Upload: blaze-nicholson

Post on 23-Dec-2015

Page 1: ERM and internal controls- A dovetailed relationship Mr. Ravi Varadachari November 17, 2008

ERM and internal controls - A dovetailed relationship

Mr. Ravi Varadachari

November 17, 2008

Page 2

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 3

Agenda

• Setting the stage

• The changing landscape

• Key to Enterprise Risk Management

• Deep dive into ERM and Internal Controls

• Recommendations and Conclusions

© 2008 Oracle Corporation – Proprietary and Confidential

Page 4

Enterprise Risk Management

• Financial institutions are exposed to a variety of risks like financial risk, economic risk, geo-political risk and societal risk.

• Traditionally, the focus has been on understanding and managing the financial risk.

• Enterprise Risk Management is a mechanism to have a holistic view of all the risks that a financial institution is exposed to at the right level of granularity.

Risk categories (figure): Economic Risk, Societal Risk, Financial Risk, Technological Risk, Geopolitical Risk

Components of financial risk:
• Market risk
• Credit risk
• Operational risk
• Liquidity risk
• Interest rate risk
• ALM
• Concentration risk

Page 5

Global risks

Economic
• Oil price shock/energy supply interruptions
• US economy
• Chinese economic hard landing
• Fiscal crises caused by demographic shift
• Blow up in asset prices/excessive indebtedness

Geopolitical
• International terrorism
• Proliferation of weapons of mass destruction
• Civil wars and failed and failing states
• Retrenchment from globalization
• Middle East instability

Technological
• Breakdown of critical information infrastructure
• Emergence of risks associated with nanotechnology

Societal
• Pandemics
• Infectious diseases in the developing world
• Chronic disease in the developed world
• Liability regimes

Financial
• Market risk
• Credit risk
• Operations risk
• Liquidity risk
• Interest rate risk
• Concentration risk


Page 7

Changing Landscape of Risk

• Financial Crisis Experienced by Banks/Financial Institutions

• Increase in “Rare Events”

Page 8

The current financial crisis

16th Mar ’08 - Bear Stearns

• Bear Stearns gets acquired for $2 a share by JP Morgan Chase in a fire sale, avoiding bankruptcy.

7th Sept ’08 - Fannie Mae & Freddie Mac

• The federal takeover of Fannie Mae and Freddie Mac was based on a growing concern about the liquidity of the firms.
• These two companies back nearly half the country’s mortgages.

15th Sept ’08 - Lehman Brothers

• A liquidity crisis forced Lehman Brothers to file for bankruptcy.

17th Sept ’08 - AIG

• The US Federal Reserve loans $85 billion to American International Group (AIG) to avoid bankruptcy.

25th Sept ’08 - Washington Mutual

• A liquidity crisis due to a 10-day bank run forced the OTS (Office of Thrift Supervision) to place the bank under the FDIC.
• The banking assets were sold to JP Morgan Chase.

29th Sept ’08 - Wachovia Bank

• Wachovia Bank was acquired by Wells Fargo.
• The bank was heavily invested in adjustable-rate mortgages and faced severe losses.

Page 9

The Global Story …

14th Sept ’07 - Northern Rock Bank, UK

• The UK’s fifth largest mortgage lender sought financial support from the Bank of England. The bank was taken into state ownership/nationalized.
• This was on account of the global credit crunch triggered by the sub-prime mortgage crisis in the US.

18th Sept ’08 - HBOS, UK

• HBOS was taken over by Lloyds TSB.
• The share price suffered heavy fluctuations on account of short selling and rumors of a credit crunch.

29th Sept ’08 - Bradford & Bingley, UK

• The share price of the bank fell on account of the credit crunch.
• The bank was nationalized and the Spanish bank Santander acquired all the savings bank assets.

29th Sept ’08 - Fortis Bank, Belgium

• The bank was partially nationalized by the European Central Bank.
• The share price fell dramatically on account of rumors of insolvency.
• This can be attributed to the sub-prime mortgage crisis in the US.

Page 10

The Black Swan Phenomenon

“No amount of observations of white swans can allow the inference that all swans are white, but the observation of a single black swan is sufficient to refute that conclusion.”

What is a Black Swan?

• It is an event

• Hard to predict based on historical data

• After the event, many people saw it coming

Stress testing models must assume black swan events to ensure greater predictive power.

Page 11

The London “Millennium Bridge” Incident

Source: http://www.urban75.org/london/

Page 12

The London “Millennium Bridge” Incident

London Bridge – Architect Lord Norman Foster

Source: http://www.urban75.org/london/


Page 14

Key to effective Enterprise Risk Management

• How Do We Address ERM?

