enterprise risk management in financial institutions- revelations of the recent credit crisis and...
TRANSCRIPT
[Type text] [Type text] [Type text]
Enterprise Risk Management in Financial Institutions
Revelations of the Recent Credit Crisis and Financial Turmoil
“ A smart man always learns from his mistakes, A wise man learns from mistakes of others, A foolish man never learns “ K.Hayes
A n d r e a s Z a r i f i s
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
2 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Enterprise Risk Management
In Financial Institutions
Revelations of the Recent Credit Crisis and Financial Turmoil
Submitted By:
Andreas Zarifis
July 2008
Supervisor
Dr Sotiris Staikouras
This dissertation is submitted as part of the requirements for the award of MSc Insurance and Risk Management
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
3 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
MSc PROGRAMMES
MSc in:____________________________
08 Fall
CRITERIA COMMENTS (Supervisor only) Literature Review
Examination and analysis of information/data
Understanding and coverage of topic
Originality and difficulty
Overall structure of the work
Conclusions
Literacy, style and presentation
GENERAL COMMENTS (Second Internal Assessor)
GENERAL COMMENTS (External Examiner)
70% + 60-69% 50-59% 49% or less Signature Supervisor (name) 2nd Internal Supervisor (name) External Examiner
Student(s) Name(s):_________________________________Date:____ Title of Project: ______________________________________________________
FINAL AGREED MARK
Please enter percentage mark in appropriate Box
(Title of Degree)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
4 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Abstract
This study investigates the application of Enterprise Risk Management1 within
Financial Institutionswith focuson the recent credit crisisand financial turmoil.
Forthepastyears,bothacademicsandpractitionershavepraisedEnterprisewide
riskmanagementpoliciesandprocedures inFinancialInstitutionsexhibitinghow
Enterprise RiskManagement implemented as a strategic tool and as part of the
decisionmakingprocess,mayreapoutvariousbenefits.Itmayallowvaluecreation
over the longtermandmitigateunforeseenscenarios thatpreventacorporation
fromreachingitsobjectives.Evenso, implementationisparadoxical, fromalong
termprofithousecentre,toashorttermmarketingcompliancetool.
The recent financial turbulence tested the riskmanagement systems of FI2s and
exposed weaknesses of institutions risk management practices, bringing to
questiontheviabilityofERM.Incontrastseveralfirmsweatheredthestormquite
comfortablywithoutseveredeficiencies.Thedifferentiatingfactorisfoundtolieon
howERMwasappliedandexecutedacrosstheorganization,withspecificareasof
concernandlessonstobelearned.
An outperformance by firms successfully applyingERM throughout the period is
documented. These firms have overcome the recent turmoil without significant
losseswhileotherorganizationsfinancialperformancehasdeterioratedtovarious
levels, even bankruptcy. Furthermore it is found that in those firms that avoided
significant losses senior management played an active role and closely
communicatedwithriskdepartmentsatalltimes.Flexibleriskmodelswereutilized
incorporatingnewmarketconditionsanddecisionsinvolvingnewproductswhere
challenged by various views and perspectives. Lastly, based on results attained,
recommendationswillbemadeonwaystoprogressintermsofimplementingERM
insearchforafoolproofriskmanagementsysteminfinancialinstitutions.
1Inthecontextofthisreportissynonymousto“holisticriskmanagement”,“strategicriskmanagement”and“strategicriskmanagement”intermsofassessingriskandriskmanagementviaacomprehensiveviewandaspronouncedbythe(CAS)CasualtyActuarialSociety
2 InthecontextofthisreportwillrefertoFinancialInstitutions(Banks,Insurancecompanies,Assetmanagementfirms,hedgefunds)
M S c I n s u r a n c e a n d R i s k M a n a g e m e n t
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
5 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Acknowledgements
First and foremost, I would like to express my gratitude to my supervisor, Dr Sotiris
Staikouras. He has been a true mentor; providing me with invaluable guidance, help
and support throughout the course of this MSc. His professionalism and enthusiasm
have proven inspirational for researching and writing up this paper. Furthermore I’d
like to thank my course leader, Dr Christopher Parsons, his wisdom and manner of
conveying information have been encouraging throughout the year. I would also like to
thank my friends for their encouragement and patience. I am grateful to my father for
his support and understanding and as well as for the sacrifices he has made, giving me
the opportunity to do this MSc. Last but not least, I would like to dedicate this piece of
work to my mother who despite not physically being present throughout the majority of
my life has always been my key motivator in search for knowledge, self-fulfillment and
happiness.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
6 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
TableofContents
Contents .................................................................................................................................................6
ListofFigures .......................................................................................................................................7
ListofTables .........................................................................................................................................8
DataandMethodology......................................................................................................................9
Chapter1Introduction ............................................................................................................ .11
1.2PurposeoftheStudy........................................................................................................... 15
1.2MainFindings......................................................................................................................... 15
1.3Limitations .............................................................................................................................. 16
Chapter2RiskManagementinFinancialInstitutions ........................................... 18
2.3UpsurgeofRegulatoryScrutinyandCapitalRequirements .............................. 18
2.3RiskManagementinSilos ................................................................................................. 21
Chapter3LiteratureReview.................................................................................................. 23
3.1ERMDevelopmentandFoundations ........................................................................... 23
3.2DefiningandImplementingtheFramework............................................................ 24
3.3ERMinPracticeandIndustryObservations............................................................. 29
Chapter4FindingsfromtheCreditCrisis...................................................................... 33
4.1DriversandImplicationsfromtheFinancialTurmoil.......................................... 33
4.2CaseStudies ............................................................................................................................ 35
4.3FundamentalWeaknessesinERMImplementation ............................................. 37
4.3QuestioningtheViabilityofERM................................................................................... 49
Chapter4Conclusions ............................................................................................................... 41
References ........................................................................................................................................ 54
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
7 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
ListofFigures
Figure1:TheProspectTheory............................................................................................... 11
Figure2:MainCategoriesofRisksFacingFinancialInstitutions ........................... 12
Figure3:GoalofRiskManagementinaStrategicPerspective................................ 13
Figure4:TotalEligibleCapitalasProvidedbyBaselII............................................... 19
Figure5:EconomicCapitalforCreditRisk....................................................................... 20
Figure6:RiskManagementinSilos..................................................................................... 21
Figure7:COSOERMFramework .......................................................................................... 25
Figure8:TheRiskManagementProcess.......................................................................... 26
Figure9:ERMImpactsFourBoardFunctions ................................................................ 28
Figure10:PhasesofTheCrisis .............................................................................................. 33
Figure11:LawsuitsrelatedtotheCreditCrisissoFar ............................................... 42
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
8 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
ListofTables
Table1:Mostsignificantlossessofar................................................................................ 35
Table2:S&PDefiningERMinrespecttoCreditRatingRequirements................ 43
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
9 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
DataandMethodology
Theresearchreportwasprimarilybasedondeskresearch.Themajorityofthe
material was gathered from books, journals and the Internet. The topic in
research has been in discussion for more than a decade but is still at its
embryonic stages of development in practice. As such there are various
limitations in termsofcollectingadequateprimarydata.Despite this, the topic
has attracted abundant literature from academics and research by various
practitioners as (GARP) Global Association of Risk Professionals; (RMA) Risk
Management Association, (PRMIA) Professional Risks Managers Association,
(CAS) Casualty Actuarial Society, (ERMII) Enterprise Risk Management
International Institute, (IRM) Institute of Risk Management, all of which
investigate the benefits of ERM. At the same time regulators have been
promotingsuchframeworks insearchof investorprotectionandinassociation
with specialist practitioners have published various guidance’s relevant to
effective incorporation. (Basel II, 2003);(COSO, 2004); (Solvency II proposal,
2007);(CombinedCode,2003);(SarbanesOxleyAct,2002).
InconsiderationofthecurrentpracticesofERMasecondarytypeinvestigation
wasappliedanalysingtheimplementationofERMthroughouttherecentturmoil
and the weaknesses that have been discovered in Financial Institutions’ Risk
Managementprocesses.Theprimarybasisofthiswasderivedthroughsurveys,
reports and speeches published post‐onset of the turmoil from various
practitioners; as Deloitte, (PWC) PriceWaterhouseCoopers, KPMG, (AIRMIC)
AssociationofInsuranceandRiskManagers,ERMsymposium,(IOA)Instituteof
Actuaries, research companies within the field; Edhec, Navigant Consulting,
(CEPR)CentreofEconomicPolicyresearch,ChartisaswellasCentralBanksand
regulators;FederalReserve,BankofEngland,(IMF)InternationalMonetaryfund
and(SEC)theSeniorSupervisorsGroup.Theseprovidedinvaluableinformation
inrelationtotheresearchfindingsofthisreport.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
10 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
This report should be seen as an effort to tackle the loopholes that deprive
banks, insurersandother financial institutions fromadequatelyandeffectively
applyingERM.Thisisprovidedbythemarketplayersthatmanagedtoweather
thestormandwithoutsevereconsequencesduetoefficaciousimplementationof
the framework. Most Financial Institutions, especially banks have already
adopted such firm‐wide risk management but there is no empirical evidence
backingthesupremacyofsuchanapproachtothetraditionalriskmanagement
insilos.Regardlessof,theresearchstipulatesthosequalitativefactorsthatincite
Financial Institutions to adopt such an approach and riposte to why ERM is
superior to the traditional departmental riskmanagement approach. Based on
thesuccessfactorsimpliedbythefinancialturmoiltherewillbeintegrationwith
literature findings ensuing the way to adequate risk management systems in
financialinstitutions.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
11 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Chapter1:IntroductionPertinenttofinance,riskmanagementemergedin1959andreferredtoportfolio
theory (Markowitz, 1952), it was initially utilised in managing the insurance
portfoliosoforganisations.Theriskmanagementprocesscanbetracedbackto
1974 when Gustav Hamilton pioneered in illustrating the interaction and
integrationofallelementsoftheriskmanagementprocessin“riskmanagement
circle”. Five years on ‘prospect theory’ (Daniel Kahneman and Amos Tversky,
1979)demonstratedtheperverseirrationalityofhumannaturewhenfacedwith
risk,withfearoflosingoften‐outshininggainexpectations,asexhibitedin
Figure1.
Figure1TheProspectTheory
(Padulaetal,2005)
Riskmaybedividedinto2categories(Schroek,2002):
Specific:Thesearerisksspecifictothefirmortheindustryitoperatesandthat
maybediversifiedthroughabalancedportfolioofstocks.
Systemic:Suchrisksaffectthemarketfundamentally,cannotbediversifiedand
expressthedegreeofcovarianceofthedeviationswiththechangesinthebroad
market environment. This risk may be rewarded in the expected returns as
derivedbytheCAPM.3
3CapitalAssetPricingmodel
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
12 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Figure2illustratesthemaincategoriesofriskfacedbyFinancialInstitutions4.
AnactualexampleandmoreabsoluteproposalofaFinancialInstitution’sriskisillustratedinFigure3
4Thesecategoriescanbefurtherbrokendownintoalargenumberoffurtherriskcategories.SeeSaunders(2008).
5Externalfraud(e.g.3rdpartytheftofinformation),physicaldamage(e.g.earthquake,fire)6Itshouldbenotedthatthereisnoagreeduniversaldefinition.
Figure2MainCategoriesofRisksFacingFinancialInstitutions
OperationalRiskTheriskoflossarisingfrominadequateorunsuccessful internal controls, people andsystems or from external hazardous5events6(BIS,2004).
