture and be reflected by the approach management takes and the style that is adopted across all operational areas.

Organizational culture makes a significant impact on the risk culture
Risk management processes must consider the attitude and style of management generally, and aim to be consistent with the prevailing philosophy while moving the organization toward greater risk maturity.

Legal/organizational structure
The structure of an organization is determined by the way it distributes its responsibilities and resources and the manner in which the various divisions interact. 
  1. Strategic goals, internal capabilities, and its response to the external environment are all determining factors of the structure. As these may change over time, it is sometimes necessary to alter the structure, whether organically or through a more substantial readjustment.
  2. Risk management processes should recognize the risks and benefits of different organizational structures as well as the current configuration.
  3. In addition to structure, organizations may use one of a number of legal forms that are available to reflect the needs of the organization in terms of its size, ownership, control, sources of capital, liability for losses, stakeholder interests, and reporting requirements.
Documentation of governance-related decision-making
Corporate governance arrangements exist to ensure that the interests of the stakeholders—especially those of the agent (management) and the principal (owner)—remain in balance with transparency and accountability. 
  • Documentation is used in support of decision-making and as an audit trail that can be accessed and referenced to ensure openness. 
  • The board (or equivalent) and its subcommittees collectively form the principal mechanisms for oversight and governance. In addition, other external functions may contribute to this process. 
  • Risk management plays a major role in corporate governance.
Capabilities of people and other resources (i.e., capital, time, processes, systems, and technologies)
An organization adds value by taking various inputs and transforming them in some fashion. The extent to which this is possible depends upon the capabilities represented by the staff, equipment, systems, processes, etc. An organizational advantage is gained by meeting customer demands or service-user expectations better than the competition. Each of these capabilities should be evaluated in order to identify risks and opportunities.

Management of third-party business relationships
Organizations can extend their capabilities significantly by engaging with third parties to pursue goals of common interest and the mutual benefits of shared resources. Such relationships carry both risk and opportunity. Risk management processes should extend to cover such relationships and consider the internal arrangements for managing risks by those third parties.

Needs and expectations of key internal stakeholders
The key internal stakeholders are staff, managers, and the owners of the organization. They have significant stakes (or interests) that must be taken into account when considering any new initiative or strategy. Stakeholders contribute greatly to the success or failure of an enterprise. At times, the interests of different groups may be in competition. Therefore, management of stakeholder interests needs to be an integral part of strategic and operational planning.

Internal policies
To ensure consistent operational activity in a way that serves to deliver strategic objectives, it is necessary to set organizational policies. These provide the rationale and guidelines for procedures and are likely to form part of internal controls. Their operation should be considered by risk management processes to determine whether they are working and having the desired effect.

Assess the processes related to the elements of the external environment in which organizations seek to manage risks and achieve objectives
Organizations operate in an external environment in which multiple influences are a continual source of changeable threats and opportunities. Risk management processes should protect the organization from surprises by monitoring the external environment for signs of change to be exploited, resisted, or endured.

Key external factors (drivers and trends) that may impact the objectives of the organization
External factors are often analyzed under the headings of political, environmental, social, technological, economic, and legal (PESTEL). This provides a convenient framework in which to identify risks and opportunities that may have an impact on organizational objectives. It is important to understand the forces that drive change in the external environment and identify the underlying trends.

Needs and expectations of key external stakeholders (e.g., involved, interested, influenced)
There are many external stakeholders (including customers, suppliers, investors, banks, the government, regulators, local communities, and the public at large) who can be powerful allies or strong adversaries to organizational efforts. Identifying them and anticipating their reactions are part of the process of determining risk and enabling management to establish suitable strategies for stakeholder engagement.
Risk management is a part of organizational governance, providing stakeholders with clear information about risks and opportunities. In fostering a better understanding and appreciation of risk (both positive and negative), risk management is able to raise the level of risk maturity and contribute to the greater success of the organization.
Risk management processes are not only required to provide management with insights into the riskiness of the organization’s internal environment, they are also very much part of that same environment, intrinsically linked to the ethical values, culture, structural arrangements, policies and procedures, and capabilities that operate in the organization. The real strength of an embedded, enterprise-wide approach is that risk management processes are working consistently along with routine activities to shine a spotlight on uncertainties that are always present and to help the organization understand them.
As an organization can only be understood in its environmental context, risk management can only truly enable an organization to understand itself by providing a view on current and emerging risks. There are key drivers in play that create an endlessly changing set of conditions.
By analyzing the underlying causes and likely trajectory of these changes, risk management processes are able to help the organization prepare its responses. It has been said that forewarned is forearmed.
By eliminating surprises, organizations are better able to resist, endure, and exploit the threats and opportunities that come along.

Tuesday, 1 March 2016

RISK GALAXY - MONTE CARLO RISK MODEL

The main problem banks face in practice when identifying risks is the tendency to identify far too many of them. Across the broad spectrum of risks, this situation is known as the risk galaxy. The Monte Carlo risk model is a shining star of the Milky Way, or risk galaxy.

The Monte Carlo method was invented by scientists working on the atomic bomb in the 1940s, who named it for the city in Monaco famed for its casinos and games of chance. Its core idea is to use random samples of parameters or inputs to explore the behavior of a complex system or process. They faced physics problems, such as models of neutron diffusion, that were too complex for an analytical solution, so they had to be evaluated numerically.
The Monte Carlo method is a surprisingly ineffective, and hence useless, method for determining risk and uncertainty in the risk management literature too.