Page 1

Chapter 15: Operational and Enterprise Risk Management

Outline:
General Risk Management
Operational Risk Management
Payment System Risk (PSR)
Enterprise Risk Management (ERM)
Disaster Recovery and Business Continuity
Insurance Risk Management

v3.0 © 2011 Association for Financial Professionals. All rights reserved. Session 11: Module 6, Chapter 15 - 1

Page 2

Discussion Question

What is the purpose of risk management?

Answer:
Helps managers identify future events that create uncertainty
Responds to negative possibilities by balancing the negative economic/regulatory effects of these possibilities with costs that can be incurred to mitigate or eliminate them
Provides direction to guide recovery actions when serious, negative events occur


Page 3

Risk Management Process

Step 1: Determining organization’s risk tolerance
Step 2: Identifying impact/level of exposures
Step 3: Measuring impact/level of exposures
Step 4: Developing/implementing appropriate risk management strategy
Step 5: Reporting/monitoring exposure to evaluate and measure strategy

Page 4

Risk Appetite Examples

Three different attitudes toward risk:

A new company in a rapidly evolving industry may be more aggressive in taking significant risks in order to gain a competitive advantage.

An established company in a mature industry may be more cautious about taking risks to protect an existing competitive advantage.

Government entities and not-for-profit organizations may be completely averse to risk.


Page 5

Risk Management Policy

The policy should:
Contain a concise statement of risk management goals
Identify the types of exposures to be managed
Delineate the mitigation techniques and products that may be used
Outline the process for determining specific strategies to be employed and exposures to be hedged
Summarize the process for monitoring performance
Outline contingency plans
Define authorities and responsibilities
Require periodic review


Page 6

Discussion Question

A qualitative assessment of risk exposure should do all of the following EXCEPT
a) find where hedges may be useful in operating procedures.
b) determine how business processes contribute to risk and find solutions.
c) assess the materiality or level of exposure (i.e., high, medium, low).
d) ensure that financial risk derivatives are structured, sized and accounted for properly.

Answer: c. This is a quantitative assessment.


Page 7

Developing and Implementing an Appropriate Risk Management Strategy

Avoid: Not entering a line of business; Choosing a particular process
Transfer: Insurance; Contractual transfer
Mitigate: Derivatives; Balance sheet hedges
Keep: Inherent risks, opt to selectively bear; Disaster recovery and contingency

Page 8

Risk Profile

A risk profile analysis needs to:

Identify risks.

Classify each risk into clearly defined categories.

Quantify the risks with respect to probability of occurrence and cash flow impact.


The risk profile refers to how the company’s overall value changes as the price of financial variables change.

Page 9

Operational Risk Management

Internal risks:
Employee
Process
Technology

External risks:
Financial institution
Counterparty
Legal and regulatory/compliance
Supplier
External theft/fraud
Physical and electronic security
Natural disaster
Terrorism


Page 10

Discussion Question

Which of the following employee risks is a more significant source of risk than the others?
a) Defalcation risk
b) Fidelity risk
c) Employee errors in data entry/reentry, including transposition or deletion of numbers

Answer: c


Page 11

Process Risk


Lack of controls/failure to follow procedures in any functional area

Accounting/financial reporting errors

Lack of timely bank account reconciliation

Manual process data entry errors

Products unsuitable for intended use (unsupported claims)

Inability to meet terms of contracts

Excess/insufficient capacity

Clearing/settlement errors

Page 12

Technology Risks

Risks associated with:
Choice of a particular technological platform or vendor—issues such as after-sale installation and support or that a vendor may go out of business

Potential failure of vendor-acquired hardware, software and/or communications devices

Capabilities, capacity, compatibility

Security breaches from either internal sources or external hackers

Computer-based spreadsheet use


Page 13

Legal and Regulatory Compliance Risks

Lawsuits or other legal actions
Compliance requirements with federal, state and local regulatory agency regulations (e.g., USA PATRIOT Act)

Foreign assets—expropriation, loss of foreign asset value and/or tax risks

Operational risk component to tax risk


Page 14

External Theft/Fraud Risk and Risk Response

Payment process (e.g., false invoices): A/P controls (positive pay, debit blocks/filters, authorization process, segregation of duties)
Check fraud: Replacing paper-based payments with electronic payments
ACH network fraud: Debit blocks/filters, daily ACH reconciliation, timely ACH returns
Breach or compromise of databases: Physical and electronic security
Malfeasance (e.g., embezzlement, falsifying accounting data): Corporate culture, ethical directives, strict code of conduct
Robbery or theft: Armored car services, automated safes


Page 15

Discussion Question

What sort of organizational culture do most risk management experts feel will help control operational risk?