CreditRiskTheriskthatariseswhenacounterpartyofaloanreschedulesorfailstomakeapaymentoritscreditgradeismigraded(e.g.downgradingofcreditrating)leadingtoeconomiclossoftheFI.(Ong,1999)
MarketRiskTheriskarisingfromassetsandliabilitiesofanFIduetochangestomarketfactorsasinterestrates,currencyvaluesand/orcommodiyorequityprices(Saunders,2008)
BusinessRiskThe risk that arises (other than credit ormarket risk) driven by Fundamentalchanges within the FIs environment thatmay impact its future revenues(e.g. pricewars, threat of entry) (Lam andCameron,1999)
(ERisk.com,2004)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
13 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
As the Economic landscape evolved7 FI’s interest in risk management grew
considerably. Reacting to such increasing volatilities led to the introduction of
innovative products as forwards, swaps, options and futures. Furthermore as
financial institutions sought to incorporate riskmanagement into theirday‐to‐
dayactivitiesbankersadvocatedonnewmeasuresasValueatRisk,(J.PMorgan8
1994) this was mainly utilised to strengthen internal controls within their
lendingandtradingactivities.Atpresentdayfinancial institutionsconductrisk
managementextensivelyandconsider itasavitalcorporateobjectiveandcore
competence(Raposo,1999).Thisischaracteristicoffinancialinstitutionsasthey
continuouslyendeavourinenhancingtheefficiencyoftheirprocessesaswellas
thewealthoftheirstakeholders,therebydevelopingtechnologicalandfinancial
innovations. Peters goes further arguing that innovation is a prerequisite of
7A)Increasesinvolatilityfrominterestrates,exchangeratesandcommodityprices;B)Regulatorychangesandmodernrequirements;C)technologicaladvances:D)Globalisation.
8RiskMetrics.
Figure3GoalofRiskManagementinaStrategicPerspective
(TDBankFinancialReport,2004)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
14 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
survival9 in the financial sector (1997). New products develop and markets
integrate aiming to deliver corporate objectives bringing along a number of
complexitiesandriskspreviouslyunheardof.Oneofthefirstacademicstonote
thiswasUlrichBeck(1992),DirectorattheUniversityofMunichwhoargues,the
dynamic aspect of risk is linked to the increasing organisational and
technological complexity within modern societies. Furthermore, Shimko and
Humphreys (1998) point out that bankswith superior risk‐management skills
andsystemssurpasstheircompetitorsbecauseinthelongrunacompany’sstock
willoutperformaslossesareavoided.
Thisreportprovidesanovel literatureexaminingEnterpriseRiskManagement
Drivers and the stage the Financial Sector has reached in effectively
implementing such framework. Surveys convey industry participants’
confirmation of the dominance of ERM in their organizations; findings from
actual market practice are discovered in search for such confirmation,
emphasizinghowwelltheseframeworkswereestablishedandoperatedpreand
postfinancialcrisis.
9AxelLehmann,CROatZurichFinancialServices(2008)argues“Financialinnovationhasbeenakeyfactorineconomicgrowthoverthelast10to20years.Soifwewanttohavecontinuedeconomicgrowthonaworldwidebasis,thatabsolutelydependsoninnovationinthefinancialsector,includinginsurance.”
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
15 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
1.1 PurposeoftheStudyThisstudyhasabinarypurpose
1. To determine the main motivations behind ERM development and the
levelofunderstandingexhibitedbymarketparticipantscorrespondingto
the framework. Academia literature and industry reports prior to the
turmoilwereusedforthispurpose.
2. To investigate how financial institutions applied risk management
practices throughout the financial distress and how effective enterprise
risk management contributed to several organisations’ safeguarding in
lightofstressfulconditions.
1.2 FindingsEnterprise Risk Management implementation was the key factor affecting the
effectivenessofriskmanagementpracticesthroughouttheturmoil.Thisproved
to be the differential between Financial Institutions avoiding significant losses
throughout the subprime crisis and those that sustained considerable losses.
Specifically, those firms that championed ERM throughout the turmoil
successfullyimplementedanumberofcriticalsuccessfactors:
1. Seniormanagementimplementedvigorousoversightofrisk.
2. A wide array risks measures were used that were flexible in terms of
refiningunderlyingassumptions.
3. Data fed in stress testing and Value at Risk models were constantly
updatedandchallenged.
4. EffectiveCommunicationamongstseniormanagement,riskmanagement
functionsandbusinesslineswasemphasised,breakingdownhierarchical
structuresandsilos.
5. Due diligence and judgement pioneered when assessing valuations,
without excessive reliance on external rating agencies, constantly
developingmodelstovaluecomplexorlessliquidsecurities.
6. Robust controls on balance sheet growth, including incentives for
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
16 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
businesslinesadheringtolimitsandextensivemonitoringofoff‐balance
sheetentities.
1.3 LimitationsoftheStudy
1. Aprimaryresearchonthetopicwouldhavederivedmorecompleteand
explicitresults.Duetotheundevelopednatureofthetopicinpracticeand
the lack of appropriate transparency in risk management disclosures
secondaryresearchcouldprovideutmostunprejudicedresults.
2. Despitederiving results fromawidearrayof sourcesandorganisations
thesemaybebiasedtoadegree,reasonbeing,firmsanalysedwithinthis
report may have shareholdings in research companies that have
conducted surveys throughout the turmoil. Thus there may be a
distortion related to publicised findings. In an attempt to mitigate this
manipulation, regulatory and central bank reports have been used to
confirmfindings.
3. The Financial turmoil is still proceeding and affecting firms in various
ways,thusbytheendofthecrisisanumberofnewfindingsmaycometo
thesurfacewithoutbeingmentionedinthefollowingcontext.
4. Financial Institutions analysed within this study have a capital base of
$5bnattheminimum.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
17 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
This report should be seen as an effort to tackle the loopholes that deprive
banks, insurersandother financial institutions fromadequatelyandeffectively
applyingERM.Thisisprovidedbythemarketplayersthatmanagedtoweather
thestormandwithoutsevereconsequencesduetoefficaciousimplementationof
the framework. Most Financial Institutions, especially banks have already
adopted such firm‐wide risk management but there is no empirical evidence
backingthesupremacyofsuchanapproachtothetraditionalriskmanagement
insilos.Regardlessof,theresearchstipulatesthosequalitativefactorsthatincite
Financial Institutions to adopt such an approach and riposte to why ERM is
superior to the traditional departmental riskmanagement approach. Based on
the critical success factors implied by the financial turmoil there will be
integration with literature findings ensuing the way for the application of
adequateriskmanagementsystemsinfinancialinstitutions.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
18 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Chapter2:RiskManagementinFinancialInstitutions2.1UpsurgeinRegulatoryScrutinyandCapitalRequirements
Towards the late 1990’s, RiskManagement caught the attention of the Anglo‐
Saxon Corporate Governance policy makers who endeavoured in finding a
solution to the lack of basic management integrity/competence and weak
internal risk controls. This was brought by a number of internal control
inadequacies(B.Baringsbank,199210),accountingscandals(Enron,200211)and
irresponsible seniormanagement actions (Equitable Life Assurance Society12).
The rise of high company profile failures and scandals had led to corporate
governance and regulatory scrutinywidening its scope, to dealwith risks that
companiesface.Corporationsarenowrequiredtoincreasethetransparencyof
their disclosures and internal control systems which they have embedded to
retain, finance or transfer risk. This can be through a rule base system issued
through legislation as the US Sarbanes Oxley Act 2002 or a principal based
systemastheCombinedCode2003intheUK.
European institutions are directed to comply with guidance concerning their
capital requirements and valuations. Solvency II, a principle‐based guidance
aimed at improving risk management across a Single European Insurance
market. It directs insurers to identify and report risk correlations and
interdependenciesthatsuggesttheuseofEnterpriseRiskmanagementmodels. 10 Nick Leeson a 27-year-old futures trader at the Singapore offices of the bank who managed to los over $1billion of the bank’s money. He concealed his losses as a result of allowing him to get involved in settling his accounts that he exploited by creating an error trading account. He sustained this until he left the bank in 1995. This resulted in the bank’s bankruptcy and was subsequently sold to the ING group (Gapper et al, 1995). 11 Despite not related to financial institutions it is worth mentioning due to the impact it made on corporate governance regulations. The Enron scandal led to 5000 job losses and $1bn in employee in retirement fund losses. This was disguised in Special Purpose Vehicles as no reporting requiremenst are required that were used to book loans as trading revenues (Batson, 2008). They executive management not only fooled investors but also analysts who continued recommending it as a “strong buy” when it was making consecutive losses (Bloomberg, 2008) 12 The oldest mutual life insurer (246 years of age) promising its policyholders more money (in the form of guaranteed annuities) than it actually had for almost more than a decade, (this gap reach $4.4bn by 2001) due to faulty Asset and Liability Management and using dubious actuarial techniques to obscure this. Equitable distributed maximum payouts in the good years (characterized by low interest rates) and inadequately reserved for rainy days (BBC News, 2004). This resulted in more than a million’s retirement funds being slashed. Seven years on, investors are seeking $4.5 from ministers in the UK as the investigation discovered “Serious regulatory failure” when overseeing their operations. (Guardian, 2008).
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
19 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
FurthermoreBaselIIidentifiesthelong‐termuncertaintiesthatexistrespective
to financial institutions operations.Within this setting, theBasel accordswere
formulated to develop and the risk management functions of Financial
Institutions; “From a commercial bank wholesale perspective, from allocating
capital based on generic categories (Banks, Corporate, Sovereigns) to specific
borrowers or institutional debt (Citi Microfinance & Clifford Chance LLP April
2008).”It provides international directives regarding minimum capital
requirements that ought to be held against risks. The following three tiers
(Figure 4) provide eligible provisions on Regulatory capital, as defined by the
BaselAccord.
Figure4EligibleProvisionsofRegulatoryCapitalasProvidedbyBaselIITier1:(CoreCapital)includescapitalanddisclosedreserves(e.g.Qualifiedstock,surplus,retainedearnings)Tier2:(Supplementary–SecondaryCapital)includesundisclosedreserves,subordinateddebt,perpetualdebtandotherdebtandequityinstrumentsTier3:(TertiaryCapital)–IncludesawidearrayofdebtandequityproductsinplacetocoverpartofaFIsmarketrisksthathavenotbeenexternallyverified.13
(BIS,2004)
Furthermore Basel II recapitulates on the use of Economic Capital, this is the
amount of risk capital from a bank’s perspective that would be required to 13Investopedia.comprovideseasytoreadcomprehendibleguidelinesofthese.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
20 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
remainsolventatagivenconfidence leveland timehorizon.The framework is
incorporated by Value at Risk models, deriving measures for market (VaR),
credit(cVaR)andotherrisks.AnexampleofaVaRcalculationof(EC)Economic
capitalforcreditriskisdepictedinFigure5.
Figure5EconomicCapitalforCreditRiskThe illustration provides the organisation with expected and unexpected lossesproduced by a VaR calculation. The former encapsulates losses arising from dailyoperationswhilethe latter (tailpast3%inthiscase)representsstandarddeviationsfromtheexpectedlosses.Thisexampleillustratesaconfidenceintervalof99.95%.Thiscorresponds to a “AA” rating.Depending on the firms risk appetite and target creditrating,economiccapitalcanbecalculatedlikewise.