Answer:
Culture that promotes individual responsibility and is supportive of educated risk taking
Questioning approach to decision making
Willingness of senior management to admit a lack of sufficient information where applicable
Written policies for ethics at every organizational level


Page 16

Fundamental Factors for Operational Risk Management Strategy

Organizational culture: Personal responsibility; Conflict resolution; Clear lines of reporting
Technology: Necessary to gather and analyze information; Monitor operational controls and procedures
Guidelines for board of directors: Travel restrictions; Conflicts of interest; Number of internal board members; Board behavior procedures

Page 17

Payment System Risk

Systemic risk—risk of collapse of an entire financial system or entire market, as opposed to risk associated with a single entity.

Settlement risk—the party funding a transaction defaults on its settlement obligation.
Wire transfer credit—accountholder daylight overdrafts.
ACH origination—ODFI has credit exposure from ACH file release until settlement.
Return item—return items exceed funds in account.

Fraud risk—altered transactions or false items may cause a loss for the disbursing party.


Page 18

Discussion Question

What are some of the requirements set forth by FIs to reduce ACH origination credit risk?

Answer: Requiring financial information, credit approval, limit monitoring and/or pre-funding for ACH originations.

Because the exposure related to ACH transactions may be as long as two days, large-value originations result in exposure that a bank may view as a short-term credit extension.


Page 19

Fraud Risk Related to Payments

Check fraud: Counterfeit checks; Forged checks; Altered checks; Kiting
Electronic debit risk
Payment card risk: Address verification service (AVS); Card verification value or code (CVV/CVC)

Merchants can avoid liability by obtaining authorization, an authentic signature or an electronic imprint of the card.


Page 20

Enterprise Risk Management (ERM)

Market risk (including financial risk)
Credit risk
Liquidity risk
Operational risk
Legal and regulatory risk
Business risk
Strategic risk
Reputation risk


Page 21

Discussion Question

Each of the following is generally considered to be a component of financial risk EXCEPT
a) equity price risk.
b) interest rate risk.
c) FX risk.
d) commodity price risk.

Answer: a. Another view of financial risk is its impact on the value of the firm or a portfolio of investment assets.


Page 22

Credit Risk

Impact of a change in credit quality of a company on the value of a security or portfolio: Default; Downgrading
Amount of value recovered after default: Recovery value or rate; Loss given default (%)
Lack of portfolio diversification: Industry; Type of security


Page 23

Disaster Recovery and Business Continuity

Contingency plans usually cover supply chain but not always cash and information flows.

Financial supply chain key parties:

Internal resources: Treasury staff, computer systems, policies, procedures, processes, office facilities

External financial counterparties: Financial institutions, market information providers, financial markets

Infrastructure: Computers, servers, telecommunications, utilities, vendor support services


Disaster recovery: Restoration of systems and communications after outage

Business continuity: Crisis management actions, alternative operating procedures, and communications to staff and customers

Page 24

Insurance Risk Management Process

Goals of insurance risk management:
Insure against catastrophic loss.
Decide when and what to insure.
Manage the purchase and use of insurance.
Obtain efficient pricing for insurance needs.

Insured losses may still result in lost profits.

Types of losses:
Property loss
Business interruption or net income loss
Surety or breach of contract loss
Liability loss including lawsuits from injured customers
Personnel loss
Workers’ compensation


Page 25

Basic Types of Business Insurance

Liability
Difference in conditions (DIC)
Excess or umbrella
Property
Casualty
Workers’ compensation
Business interruption
Directors’ and officers’
Fidelity and crime
Other types: Ocean/marine; Fiduciary


Page 26

Criteria for Selecting an Insurer

Long-term solvency of the insurer
Rating for the insurer: A.M. Best ratings (Best’s Financial Strength Ratings, Best’s Debt Ratings)
Service provided
Cost versus exposure


Page 27

Discussion Question

Match each insurance option with its description.
a) Way of setting what companies can use to obtain a significantly lower premium when compared to first-dollar coverage
b) Must consider catastrophic event exposure, other catastrophic exposure, cost vs. limits and cost vs. exposure
c) Way insurance payouts can determine eligibility

Options:
Per-occurrence basis
Aggregate basis
Liability limit
Claims-made basis
Basic occurrence basis

Page 28

Risk Financing Techniques: Risk Retention

Non-insurance
Self-insurance
Single parent captive
Group captive
Risk retention group
Claims management

Page 29

Risk Financing Techniques: Risk Transfer

Contractual transfer (hold harmless)
Guaranteed cost insurance program
Retrospectively (retro) rated insurance program

Contractual transfer: A contract between transferor and transferee, who agrees to pay for certain losses in exchange for a fee or business contract