(Investopedia.com,2008)
Lastly Basel II defines operational risk14, integrates it with credit risk and
provides threemechanisms bywhich operational risk of increased complexity
may be computed. Thus credit rating agencies and lendersmay be adequately
informed. It aligns regulatory requirements on capital closer to risk but also
introduces amore sophisticatedapproach to riskmanagement.This aspires in
developingariskcultureamongstlenders,wherebythecorporationunderstands
andremainsfocusedonriskasacoreelementofthedesiredstrategy.
14 This definition includes legal risk, but excludes strategic and reputational risk. (BIS, 2004) and isportrayedinfigure2
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
21 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
2.3RiskManagementinSilos
Gainingwideacceptanceforthepastyearsandinfluencingthereformsproposed
by Basel II is management of risks via silos, a method emphasising the
quantification of risks,making use of the latest riskmeasurement advances in
the field (Garside et al, 1999). This method (Figure 6) sets limits across risk
typesandmonitorsandreportsdevelopmentsintherisksilos(Marrison,2002).
Figure6RiskManagementinSilos
TheCaseofanInsurer
(KPMG,2007)
There are weaknesses attached to this approach, for example performance
indicatorsforonebusinesslinemaybedrivenbypremiumgrowthwithoutthe
consideration on how thismay affect the overall risk and capital needs in the
longterm.Likewiseafirm’sdivisionmayunderwriteanamountofbusinessto
increase itsmarketsharewithoutevaluating,understandingorcommunicating
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
22 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
the risk to theoverall enterprise.A firmmayalter its riskprofile andappetite
without full consideration of the implications from various hazards (e.g.
policyholder behaviour, variations in location); Despite aiming to reduce the
overall risk profile it may actually result in increasing the risk for the
corporation,overall(KPMG,2007).AreferencetoanidiombyAlfredEinsteinis
appropriate15atthisstage:
"Noteverythingthatcountscanbemeasured.Noteverythingthatcanbemeasured
counts."
15Thissuitableissuitableforriskmanagementinsilosastheemphasisoftheapproachisonrenderingas
manypossibleriskssusceptibletoquantification(Mikes,2008)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
23 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Chapter3:LiteratureReview
3.1EnterpriseRiskManagementDevelopmentandFoundations
Risk managers are required to broaden their scope of responsibilities and
developcomplexprocessesinrelationtothepast.Duetothecomplexityofthe
task associated with the risk management process across the enterprise,
specialist expertise is required. Thus a new management role has recently
emerged,thatoftheChiefRiskOfficer.Thishasbeengrowinginuseandscopeof
responsibilitiesandisusuallyaseniorexecutivetakinganintegralcoordinating
role within the strategic planning process. Since the Chief Financial Officer is
responsible for the overall financial policy of an organisation, the CRO is
requiredtomaintaincloselinkswithhim.
Companies have started considering the importance of such roles and the
implementationofafirm‐wideriskmanagementapproachtotheriskstheyface.
Jointdecisionsarebemade concerninghedgingand insurance and finding the
rightbalancebetween‘retaining’andtransferringrisks,indicatingthedegreeof
correlation between risks. Corporations strive to satisfy key stakeholders in
reachingtheirobjectives,indicatinginterdependenciesandminimisingsystemic
effects.AservicesstudyconductedbyDeloitteonfirmsthatsustainedsignificant
dropinshareholdervaluefounddiscoveredthat80%ofcompaniesaffectedhad
experiencednumerous, interdependent riskevents (KPMG,2007)This implies,
that firms able to manage risk cohesively will result in superior an stable
performance.
Many dominant firms are abandoning their traditional risk silo approach
adopting firm‐wide enterprise risk approach (Lienenberg et al, 2003),
transformingtheirriskmanagementtoEnterpriseriskmanagementasitenables
firms to manage risks in an integrated fashion. Academics and practitioners
argue that ERM may benefit corporations via decreasing stock‐price and
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
24 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
earningsvolatility,increasingcapitalefficiency,reducingexternalcapitalcosts16
and creating synergies between the risk management activities (Lam 2001;
Beasly et al 2006). They argue that generally it increases risk awareness
enhancing both operational and strategic decision‐making. Despite the
increased awareness and amplitude of survey results regarding the popularity
and attributes of ERM frameworks (Hoyt et al, 2003; Beasley et al, 2005)
empirical evidence exhibiting the impact of such program is unavailable
(Schroeck,2002)orscarce(Hoyt,2008).
3.2DefiningandImplementingtheFramework
InSeptember2004theCOSOreleaseditssecondandlongawaitedupdatedERM‐
integrated framework. This model describes key components and risk
management principles for organisations of any size. Compared to the
fragmentedsilostructuredriskassessment,EnterpriseRiskManagementtakesa
broadportfolioapproachtoriskandfocusesonthoseeffectsthatnotonlyhedge
or mitigate risk but also enhances shareholder value (Moelbroek, 2002). The
new framework is complex and the definition17 is not easy to grasp as it was
developedasanall‐inclusivedefinitiontobeusedbyanycompany,profitornon‐
profit,privateorpublicventures.Thisundoubtedlycreatesworkforconsultants,
without guidance it would be hard to implement the model and realise the
benefits due to the complexity in understanding the various components and
their interrelationships. It has to be comprehended that integrating ERMwith
the overall strategy is not a quick and sudden fix but a dynamic process
(Dickinson,2001).Comparedtothepreviousinternalcontrolmodel(1992)the
recentmodelconsistsofonenewobjective;thestrategysetting,whichgrasping
isvitallyimportant.(Bowlingetal,2005)
16 In2006Standard&PoorsupgradedMunichRe from“A‐“ to “AA‐”partlydue to robustERMpractices(Hoyt,2008)
17“Enterpriseriskmanagementisaprocess,effectedbyanentity’sboardofdirectors,managementandotherpersonnel, applied in strategy setting and across the enterprise, designed to identify potential events thatmay affect the entity, and manage risk to be within its risk appetite, to provide reasonable assuranceregardingtheachievementofentityobjectives.”(COSO,2004,p2)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
25 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
ERMrequires firstabroadrecognitionof thestakeholderswithintheobjective
setting, allowing interestedparties to consider and act daily on themission of
contributingtotheachievementofgoals.Theeighthorizontallayersidentifythe
chronological approach required to achieve eachof the four objectives.This is
founded on the latest risk management process produced by a myriad of
international standards. Startingwith the top layer the company firstneeds to
understand its appetite for risk as part of its internal environment before
beginningitsRiskManagementprocessandthethreebottomlayersexhibitthe
internalcontrols,needberequiredtomanageandmonitorrisksdaily. The3rd
dimensional aspect of the framework exhibits the different levels of the
organisation,startingfromlefttoright,fromenterpriselevelnarrowingdownto
endatthesubsidiarylevel.18ThisisillustratedinFigure7.
Figure7COSOERMFrameworkAnIntegratedApproachAcrosstheStrategicSetting
(COSO,2004)
As previously mentioned, ERM requires a disciplined top‐down process (as
provided by Figure 8); robust parameters for policies and internal control are
18ThisdependsontheFIssizeandstructure.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
26 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
necessitatedatexecutivelevels(Walkeretal,2002).OnceBusinessunitsarefed
the information and implement the strategy, managers closest to risks are
required to feed back information centrally so as to formulate, amend and
monitortheoverallriskpolicy(Dickinson,2001).Businessunitdelegatesmust
haveacertaindegreeofresponsibilitytocombatbusinessline’exposuresbefore
thesebecomesevere.
Figure8TheRiskManagementProcess
ACorporateFrameworkRequiredforEffectiveImplementation
(Chapman,2006)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
27 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Since corporate governance codes make top executives liable, audit functions
have to be made independently from executive functions; (Combined Code
2003)(SarbanesOxleyAct2002)theboardofdirectorssetsapersonresponsible
for the audit committee clearly defining the risk audit function including an
overview of their top management. Subsequently the board of directors is
responsiblefortheERMofthecompanyaccountabletoshareholdersandother
stakeholders. TheChiefRiskOfficer ideally, shouldprovide a linkbetween the
executive committee and operations of the corporation in addition to liaising
with the non‐executive committee, subsequently providing an independent
assessmentandguidancetoshareholders(Lam,2003).
Enterprise Risk Management ought to be embedded within the corporate
strategy of an organisation as the activities used to reach objectives largely
dependon the resourcesandorganisational structure it chooses touse,within
theuncertainenvironmentoftheoperation(Vijentra,2006).
Itcanonlybemeasuredasthedifferencebetweentheinitialsettingofobjectives
and theactualoutcomesof these,both in termsof variance from theexpected
distributionaswellasthedownsidefailureofmeetingtheseentirely(Walkeret
al,2007).Forquotedcompanies,themorealignedarecorporateobjectiveswith
shareholder values the more transparent to enterprise risk will be the stock
market price assessments (Schroeck, 2002). Figure 9 exhibits the effect a
comprehensiveERMframeworkmayhaveontheboardofdirectors.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
28 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Figure9ERMImpactsFourBoardFunctions
TheseimpingeonShareholderValue
(Garratt,2003)
Insurance,hedgingandotherfinancialriskdecisionsdemandcoordinationwith
the corporate treasury and capital structure. Both risk retention decisions on
insurance and hedging and their aversion to risk (choice of deductibles and
strikeprices)oughttobedeterminedjointlyasbeingundertheEnterpriseRisk
managementumbrellaastheywillbeprobablynotbeindependent.(Dickinson,
2001)
Throughoutaperiodwherehedginginstrumentsareexpensiveandinsuranceis
goingthrougha“Hard”market19astrategicplanoughttohaveeffectiveinternal
controls in place andminimise operational risks. Thiswillminimise excessive
insurance costs from economically unfair rates. Through an Enterprise risk
management approachwhereby all risks of a strategicportfolio are taken into
19Thisisduetothetheoreticalphenomenonknowsastheunderwritingcyclewherebyinsurancemarketsswingbetweenhardandsoftmarkets.Throughoutahardmarketinsurerstrytocoverforanypreviouslossesincreasingratesandreducingsupply.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
29 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
account one can more easily monitor and alternate the risk appetite of the
organisationandcounteractsystemiceffects.
3.3ERMinPracticeandIndustryObservations
AsurveyconductedbytheConferenceBoardandMercerOliverWymanin2004
surveyed271executives.Aproportionof91%ofthosequeriedhaveunderstood
theimportanceofacceptingERMorareactuallyimplementingitinpractice.The
survey also derived that 93% of those responsible for assessing risk in their
organisationwhereriskorfinancialmanagers.Respondingtothemaindriverof
ERM66%saidduetocorporatecompliancewhilstoptimistically60%rankedas
importanttheunderstandingofoperationalandstrategicrisks.Cynicallythough
only 11% have formally adopted tan actual framework. This stems from the
complexity of the model and the compliance priorities of organisations on
review.(MITSloanReview,2006)
Anotherdiscoverywasthatonlya fifthofthosesurveyedtakeinventoryofthe
criticalrisksfacedbytheirorganisation;fromthisminorsegmentmorethanhalf
respondents found ERM helped make better informed decisions as well as
improved communication between the executives and the board of directors.
Furthermore organisations that had a fully integrated approach on ERM
reported that it produced better management consensus, assessment and
understanding of key risks 83%, compared to the 36% for all other
organisations. The companies that fully integrate the framework also reported
increasedtransparencyandmanagementaccountability. Itcanbederivedthat
thosewithadvanced integratedapproacheswhoviewedriskmanagementasa
central discipline derived the full extent of advantages, in contrast to the rest
thatimplementacompliance‐drivenmodel.Thisisreaffirmedbyanothersurvey
conducted by Deloitte in association with AESRM in 2007 exhibiting how the
majorityof financial institutionscontinue tomanageriskat the traditional silo
level, thus concealing potential interdependencies of risks and financial
indicators and with the potential exposure of financial institutions to acute
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
30 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
losses. In addition, such isolation may exacerbate dangers attached to new
business lines, thus stifling competition and forgoing growth opportunities
(Kopp.G,2007).Thisexposesfinancialinstitutionstospeculativethreatsinthe
futureduetothechangingeconomiclandscapeandevolutionof4factors:
“EraofRegulation”:The increasingsophisticationofregulatoryrequirements;
from Sarbanes Oxley act and Combined Turnbull Guidance, both increasing
responsibilitiesandtheintegrityofdutiesoftheboard;toBaselandSolvency;all
nowrequireorganizationstocaptureinformationonabroadrangeofrisksthat
may affect theirmarket or operations. As this sophistication increases, so too
must senior management’s and the board’s understanding and related
responsiveness.
Complexity:Duetotheincreasingnatureofnewproductsandcomplexitiesthat
arisefrombusinessmodelsandinterrelationshipsbetweenorganizations,there
needstobeamoreholisticapproachtomanagingrisk.
Connectedness:Theincreasinginterdependencybetweenoperations,risksand
controlshasbecomeevident.Thetraditionalsiloapproachcannotcapturethisas
it leaves too many gaps and does not provide an overall evaluation of an
organization’sriskposition.SomeERMadvocatesrefertoitascommonsenseas
riskbytheirinherentnaturearedynamic(LamthepioneeroftheCROfunction,
2003).Onceasystematicprocessreachesacrossthefunctionsanddepartments
and promotes the sharing of risk and control knowledge, only then can the
correlationsand interconnectednessamongst riskbe trulycaptured.Theseare
thefundamentalsofERM.
MarketForces:Riskmanagementhasbeenenforcedtoseniormanagementand
boardlevelduetovariouscorporatescandals(e.g.Enron,WorldCom)thatforced
boardmembers todigdeep into theirpocketsand settle shareholder lawsuits.
Subsequently Directors have rushed to educate themselves in terms of
understandingarangeofrisks.Atthesametimeexecutivesarepaidexorbitant
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
31 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
bonuses,evenwhenfailingtoincreaseshareholdervalue20.
ErnstandYoungconductedasurveytargetingLifeinsurancecompanies(2008).
In contrast to itsprevious survey (2003)68%respondents statedhavingERM
policiesinplace,23%areintheprocessofdevelopmentand9%areplanningto
developone.ThesurveyexhibitsthatERMisworkstillinprogressandhavenot
yet been fully integrated in companies’ systems andpolicies. Most companies
have formally developed ERMmission statements, principles, procedures and
ownershipstructuresbuthaveyet toaddressthedynamiccharacteristicof the
processasriskaggregation,tolerancesandlimitsandhowtoidentifyemerging
risks.AfindingrelatedtoCROs,isthatdespitehavingaseatatthemanagement
table, 81% stated influencing; product design, pricing and investment strategy
relateddecisionbuthavenoinfluenceonstrategicplanningandfeelsomewhat
that their contribution is rather implicit rather than a consequence of some
formal explicit oversight. Moreover, regardless of the increasing awareness at
board level of risk management other business priorities21 may draw their
attention.
It isyet toberealizedhowimportantriskmanagement isnot inbuilding long‐
term value creation nor have companies clearly understood the depth of
operational and cultural change required to implement the framework
effectively.Significantgapsremainpresent,andcertainareashaveyettomature
in order to promote a disciplined and rigorous approach. Work is needed to
integratefirmsERMpracticestoinfluencestrategicdecision‐making.Thereisa
variabilityoftasksaddressedtoCROsbutthereisalongwaytogobeforetheir
formal risk oversight, aggregation and risk taking evolve and strengthen to a
required degree. Risk measurement should be invested in heavily, so that
sophisticationincreasesincorporatingallcriticaldataneededforriskreporting
anddecision‐making.TheincreasingengagementbytheC‐level22hasbeenfound
20ThreeformerexecutivesofUBSwhoundertheirmanagementledthebankto$38bnlosseslastyear,shareda$87milbonusfromSwitzerland'sbiggestbank(timelesonline.com,2008)
21Asincreasingmarketshareorseekingshort‐termprofit.22C‐levelpostulatesaChiefposition(CEO,CFOandnowCRO)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
32 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
tobeencouraging,however,risk leadershipeducationespeciallyatboard level
requiresaugmentationtoassertthesustainableevolvementofriskmanagement
within decision‐making (IBM‐CFO survey, 2008). CROs and other Risk
managementexecutiveswillhavetoimprovethequalityoftheircommunication
with executive andboard leadership.Critical formoving risk leadership to the
nextlevelrequiresstrongerfunctionallinksandbettercommunicationbetween
allriskstakeholderswithinorganizations.Noccoconfirmsthisbyarguing“While
ERM maybe straight forward conceptually, its implementation in practice is
not”(2006). The industry has experienced years of consolidation and
reorganization of departments, incorporating risk silo management. Common
creditortradinggroupsdoexistbutveryfewbanksorFIsactuallyreorganizeto
takefulladvantageofanERMculture(IBM‐CFOsurvey,2008).
Restructuring in financial institutions may be required due to a merger or
acquisition, this involves integrating processes, methodologies and
Infrastructure, these need to be realigned (Atkins et al, 2008) as “legacy
systems23” may be developed. The most daunting task is to consolidate IT
systems,astheymustincorporatesystemsfromvariousdepartmentsandlevels
andatthesametimemaintainaregulatoryreportingstandard.ITisasignificant
amount of investment in financial institutions; the problem arises when such
systemsmeet both external and internal requirements, as these remain static.
However, the market environment is constantly changing with an upsurge of
bothcreditratingagencyandregulatoryrequirements.Firmscannotexpectthat
historicalsuccesswillspeculativelyprevailbutmustdynamicallyimprovetheir
systemsenhancingtheircompetitiveadvantage(s).
Thisleadstotheconclusionthatorganizationsneedtobecomemoreefficientas
the more accurate the risk measures are employed; the more effectively the
financial institution may compete in cutthroat competitive environment.
23Computersystemsoperatingforalongtimeandduetothevitalityofthefunctiontheyservecannotbeeasilyupdatedorintegratedwithnewsystemsofadvancedtechnology.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
33 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Chapter4:FindingsFromtheCreditCrisis
4.1DriversandImplicationsoftheFinancialTurmoil
Recent market events indicate a number of risk management lessons for
financial institutions. Before the recent turmoil the banking system was
characterisedbystrongbalancesheets,rapidgrowth, innovationandrelatively
fewbankfailures.Suchstatuswithinthemarketbredasenseofoverconfidence
among bankers and investors leading to underestimation of risks and lack of
understanding that such statemaypotentially come toanend.This greedwas
fed into the housing market that was exhibiting an upward trend and led to
blindness in consideringwhatmay result froma disruption to such trend and
housing prices falling (Kohn, 2008). The timeline of events is depicted in the
followingparagraphandsummarisedinthefollowingpage.
Figure10PhasesoftheCrisisAnatomyoftheStorm
(Saunders,2008)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
34 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Financial institutions made hefty losses due to concentrated exposure to
securitisation of U.S mortgage related credit. Despite having an inadequate
understandingofCDOs24andrelative instruments’ inherentrisks theyretained
large exposures on them. This resulted in major losses on such holdings and
substantially affected both their earnings and capital positions. Furthermore
failingtounderstandbalancesheetgrowthandliquidityneedsledtoinaccurate
pricing of the risk inherent to possible funding of pricing off‐balance sheet
entities internally when market factors prevented external subsidising.
Leveragedloanswherehardtosyndicateasriskaversionincreasedandappetite
for assets diminished. This impact was trivial regarding capital ratios, but
regarding firms’balancesheets, theseexposures led tosignificantwrite‐downs
andwrite‐offs.Inabilitytoaggregateanorganization’soverallriskpositionwas
themainreasonacreditfailureinarelativelyminorsectionoftheUSrealestate
market to enable a spill over into a global liquidity risk for financialmarkets.
Furthermore increased overreliance onmodel assumptions and the sustaining
silo structure resulted in lackof transparencybetween functions resulting ina
breakdown of confidence, as firm‐wide exposure was unknown. Such state
brought into question the advocacy of Enterprise Risk Management as
imperativeforassessingriskmanagementinfinancialinstitutions.
CertaincompaniesdischargedtheirCROs includingAmbac,WashingtonMutual
IncandCitigroup.InotherfirmsCROsquitinrepulsion,astheywerenevergiven
the opportunity to ever apply an enterprise riskmanagement system orwere
ignoredbytraderswhosettheirownfiefdoms.Otherswereblamedforerrors
beyond their controlandwere treatedasscapegoats. “When theonionpeeled
back, itdisclosed thatonepartof thebankwasn’t talking to theother—itwas
almost thatsimple,” (MatAllen,enterpriseriskservicespractice leader,Marsh,
2008). Table 1 provides the most significant losses incurred by Financial
Institutions,insofar.
24CollateralDebtObligations:Differenttypesofdebt(bonds,loans,otherassets)referred“tranches”that
aresyndicatedinapooltogetherandtradedasaninvestmentgradesecurity.Dependingontheriskandmaturityassociatedwiththedebtthepayoutisadjusted.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
35 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
James Lam, the father of the position of CRO (GE Capital and Fidelity
Investments)arguesthat ifERMfaileditwasduefirmswerenot incorporating
therightdatatoallowforeffectivedecision‐making,thiscreatedastateofrisk
ignorance. (e.g. some firms relied heavily on credit models that utilized only
sevenyearsofcreditinformation,thiswouldhaverevealedsteadyhouserates
andmilddefaultrates,obviously,suchmodelsunderestimatedexposures).
4.2CaseStudies
BusinessModelFailures
Northern Rock prompted the first run on a UK bank for the first time in 140
years. Despite not being technically insolvent with asset values exceeding
liabilitiesitstruckaliquiditydrought.Duetoitsbusinessmodelitwasrelianton
Table1MostNotableLossessofarFinancialInstitution LossValue
Citigroup $40.7bnUBS $38bnMerrillLynch $31.7bnHSBC $15.6bnBankofAmerica $14.9bnMorganStanley $12.6bnRoyalBankofScotland $12bnJPMorganChase $9.7bnWashingtonMutual $8.3bnDeutscheBank $7.5bnWachovia $7.3bnCreditAgricole $6.6bnCreditSuisse $6.3bnMizuhoFinancial $5.5bnBearStearns $3.2bnBarclays $3.2bn(Bloomberg,2008)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
36 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
the money markets in fund its mortgage liabilities more than any other
commercial bank.When investors lost their appetite in investing inmortgage
related assets the bank could no longer meet its pending obligations. In
September 2007 the Bank of England injected £25 bill in loans and £30bill in
guaranteesresultinginNationalizationofthedistressedbank25.
BearSternswasaninvestmentbankthatflourishedbetween2001‐2007,anera
characterizedbylowinterestratesandaboominghousingmarket.Itsbusiness
model was highly reliant on fixed income securities. Its troubles came when
demandforsubprimerelatedsecuritiesfadedandcontemplatingonreputational
risk it financed (SIVs) structured investment vehicles from its balance sheets
leadingtoexcessiveliabilitygrowth. Withinthreedays13‐15Marchitscapital
cushionof$17bilevaporated,thisledJPMorganwiththebackingoftheFederal
Reservetomakeanofferof$2persharethatwaslaterfinalizedat$10.Thisis
inconceivablelookingbackayearagowhenBearSterns’sharestradedashighas
$171.51(Bilbull,2008).
Otherexamplescanbefoundinmonoline26insurersasAMBAC,MBIAhadtoseek
additionallyfundingwhentheassetstheyguaranteedweredowngradedsoasto
avoidtheirowndowngradingandcontinueattractingbusiness.
These failures exhibit the degree of vulnerability internal models exhibit in
estimating the risk inherent in organizations’ activities throughout the crisis.
Thebenignmarketconditionsofanumberofyearsprior to the turmoilwhere
usedtocalibratethesemodels, thiswasflawedasthevolatilitythatonewould
find going back 5 years ago would not reflect the extremity of events in the
secondhalfof2007.
25AlotofquestionsarebeingaskedabouttheNorthernRockdownfallaswhythedeteriorationofitsportfoliowasnotactedupontimeandwhydidtheycontinuetradingcomplexfinancialproductsknowingtheriskanduncertaintyconcerningloanswasrising?AninvestigationonthesubjectbytaxexpertRichardMurphydiscoveredthatNRweredisguising$50milusinganoffshoretrust“Granite”andacharityinEngland(CreditMagazine,2008).
26Inthispretextamonolineinsurerisdefinedasaguarantorthatassignsitscreditratingtoloansandoffersassuranceovercounterpartydefaultpayments.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
37 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
OperationalDeficiencyFailures
LehmanBrothersLondonoperationssuffered losses fromunauthorizedactivity
worth$150milliononmiss‐valuedexoticoptionderivatives.Another financial
titan Credit Suisse suffered $2.85billion write‐downs in February (adjusted
March20th to$2.65bil)due to the failureof its traders toupdatevaluationsof
portfoliosofsubprimelinkedstructuredcreditproductswhilstthesehadfallen.
(CampbellA,April2008,page8).
LateJanuary2008,amediafrenzywascreatedwhenE.SocieteGeneralealleged
thatoneofitsParis‐basedjuniortraders,JeromeKervielaccumulatedmorethan
$7bninlossesfromtheplacementofdirectionalbetsonfuturestransactionsand
covered his tracks by creating forged hedges from the opposite direction. (FT,
2008).Asaresultoftheseallegations,SocieteGeneralerespondedwitha$5.5bn
offer to increase its capital base.(NYT, 2008). Following the investigation,
France’s banking regulator fined “SG” a record €4m for breaching banking
regulations,itwasfoundthatfraudsignalswerepresentbutignoredandthatthe
bankfailedtoinvestadequatelyinitscontrolsystems.(FT,2008)
4.3FundamentalWeaknessesinERMImplementation
During the AIRMIC conference in July (2008) Marsh revealed the results of
research it had undertaken discovering that risk management has not yet
reachedthestageof full integrationwiththedecisionmakingprocessatboard
level.Oneofthemainfindingswasthatonly30%ofRiskmanagersqueriedfelt
somewhat confident that risk management was taken into account in the
strategic decision making process, more worryingly 22% felt that it never or
seldomhappenedwhatsoever.Whenaskedhowtheymeasurethevaluecreated
by riskmanagement 35% stated itwas the impact on ‘cost of risk’while 25%
quantified it in terms of the reduction of incidents or losses. Furthermore5%
citeditasthereductionsininsurancepremiumwhile14%answeredtheydidn’t
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
38 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
measure value. In response to the biggest risk management challenge facing
theirorganizationthemajorityrepliedthatquantificationofriskandmeasuring
value were their biggest concern, 37% found incorporating risk management
into their organizationwas a challenge. Concerning the findings of the survey
Eddie McLaughlin (leader of Marsh Risk Supervisory Group) noted his
understanding that riskmanagement is recognised to contribute to long‐term
successandcompetitiveadvantagebuthasnotyetbeenfullyrecognisedinthe
boardroom. He argues “The challenge remains proving the shareholder value
addedthrougheffectiveriskmanagement.Progresshasbeenmadebylinkingrisk
managementqualitytocapitalallocation,andovertimetoa firm’screditrating,
butasanindustrywearenotthereyet.”
FollowingthemagnitudeoflossesintheindustryEdhecsoughttoinvestigatethe
modelsusedtosupportriskmanagementdecision‐making.Theyaddressed229
financial Institutions based in Europe holdingmore than€10 trillion of assets
undertheirmanagement.ThisisquiterepresentativeofthePan‐Europeanasset
management industry.Oneof themain findingsof the researchwas that firms
are often familiar with research findings but rarely actually implements such
techniques. In consideration to previous years Edhec found usage of VaR and
cVaR(conditionalVaR)hadspreadthroughouttheindustry,methodologiesthat
werepreviouslyusedmainlybyinvestmentbanks.
Such progress has its limits as despite making use of the models; 42%
worryingly assumed normality in their returns and only 10% were
implementingExtremeValuetheorytools(Goltz,2008).Anevenmoreworrying
observationwasthatdespite50%useVaRtoassessriskonly33%makeuseof
themeasuretoestimaterisk–adjustedperformance.Furthermoreitwasfound
that42%ofinstitutionalinvestorsdon’texplicitlyincorporateliabilityriskwhen
developingassetallocationstrategies.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
39 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
In addition there has been plentiful noise in terms of alpha27, but only a few
actuallymeasureitcorrectly.DespitethelimitationsofassessingAlpha(Myner,
2001) via peer performance analysis; 62%‐ of those queried make use of it,
whilstonly23%actuallymakeuseofmulti‐factormethods;ofwhichadvantages
havebeenproclaimedwithinfinancialresearch(Martellinietal,2005).
ItseemsthatcertainFinancialInstitutionshavefailedtoridethetideofresearch
for the past 2 decades andmakeuse of riskmanagement as amarketing tool.
Edhecfindsthisconcerning;asknowledgeisnottransferredtotheindustryand
testedwithin realistic environments but usedmerely as an aid to the systems
alreadyinplace.
4.4QuestioningtheViabilityofERM
For the past years, both academics and practitioners have praised Enterprise‐
wide risk management policies and procedures in Financial Institutions. ERM
hasbeentouted,as thestandardizedFIriskmanagementapproachandnowis
being re‐evaluated subsequently after the subprime market meltdown. A
disciplinedframeworkguidingcompaniestoapplytheriskmanagementprocess
across the organization including any interplay that may exist between these
acrossbusinessunits.
FinancialInstitutionsfirstembracedERMwithinsuranceandenergycompanies
following. This gave rise to the Chief Risk Officer a senior level position to
manage and supervise the effort. (T&R, 2008). Then the credit crisis and
financial turmoil impacted company after company, especially Financial
Institutions,longthoughttobetheparadigmsinERMpractices–hitabrickwall.
27Ameasureofperformanceonariskadjustedbasis,Alphatakesthevolatility(pricerisk)ofamutualfundandcomparesitsriskadjustedperformancetoabenchmarkindex.Theexcessreturnofthefundrelativetothereturnofthebenchmarkindexisafund'salpha.Alphaisoneoffivetechnicalriskratios;theothersarebeta,standarddeviation,Rsquared,andtheSharperatio.Theseareallstatisticalmeasurementsusedinmodernportfoliotheory(MPT).Alloftheseindicatorsareintendedtohelpinvestorsdeterminetheriskrewardprofileofamutualfund.Simplystated,alphaisoftenconsideredtorepresentthevaluethataportfoliomanageraddstoorsubtractsfromafund'sreturn.Apositivealphaof1.0meansthefundhasoutperformeditsbenchmarkindexby1%.Correspondingly,asimilarnegativealphawouldindicateanunderperformanceof1%(Investopedia,2008)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
40 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Such exposures were what ERM was designed to ferret out. As would be
expected,therealityismuchmorecomplicated.
To begin with not all companies experienced large losses as they did in fact
manage their risks appropriately. Empirical evidence finds that certain
companiesapplyingERMdidquitewellrelativetotheircompetitorsandothers
didn’t se the signals coming and grabbed the headlines within the past year
(TreasuryandRisk,ERMsurvey2008).
“JPMorganinthebankingindustryandGoldmanSachsinthesecuritiesindustry—
both well known for their ERM capabilities—actually did quite well relative to
theircompetitors,”“Otherfirms,ofcourse,didn’tseethesignals.”Thosefirmsare
the headline grabbers of the day—Bear Stearns, Countrywide Financial, Ambac,
MBIA,UBSandSwissRe,amongothers.(Lam,presidentofJamesLam&Associates,
2008).
ProblemshavebeenfoundtolieonhowERMisappliedandexecutedeffectively
across the organization. Moreover specific areas of concern and weaknesses
havebeen found in how riskmanagement is applied (Treasury andRisk, ERM
survey2008).
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
41 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Chapter5:Conclusions
Organisations now are updating and focusing on their risk profiles. Global
regulators request improved corporate governance models and the usage of
internalcontrolframeworks,policiesandprocedures.Simultaneously,investors
arelosingconfidenceandbecomingmoreprudent
NavigantConsulting(2008)recordedastaggeringincreaseinlawsuitactivityin
relationtosubprimeandcreditissues,with170casesfiledinthefirstquarterof
2008 compared with a total of 278 cases filed in 2007. 448 cases have been
found to relate to the credit crisis over a period of 15months up to the first
quarterof2008.Thislevelindicatesthatsoonthe559savingsandloancasesof
theearly1990’swillbesurpassed.Ofthese,42%wherenamedaFortuneGlobal
500companyasthedefendantandfromthe10%thatwerenon‐UScompanies,
half originated from theUK.As Figure11 exhibits and as reportedby aNERA
consulting report 49% of plaintiffs where shareholders, this implies that
shareholders are becoming more active, reinforced with regulatory measures
that have been developed in concern of adequate safeguarding of their
investments.
This finding is reaffirmedby a survey conductedbyRiskMetrics inApril 2008
and in response to shareholder lawsuits 38% indicated lack of effective risk
managementastheprimaryreasonfortherise inactivismandaskeycauseof
thesubprimemeltdown.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
42 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
FurthermoreCreditratingagenciesfocusonRiskManagementmorethanever.
For example Standard and Poor’s latest report explains the development and
that it will recognize the adoption of firms of accepted risk management
standardsbutthiswillnotbeconsideredbesufficientevidenceofeffectiverisk
management.TherecentturmoilhasFinancialInstitutionsrethinkingtheirrisk‐
management functions; this translates into updates and revived insights for
rating agencies risk analysis. Such updates will revolve around probabilities,
severities and various losses thatmay arise; the fundamental structure of the
ratingwillstayintact.Furthermorerecenteventshavehighlightedtheincreased
importance on focusing on riskmanagement as part of the rating process, not
just as an internal framework but how this is applied throughout the
organizationandasdefinedbytable2.
28DefendantsincludedamongstothersCreditSuisse,HSBC,LehmanBrothers,MerrillLynch,Citigroup,WashingtonMutual,BearStearns,UBS,MorganStanley,andBankofAmerica.
Figure11LawsuitsrelatedtotheSub‐primeCrisis(throughto21/04/08)
Defendants28 Plaintiffs
(NeraConsulting,2008)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
43 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
In today’s environment Financial Institutions face investor confidence issues,
increased regulatory requirements and rating agency oversight. To effectively
meet such challenges organizations are restructuring their PMI processes
(polices,methodologies,infrastructure).ConsideringCrouhy’s‘essentialsofrisk
management’ these are the three building blocks required to develop an
enterpriseriskmanagementenvironment(Crouhy,etal,2005).
Withinthelastdecadeacademicsandpractitionershavepublishedanumberof
differentmethodsofmeasuringrisk,sometailoredforspecificriskfactorsothers
Table2S&PDefinitionofERMinrespecttoCreditRatingRequirements
ERM ERMisnot…
Anapproachassuringthefirmsisattendingallrisks
Amethodtoeliminateallrisks
Asetofexpectationsamongstmanagement,shareholders,andtheboardaboutthefirmsriskappetite
Aguaranteethatthefirmwillavoidlosses
Asetofmethodsforavoidingsituationsthatmayresultinlossesthatwouldbeoutsidethefirm’srisktolerance
Acrammed‐togethercollectionoflongstandinganddisparatepractices
Amethodtoshiftfocusfrom“cost/benefit”to“risk/reward”
Arigidsetofrulesthatmustbefollowedunderallcircumstances
Awaytohelpfulfillafundamentalresponsibilityofacompany’sboardandseniormanagement
Limitedtocomplianceanddisclosurerequirements
Atoolkitfortrimmingexcessrisksandasystemforintelligentlyselectingwhichrisksneedtrimming
Areplacementforinternalcontrolsforfraudandmalfeasance
Alanguageforcommunicatingthefirm’seffortstomaintainamanageableriskprofile
Exactlythesameforallfirmsinallsectorsorthesamefromyeartoyear
Apassingfad
(S&P,2008)
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
44 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
foraggregatingrisk(e.g.EconomicCapital).
History has exhibited a number of financial crisis from the ‘Black Monday’ of
1987whenworldstockmarketscollapsed, to theAsianCrisisof1997 that led
(IMF)InternationalMonetaryFundininjecting$40billtostabilizetheeconomies
mostlyhit by the crisis; and to the recentUSmortgage crisis of 2007 that has
given rise to a global systemic shock within the financial community. Each of
thesecrisescallsoutfortheimportanceofestablishinggoodriskmeasuresand
PMIprocesses.
Financialinstitutionsfocusthesethreefactors,whichareinfluencedbyinternal
management as well as external factors, such as investor confidence and
regulatory standards. In terms of infrastructure it would be safe to say that
technologyisnotabank’scorecompetenceandwouldbenefitfromoutsourcing
such functions to third parties and gain specialist processes, personnel and
Informationtechnology.
Riskmanagementcanbeappliedviamanagingeachriskonitsownorthrough
anintegratedandholisticapproach,thishasbeenreferredtoasEnterpriseRisk
Management (Nocco, et al, 2006). Its goal is to set policies determining risk
across the firm and its diverse business activities and require methodologies
aggregating thevariable risk types (credit, operational,market).This isnot an
easy task as their distribution patterns vary substantially (Rosenberg, et al,
2004).
Enterpriseriskcanbecalculatedusingeconomiccapitalandriskadjustedreturn
on capital as steered by the capital adequacy guidelines of Basel II. Such
measures integratevarious risk components intoaholisticmeasureutilized to
calculateEnterpriseRisk. Commencingtheanalysisof thecreditcrisis,several
factorsdiscoveredhavetobeprospectivelyaddressedtoimplementasuccessful
ERMframework.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
45 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
a) Risk Measurement and Management reporting practices ought to be
informativeanddistributedintimelymanner
Communicationbetweenback‐middle‐frontofficesisoptimal. Duetoincreased
convergence of markets and many firms operating globally around the clock;
there needs to be a consensus of streamlining and constructing a solid, data
infrastructure.Thiswillhelpovercomethecomplexityandsheervolumeofdata
nownecessitatedbycurrentadvancedmethodologies.Besidesthis,thereneeds
to be consistent use of a common set of integrated data throughout the
organization. Interdependenciesmayalsoarisecreatingbottlenecks in internal
processes so efficiency in terms of minimizing duplications redundancies is
advised.
Organisationsareinstructedtointegratemeasuresofmarketandcounterparty
risk positions successfully by blending qualitative rigor with quantitative
valuations.Suchharmonisationofriskanalysistendstoproduceahigherdegree
of insight and uniform communication to management regarding fluctuating
exposures. This will equip the firm with the capacity to identify emerging
opportunities andmore importantly to enable a timely reductionof exposures
when risks outweigh expected returns. Furthermore, tools used to manage
liquidity positions should be flexible without built‐in assumptions to assist in
producingmorereflectiveassessmentsoftheir liquidity in lightofthestressful
marketconditions.Thisisvitaltoenabletheirinvestmentonriskmanagement
tomakeanimpactonthebottomlineandcreateshareholdervalue.
If the information derived from the models is not communicated in a timely
mannerthatenablesspeedyactions,then,insteadofaddingbusinessvaluethese
estimateswillonlyreflecthistoricalaccuracy.Thefirmneedstohaveadefined
methodology that by implementingwill give actionablemeasures to act upon.
Historical accuracy will only satisfy regulators but will not meliorate risk
awareness or behaviour of the firm. Whatever the case these can only be
effectiveiftheappropriate ‘input’dataareutilized.Bankshavetheappropriate
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
46 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
knowledge to integrate risk andmarket risksbut toderive an enterprise level
measuretheymustalsoincorporateoperationalriskormayevengobeyondand
include reputational, strategic and business risks. Both Basel II and Sarbanes
Oxley Act (2002) elaborate on operational risk and have provided market
participantswithmoreadvancedmodelsaseconomiccapitalcalculations,rather
thanconsistentlyrelyingonsimplemetricasreturnonequity.
As mentioned the purpose of integrated risk management is to measure risk
acrossthewiderangeofactivitiesaFinancialInstitutionmayoperate;fromthe
traditionalbankingbook,toinsuranceandsecuritiesestimates.Rosenbergstates
thatthisentailstheintegrationofthoserisksandtheirunderlyingdistributions.
(Rosenberg,etal,2004).Anexclusiveenterprisemodelshouldbeinplace,based
on the organizations’ internal competencies and customer analysis; such
methodology will improve the firm’s risk measurement and enhance the risk
management systems inplace.Furthermore firmsmustbeprudent innotonly
measuringtheorganizationsrangeofrisksbutalsoERMitself.
b) Independent and rigorous valuations29 should be constantly applied
acrossthefirm
Senior management must employ critical judgement and discipline when
complexandpotentiallyilliquidsecuritiesarevalued.Rigorousprocessesshould
be established and monitored constantly. Despite considering external rating
agencyassessmentsofcomplexstructuredcreditproductsfirmsshouldnotrely
heavily on them and utilise in‐house expertise to conduct independent
assessmentstoassistinmakingappropriateindependentvaluations.
29Valuation:theverificationofpriceestimatesforholdingswithintherecordsandbooksofafinancialinstitutionthatiscriticaltoestimatethepricebywhichthesecanbesoldortransferredinamarkettoday.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
47 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Commencingtheturmoilsuccessfulfirmssoughttoassesstheprecisionoftheir
valuationsbysellingasmallpercentageofsuchassetsandsearchfordisputesof
collateralmarketvaluations.Estimatedvaluations;includingboththeirownand
counterparties positions where used consistently across the corporation.
Thomson Claire, PWC Risk Advisory (2008) argues that companies nowmust
carry out muchmore riskmanagement due diligence themselves, rather than
relyingontheassurancesofothers.
c)Data incorporatedwithindefinedmethodologies shouldbe relevant tomarketconditionsManagement information systems installed to assess risk positions should
exploit a number of tools that rely on various underlying assumptions. Risk
managementprocessesandsystemsshouldbedynamicratherthanstaticsoas
to rapidly alter underlying assumptions regarding elements such as asset
correlations to reflect current conditions, as this may lead to “model risk30”.
Managementmust utilise an array of measures of risk, including hypothetical
gross and net positions in addition to profit and loss reporting to incorporate
divergentperspectivesonthesameexposures.
One can either build flexible models that may respond to current market
conditionsormodelsshouldbecalibratedusingalongertimehorizontoembed
amore realistic level of volatility. Inboth cases though, adegreeof judgment
needstobeexercised.Asexhibited,inputtingthemostrecentdataownitsown
inamodelwillnotprovideanappropriatelong‐termstrategy.Alongerhorizon
is desirable that encompasses amore complete and realistic set of events. For
examplesimilareventstothecreditcrisiswereobservedwhenLTCMcollapsed
in 1998. Increased credit spreads between risky bonds and risk free bonds
30‘Modelrisk’istheriskthatfirmsmayincureitherfromanalyzingwrongdataintherightmodelormay
arisefromtheerroneousimplementationofamodel
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
48 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
caused substantial losses in an arbitrage strategy thought to be risk free,
similarlytocurrentevents.Thecrisis inthebondmarketthenwasinitiatedby
theRussian government defaults that came subsequently on theAsianmarket
turmoil. Stress testing and assumptions are vitally important when historical
data doesn’t exhibit similar instance but when a historical benchmark for
performance is readily available then such data need to be incorporated in
current models. Leo Tilmann31 spoke at the ERM symposium in Chicago this
April and explains that the models used were right, but where just used
incorrectly.
“IfyoutookanykindofaCDOandyoustresstestitthedefaultspeeds,youwould
havegottherightanswersoit’sthebaselinedefaultspeedsthatwerefedintothe
modelsthatwereotherwisefinethatresultedinthewronganswer.”
HeidentifiedthesameweaknesseswithValueatRiskmodelsastheycantellyou
theappropriateriskinanykindofenvironment,howeverwhenrelyingonvery
recenthistoryandvolatilitiesandcorrelationsareexhibitingadecreasethenone
wouldgettheimpressionthattheriskisdeclining,consequentlyafirmtakesup
moreriskatexactlythewrongmoment.
D)CombiningtheinformationatalllevelsintoaggregatemeasuresProblemsareinherentinthewayfinancialinstitutionsmakedecisions.
Disconnect between executive decision‐making and riskmanagement remains.
Despite the fact that the industry has saying risk management should be
proactive,incorporated,aprofitcentreitisnot.Itsnot,becausethelanguageof
strategic decision‐making is still an accounting earnings business strategy,
corporate finance, once all these decision aremade the riskmanager is called
intotheroomandjustconfirmsthatthedecisionsareok,thusviciouscirclesare
created.(Tilmann,2008)
AsoneofthekeyprinciplesofERMistodevelopariskmanagementcultureitis
vitalthatriskmeasuresareaggregatedatall levelsthatoverseemanydifferent
31FormerCFOofBearSterns
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
49 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
levels of the organization; both horizontally and vertically. For example a
business line manager in Geneva will benefit if he/she could notice how the
branch’sportfolioriskcontributestotheaggregateriskmeasureofthefirm.This
willleadtoanunderstandingonhowhisdecisionswillhaveaneffectontherisk
appetite of the enterprise. The ability to aggregate and disaggregate such
measureswillallowforthedevelopmentofrisk‐awareculturedorganization.
Itisanimperativethatcompaniesneedtooperatewithinacomprehensivewell‐
structured risk –appetite; this was reaffirmed by the credit crisis. Exposures
needtobeaggregatedandmanageddynamicallyandholistically.Disciplinedand
robust governance concerning the ownership of risk, its management and
monitoring is vital to counterbalance revenue and growth pressures thatmay
give rise to concentrations of risk. In addition risk‐adjusted performance
measuresarerequiredtooffsetexcessivereturnstemptations.
E)Robustandeffectiveseniormanagementoversight,inconsiderationofstrategicriskA fundamental requirement for effective and prudent riskmanagement is the
effective oversight of an organization. Senior managers should be actively
involvedinriskmanagementsettingoutthefirmsenterprise‐wideriskappetite
generatingincentivesandcontrolstoaffirmthatemployeeswillabidebythose
preferences,withoutexceeding limits. Suchcontrolsactasa counterbalanceof
short‐term profit based incentives that may characterize the prevailing
compensation culture. Successful oversight necessitates the ability to gain
instantaccesstoadiversifiedpoolofhigh‐qualityinformation.Thisinformation
shouldbe transmittedbothhorizontally andvertically; throughout the turmoil
certainfirms’businessunitsdidnotdistributecriticalinformationrelatedtorisk
positionsandbusinesstactics.Thisinturnimpactedtheirprofitabilityadversely.
Competent leaders that successfully managed organizations throughout the
storm had strong and independent risk functions. These functions support
cohesive, disciplined thinking about the firms’ enterprise wide risk profile. In
additionbenefitsmaybegainedwhenriskmanagersare instructedtouncover
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
50 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
latent risks and identify those business lines were excessive risk taking is
assumed. The Basil Committee of Banking Supervisions research found that
Governanceandcontrolprocessesarevitaltotackledifficultiesthatmayarisein
associationwith:
• Complexandilliquidproducts;• Conflicts of interest between front office (traders in business lines) and
back‐officestaff(riskmanagement,accounting);• Linkingaccountingwithriskmanagement.Moreover Financial Institutions should understand the importance of
determiningstrategic riskaboveallotherrisks.CROSshouldreportdirectly to
theCEOandtheboardofdirectors(ERM– InsuranceRiskLeadershipSurvey).
Easley,PofRSMMcGladleyarguesthatifERMfailsitisduetothemisalignment
of strategic risk to other risks occurring concurrently (2008). Easley further
notes that mortgage related risk wasn’t part of many financial institutions
strategicrisk.
“ManycompaniesthinkofERMprimarily,ifnotsolely,intermsoffinancialand
operationalrisks.Othersseeitpurelyasacompliancetool.”“ERMmustgofrom
thebackroomtotheboardroom(Lam,2008).
“The new chapter in ERM is greater understanding of strategic risk (Axel
Lehmann, CRO Zurich Financial Services, 2008)”. A robust link between risk
appetite, corporatestrategyand financialandoperationalobjectives,as setting
limitsandtolerancelevelsacrosstheenterpriseandamongkeystakeholdersis
heavily reliant upon the effective dialogue between risk management with
executivesanddirectors.
Thecrisisaffectedawiderangeofcompaniesthatdidn’trealizehowsuchrisks
couldleadtodireconditionswithintheirownmarkets.(e.g.Paintmanufacturers
were affected as falling real estate values placed less supply of homes on the
market,subsequentlyfewerhousesneededrepaintingpriortotheirsale)Thisis
strategic risk; the risk that events taking place in one industry may have
catastrophiceffectsonanother.ThecompanythathassoundERMpracticeswill
have real estate sales as a key performance indicator that will subsequently
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
51 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
interpret this information to direct effective and timely decisions concerning
their strategy. It all comes down to strategic planning. “You fail to realize a
strategic risk and your stock price is decimated.” (Douglas French, Ernst and
Young,2008).
Interactions as such are insufficient and infrequent in practice andmost CROs
relationshipwiththeboardisona‘dottedline’basislimitinginmanycasesthe
reportingtoauditorcompliancecommittees.CROpowerisalsoverylimited(e.g.
Intheinsuranceindustry,lessthanhalfofriskcommitteesorCROsmayactually
influence key actions as strategic planning, investment strategy, financial
planning,productdesignandpricing)
InErnst&Young’sInsuranceRiskLeadershipSurvey(2008)onlyhalftheCROs
surveyedhadanycontrolorsupervisionregardingequity,interestrate,creditor
operationalrisk.Themajorityrespondedtoexpecthavingsuchoversightinthe
future.ReportingoftheCROtotheCEOandboardshouldbethroughasolidline
and the CEO must have full responsibility of Strategic Risk management in
consultationwiththeCRO.JamesLamgoesastepfurthernotingthatwhenthe
riskmanagementtaskisfoundexhaustingorcannotbeaddressedappropriately,
thenariskmanagementcommitteeshouldbeformed(e.g.Zurichdidthatjust2
yearsago).
To take advantage of a CRO within an FI, such role should be absolutely
independent and able to affect decisions. Throughout the crisis what is
incomprehensibleisthelackofobjectionfromriskprofessionalsconcerningthe
securitizationofbadcredit,asitisstillbadcredit.Practitionersblamethisonthe
lack of CRO independence. It is a very difficult tasks for a CRO to outcry their
concernswhenmaximizingprofitsandmeetingearningsexpectations formthe
culture of the firm. A CRO needs to be rigorous not only in understanding
financial and operational risks but also strategic risks. (Douglas French, Ernst
andYoung,2008).Zurichsoughttoput inplaceaCROasdespitehavingawell
structuredriskorientedorganizationbeforetherewasnorelationshipbetween
thebusiness and riskmanagementdepartments; the formerdidn’t understand
what iswas that riskmanagement provided and the latter didn’t comprehend
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
52 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
whatthebusinesswasdoing.ThustheygaveLehmannthe jobofCROtomake
suchconnectionandfillsuchloopholes.Hehasundertakenthetaskbyinitiating
to integrate its isolated IT systems geographically so as to improve the
organization’s risk–returnmodel and have a clearer strategic view of the vast
amountofdatathatinsuranceorganizationsrelyon.
Such formal, structured processes enable strategic risk –versus –reward
assessments andwithin three years 60% (E&R Survey, 2008) of insurer CROs
anticipate having such systems in place within the next 3 years. Furthermore
90%(E&RSurvey,2008)expectthatwithinthenextfiveyearseconomiccapital,
which can be derived from subtracting the fair value of liabilities from the
market value of assets, will be a key performance indicator. Others feel that
measurement of economic capital has been compliance driven due to intense
pressuresfromindustryparticipatorsasratingagencieswhonowrequireERM
valuationsfromFinancialInstitutions,recentlyextendedtoallcorporationsnon‐
financerelated)
ChallengesOnce the firm establishes ERM as part of the decision making process with
businesslinesassessingandmanagingrisksonadailybasis,thelevelofsenior
oversightmayevenbereduced(Gates,2006).MeasuringERMisnotaneasyand
inexpensivetask.Onecannotsimplyaddthevariousexposuresofmarket,credit
and operational risks together as “Correlation is a minefield for the unwary”
(Embrecht,etal,1999)ormayevenoverestimatedriskby40%(Rosenberg,et
al, 2004). One can make use of a copula approach and by constructing a
correlation matrix, link marginal distributions of the various risks together.
(Rodriquez, 2004) This will benefit banks in terms of building their ERM
measures and lead to one robust, integrated and risk‐aware environment
accountingforanydependenciesorcorrelationsthatmayexist.Attheendofthe
day;theaimistoprovideasinglesetofinformationthateveryonecanleverage
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
53 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
their efforts, sowhen evolving conditions arise; everyonewill knowhow they
maycontributeandbenefit from the system inplace. Inaddition thedesignof
such infrastructureshouldbe flexible inmanipulationtermsto incorporatethe
today’srequirementsbutalsothoseundefinedandwhichlieahead.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
54 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
References
Aabo,T.Fraser,JR.S.andSimkins.BJ(2005)"TheRiseAndEvolutionOfTheChiefRiskOfficer:EnterpriseRiskManagementAtHydroOne,"JournalofAppliedCorporateFinance,v17(3,Summer),62‐75.AIRMIC(2008)NewsletteroftheAssociationofInsuranceandRiskManagers,JulyVolume.Atkins,D.andBates,I(2008)ManagementofInsuranceOperations,FinancialWorldPublishingBankofEngland(2008)CreditconditionsSurveyQ2:Surveyresults2008/Q2.Banham.R(2008)TreasuryandRisk:TimetoBailonERM?June.BaselCommitteeofBankingSupervision(2008)Fairvaluemeasurementandmodelling:Anassessmentofchallengesandlessonslearnedfromthemarketstress,BankforInternationalSettlements.BankofInternationalSettlements(2006)BaselII:InternationalConvergenceofCapitalMeasurementandCapitalStandards:ARevisedFramework‐ComprehensiveVersion.Beck,U(1992)RiskSociety:TowardsaNewModernity.London:Sage.Blaine,HandHoban,JPJr(1980)"InvestmentInNewEnterprise:SomeEmpiricalObservationsOnRisk,Return,AndMarketStructure,"FinancialManagement,v9(2),44‐51.Beasley,M.S,Carcello,JV.andHermanson,DR(2005)Enterpriseriskmanagement:Anempiricalanalysisoffactorsassociatedwiththeextentofimplementation.JournalofAccountingandPublicPolicy,Vol24,pp521‐531.Beasley,MS.Clune,R.andHermanson,DR(2006),TheImpactofEnterpriseRiskManagementontheInternalAuditFunction,AltamonteSprings,FL,InstituteofInternalAuditorsResearchFoundation.Beasley,M.Pagach,D.andWarr,R(2007)Theinformationconveyedinhiringannouncementsofseniorexecutivesoverseeingenterprise‐wideriskmanagementprocesses.JournalofAccounting,AuditingandFinance.Bilbul.J(2008)EnterpriseRiskManagement:LessonsfromtheCreditCrisis,EMB:ActuariesandBusinessConsultantsLLP.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
55 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Bowling,D.Frederick,J.andRieger,J(2003)"TakingTheEnterpriseRisk‐ManagementJourney,"BankAccountingandFinance,v16(2,Feb),16‐22.Bowling,DM.andRieger,LA(2005)"MakingSenseOfCOSO'sNewFrameworkForEnterpriseRiskManagement,"BankAccountingandFinance,2005,v19(1,Feb/Mar),29‐34.Campbell,A(2008)RiskMagazine,NewAngles:Lehmannfeelsthestrain,Volume21,No4.Carrel,P(2008)Executivevie‐presidentatReutersTradeandRiskManagementCreditMagazine:CreditRisk:LearningfromtheCrunch,AprilVolume.Chapman,JR(2006)SimpleToolsandTechniquesforEnterpriseRiskManagement,TheWileyFinanceSeries.CitiMicrofinance&CliffordChanceLLP(2008)MicrofinanceSectorTransformation‐MakingsenseoftheBaselIICapitalAccord,April.Clohan,FH(2003)RiskManagementReports,EnterpriseRiskManagement:Past,Present,Futures,Volume30,No.5.CommitteeofSponsoringOrganizationsoftheTreadwayCommission2004),EnterpriseRiskManagement‐IntegratedFramework,ApplicationTechniques,COSO.CommitteeofSponsoringOrganizationsoftheTreadwayCommission(2004)EnterpriseRiskManagement‐IntegratedFramework,ExecutiveSummary,COSO.CrouhyM,D.Galai,andR.Mark(2005)TheEssentialsofRiskManagement.NewYork:McGraw‐Hill.Cummins,J.Lewis,DChristopher,M.andWei,R(2004)"TheMarketValueImpactofOperationalRiskEventsforU.S.BanksandInsurers"Dec23rd/04.DATAMONITOR(2008)TheEvolutionofEnterpriseRiskManagement:Sub‐primecrisishighlightsneedforEnterprise‐wideapproachtoriskmanagement,DATAMONITORJan31/08.Davis,P(2007)FTreport‐FundManagement:ProperRiskToolsnotAlwaysinPlace,May14th2007,FinancialTimes.Deloitte&ToucheLLPcommissionedbyTheAllianceforEnterpriseSecurityRiskManagementAESRM)(2007),ResearchReport:TheConvergenceofPhysicalandInformationSecurityintheContextofEnterpriseRiskManagement,Canada.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
56 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Dickinson,G(2001)"EnterpriseRiskManagement:ItsOriginsAndConceptualFoundation,"GenevaPapers‐Theory,v26(3,Jul),360‐366.Doherty,N(2000)IntegratedRiskManagement:TechniquesandStrategiesforReducingRisk,NewYork,McGrawHill.Edhec(2008)EuropeanInvestmentpracticessurvey,EDHECRiskandAssetManagementResearchCentrePublication.January2008.Embrecht,P.McNeil,A.andStrautmann,D(1999)“Correlation:PitfallsandAlternatives“,.RISKMagazine,May,pp.69‐71.Ernst&YoungLLP(2008)InsuranceRiskLeadershipSurvey:MovingtotheNextLevel–AProgressReportonInsuranceRiskLeadership.Espersen,D(2002)"TrendsInEnterpriseRiskManagement,"BankAccountingandFinance,v16(1,Dec),45‐50.Felsted,A(2008)FinancialTimes:Thedangerofover‐reactingtorecentevents,FinancialTimesLtd2008,April28.FinancialStabilityForum(2008)"ReportoftheFinancialStabilityForumonEnhancingMarketandInstitutionalResilience",April7.Frank,B(2008)FinancialWeek,Survey:EnterpriseriskmanagementstillablindspotforinsuranceCFOs,CrainCommunicationsInc,MayVolume.
Garrat,B(2003)TheFishRotsfromtheHead:TheCrisisinOurBoardrooms‐DevelopingtheCrucialSkillsoftheCompetentDirector,2RevEdition,ProfileBooksLtd,London
Garside,T.andNakada,P(1999)EnhancingRiskMeasurementcapabilities,Erisk.com.Gates,S.andHexter,E.(2006)MITSloanReview,TheStrategicBenefitsofManagingRisk,Spring2006,Vol.47,No.3,pp.6‐7.Gates,S(2006)"IncorporatingStrategicRiskintoEnterpriseRiskManagement:ASurveyofCurrentCorporatePractice”.JournalofAppliedCorporateFinance,Vol.18,No.4,pp.81‐90.Gorvett,R.andVjentra,N(2006)SettingUptheEnterpriseRiskManagementOfficeCallPaperProgram,EnterpriseRiskManagementSymposium,Chicago,IL.Grene,S(2008)FundManagement:Value‐at‐riskskills‘lacking’,FinancialTimes,Feb25,2008.
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
57 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
Harrington,S.Niehaus,G.andRisko,K(2002)"EnterpriseRiskManagement:TheCaseOfUnitedGrainGrowers,"JournalofAppliedCorporateFinance,v14(4,Winter),71‐81.Hoyt,RE.andKhang,H(2000)OntheDemandforCorporatePropertyInsurance,JournalofRiskandInsurance,67,91‐107.Hoyt,RE.Merkley,BM.andThiessen,K(2001)ACompositeSketchofaChiefRiskOfficer,TheConferenceBoardofCanada,September.Hoyt,RE.Moore,DL.andLiebenberg,AP.(2008)TheValueofEnterpriseRiskManagement:EvidencefromtheU.S.InsuranceIndustry.Jenkinson,N(2008)Speech:StrengtheningRegimesforControllingLiquidityRisk:someLessonsfromtheRecentTurmoil,EuromoneyConferenceonLiquidityandFundingRiskManagement.London24thApril.Kahneman,D.andTversky,A(1979)ProspectTheory:AnAnalysisofDecisionunderRisk.Econometrica,Vol47,No2,March,pp263‐292.Kleffner,A.,Lee,R.,&McGannon,B.(2003),Theeffectofcorporategovernanceontheuseofenterpriseriskmanagement:EvidencefromCanada.RiskManagementandInsuranceReview,6,1,pp.53‐73.Kohn,LD(2008)BISReview,TestimonyBeforetheCommitteeonBanking,Housing,andUrbanAffairs:Conditionofthebankingsystem:RiskmanagementanditsimplicationsforsystemicriskU.S.Senate,FederalReserve,June5.KPMG(2001)UnderstandingEnterpriseRiskManagement:AnEmergingModelforBuildingShareholderValue,KPMGLLP.Labate,J(2008)TreasuryandRisk:WheredidERMGoWrong?June2008volume.Laeven,RJA(2005)"WorstVaRScenarios:ARemark",December15.Lam,J.andCameron,G(1999)“MeasuringandManagingOperationalRiskwithinandIntegratedFramework–PuttingTheoryintoPractice,”OperationalRiskinFinancialInstitutions,London,RiskPublications,pp.34‐38.Lam,J(2003)EnterpriseRiskManagement:FromIncentivetoControls,WileyFinance.Markowitz,H(1952)PortfolioSelection,TheJournalofFinance,7,pp.77‐91.Marrison,C(2002)TheFundamentalsofRiskMeasurement.NewYork:McGrawHill
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
58 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
MarshandMcLennanCompanies(2005).AQualitativeSurveyofEnterpriseRiskManagementPrograms,NewYork.Marsh2008AIRMICConferenceSurvey(2008)RiskManagement“stilllacksboardroomclout.“Martellini,L.Malaise,P.andAmenc,N(2005)“FromDeliveringtothePackagingofAlpha,”EdhecRiskandAssetManagementResearchCentre.
Mikes,A(2005),“Enterpriseriskmanagementinaction”,DiscussionPaperNo.35,ESRCCentreforAnalysisofRiskandRegulation.
Minsky,HP(1985)“TheFinancialInstabilityHypothesis:ARestatement.”ArestisandSkourasedition,PostKeynesianEconomicTheory.Meulbroek,LK(2002)IntegratedRiskManagementfortheFirm:ASeniorManager’sGuide,JournalofAppliedCorporateFinance,14,56‐70.Myners,P(2001)"InstitutionalInvestmentintheUnitedKingdom:AReview",ReporttotheChancelloroftheExchequer,HMTreasury,MarchNavigantConsultingReport(2008)FirstQuarter2008Update:ReachingNewHeights,NavigantConsultingInc,April23rd2008Nocco,BW.andStulz,R(2006)Enterpriseriskmanagement:Theoryandpractice.JournalofAppliedCorporateFinance,18,4,pp.8‐20.OliverWyman(2007)FinancialServicesTheCreditCrisis:CorrectionorCatastrophe?OliverWymanInc.Ong,MK(1999)InternalCreditRiskModels‐CapitalAllocationandPerformanceMeasurement,London:RiskPublications,p56. Operational Risk Corporate Governance Exert Group (2005) The ‘Use Test’, Financial Services Authority. OperationalRiskCorporateGovernanceExertGroup(2005)The‘UseTest’,FinancialServicesAuthority.Oswalt,MJ(2003)"AdaptingRiskManagementToProtectTheEnterprise,"CommercialLendingReview,v18(4,Jul),8‐14.President'sWorkingGrouponFinancialMarkets(2008),"PolicyStatementonFinancialMarketDevelopments",March13.Raposo,CC(1999)“CorporateHedging:WhatHaveWeLearnedSoFar?”DerivativesQuarterly,Volume5,Number3,pp.41‐51
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
59 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
RiskMetrics(2008)“WeakRiskManagementPracticesSeenasKeyCauseoftheMortgageMeltdownandSubsequentRiseinSubprime‐RelatedLawsuits,”RiskMetricsGroup,NewYork.Rodriguez,JC(2004)MeasuringFinancialContagion:ACopulaApproach,Workingpaper,EURANDOM.Rosenberg,JV.andSchuermann,T(2004)"AGeneralApproachtoIntegratedRiskManagementwithSkewed,Fat‐TailedRisk"(May).FRBofNewYorkStaffReportNo.185.Sabry,F.Sinha,A.andLee,S(2008)SubprimeSecuritiesLitigation:KeyPlayers,RisingStakes,andEmergingTrendsPartIIIofANERAInsightsSeries,NERAEconomicConsulting,3rdJuly2008.Schroeck,G(2002)RiskManagementandValueCreationinFinancialInstitutionsJohnWiley&Sons,Inc.,NJ,USA.Seib,C(2008)Timesonline:Ex‐UBSchiefsreappayoutdespitelosses,TheTimes,March19SeniorSupervisorsGroup(2008)."ObservationsonRiskManagementPracticesduringtheRecentMarketTurbulence",March6.Segal,S(2006)“DefiningRiskAppetite.”RiskManagement.DeloitteConsulting.July,pp:17‐19.Shenkir,WG.andWalker,PL(2007)EnterpriseRiskManagement:ToolsandTechniquesforeffectiveimplementation,InstituteofManagementAccountants,Montvale,NJ.Shimko,D.andHumphreys,B(1998)“VotingonValue”RiskMagazine,December1998,p33.Smiecheweicz,W(2001)"CaseStudy:ImplementingEnterpriseRiskManagement,"BankAccountingandFinance,14(4,Summer),21‐28.Stambaugh,F(1996)RiskandValueatRisk,EuropeanManagement.JournalVol.I4,No.6,pp.612‐621,Copyright©1996PublishedbyElsevierScienceLtd,PrintedinGreatBritain.Standard&Poors(2008)EnterpriseRiskManagement:Standard&Poor’stoApplyEnterpriseRiskAnalysistoCorporateRatings,RatingsDirect,May72008.Tillman,L.(2008)SpeechatERMSymposium:“InthePursuitofReturn,HaveweLostsightofRisk?”(FormerBearSternsCFO)April15th.TowersPerrin(2008)LifeInsuranceCFOsurvey#19:EmbeddingEnterprise
Enterprise Risk Management – Evaluating the Systems in place throughout 2007-2008
60 Page Andreas Zarifis
Cass Business School MSc Insurance and Risk Management, July 2008
RiskManagement.TreasuryandRisk(2008)EnterpriseRiskManagementPracticesSurvey,PaisleyLtd.Trippensee,A(2008)EnterpriseRiskManagementSolutions,SASInstituteIn,Cary,NorthCarolina.Varutbangkul,S.andPhakdurong,P(2007)ERM:Compliance‐drivenorvalue‐driven?BankPost,Aprilissue.Wallace,W.andR,Kreutzfeldt.(1991),Distinctivecharacteristicsofentitieswithaninternalauditdepartmentandtheassociationofthequalityofsuchdepartmentswitherrors.ContemporaryAccountingResearch,7,2,pp.485‐512.Walker,PL.Shenkir,WG.andBarton,TL(2002)MakingEnterpriseRiskManagementPayOff:HowLeadingCompaniesImplementRiskManagement,FinancialTimesPrenticeHallBooks,2002. Zhou,Y(2005)RiskManagementataLeadingCanadianBank:AnActuarialScienceGraduate’sView,QuantitativeAnalytics,GroupRiskManagementTDBankFinancialGroup.