• Risk measurement and management
  • Regulatory capital
  • Economic capital
  • Risk based pricing and compensation
  • Stress testing

• Internal controls and mechanisms
  • Strategy
  • Governance
  • Organization structure
  • Processes, Policies and Procedures


Page 16

Regulatory, Economic and Book Capital

Regulatory Capital: Capital that banks are required to hold by their regulator

“The amount of capital a bank must have to stay in business”

Under the Basel II framework – computed based on a prescriptive formula for credit risk

Economic Capital: Capital that is required commensurate with the risk profile of the bank

“The amount of capital a bank should have”

Various models to estimate economic capital – stochastic view

Endeavor is to use it for business decisions

Book Capital: Capital that a prudent bank would choose to hold

“The amount of capital that a bank has on its books”

Economic book value – different from the accounting concept of book value

Concept of risk appetite

Page 17

Framework for Capital Estimation

Figure components: Credit Risk Capital, Market Risk Capital, Operational Risk Capital, Risk Capital – Other Risks; Total Capital; Capital Management

Page 18

Key Differences – EC and RC

Criterion           Economic Capital                                          Regulatory Capital
Success condition   Doing it right                                            Doing it right & demonstrating that “we have done it right”
Auditability        Lower focus on auditability                               High focus on auditability
Frequency           Continuous process                                        Monthly/Quarterly/Year End focused
Objective           Focus on deriving numbers useful for business decisions   Focus on “dotting the i’s” and “crossing the t’s”

Page 19

Will RC Converge with EC?

Uniformity – Regulatory capital should be based on similar principles while economic capital can be different

Simplicity – Regulatory capital methods need to be simple while economic capital models can be sophisticated in tune with the underlying business

Conservatism – Regulatory capital would be more conservative than economic capital methods

Substantial “Distance to Travel” before convergence!!

Page 20

Risk Adjusted Performance Evaluation

The accounting notion of return on assets (ROA) has long been used as a bank-wide performance metric.

The shareholders’ perspective is brought in by using return on equity (ROE) instead of ROA.

Both of the above performance metrics have two shortfalls, namely:
• The measures do not take “risk” into account
• These measures can only be applied at a bank-wide level and not for individual business lines

Risk adjusted performance metrics were hence developed to counter the above shortfalls. Bankers Trust, a commercial bank, came out with the concept of RAROC (“Risk Adjusted Return On Capital”).

Where:

“Expected Loss” is the mean of the loss distribution associated with the portfolio/business line

“Capital” is the capital deployed for the portfolio/business line; it is mostly understood as the “Economic Capital” for the portfolio/business line, and the “Income from Capital” is the additional income generated by investing that capital

Page 21

Stress testing – Key to Capital Management

• Demanded as part of Pillar II by most regulators

• Estimation of capital under Pillar I assumes a “steady state”, and the estimate may be “point-in-time” as opposed to a range based on economic cycles (through-the-cycle rating)

• The requirement of capital under “stressed conditions” and “unfavorable events” needs to be understood

• Stress testing can be used to check if the “capital buffer” is sufficient under the conditions described

• Regulators are concerned about procyclicality that may exacerbate an economic crisis further – stress testing may be a solution

• Rigor in methodology is to be demonstrated

Page 22

Regulatory Expectation

Regulator: Basel II

• Basel II Pillar 1
  • Paragraphs 435-437 highlight requirements for stressing risk parameters like PD, LGD and EAD under downturn economic conditions.
  • Stress testing to include the impact of a deterioration in the credit quality of the protection providers.

• Basel II Pillar 2 Principle
  • Banks should have a process for assessing their overall capital adequacy in relation to their risk profile and a strategy for maintaining their capital levels.

“In assessing capital adequacy, bank management needs to be mindful of the particular stage of the business cycle in which the bank is operating. Rigorous, forward-looking stress testing that identifies possible events or changes in market conditions that could adversely impact the bank should be performed.”

Regulator: NPR

Supervisors expect that banks will manage their regulatory capital position so that they remain at least adequately capitalized during all phases of the economic cycle.

• A bank may choose to have scenarios apply to an entire portfolio, or it may identify scenarios specific to various sub-portfolios.

• The severity of the stress scenarios should be consistent with the periodic economic downturns experienced in the bank’s market areas.

• The scope of stress testing analysis should be broad and include all material portfolios.

• The time horizon of the analysis should be consistent with the specifics of the scenario on key performance measures.

Page 23

Regulatory Expectation: CRD – FSA – BIPRU

Regulator: FSA

FSA Guidelines, CP06/3

“A firm must have in place sound stress testing processes for use in the assessment of its capital adequacy. Stress testing must involve identifying possible events or future changes in economic conditions that could have unfavorable effects on the firm’s credit exposures and assessment of the firm’s ability to withstand such changes.”

FSA Guidelines, CP06/3

“The CRD requires firms to perform this stress-test but is silent on what they should do with the results. CP05/3 (BIPRU) made the superequivalent proposal that the amount that results from the stress-test be held as an additional capital requirement. In response to the feedback to CP05/3, we now propose that the stress-test be used as the starting point of a discussion with firms as to whether they have adequate contingency plans to manage their capital (relative to their Pillar 1 capital requirements) through a recession (now defined as a recession roughly equal in severity to the early 1990s recession).”

Page 24

Design of Stress Tests - Critical

• Based on past events (9-11, market crash of 1987, financial crisis of 2008)

• Plausible scenarios/identification of a set of appropriate risk factors in the specific context of the portfolio:
  • Realistic
  • Corresponds to the approach and portfolio of exposures
  • Informative and valuable to risk management objectives

• Design of “Perfect Storms”
  • Simultaneous occurrence of multiple events/scenarios

• Bottom-up: Stressing PDs, transition matrices, top ten accounts

• Top-down: Stressing GDP and other macroeconomic variables

Page 25

Integrating Internal controls

• Internal control is a process, effected by an entity’s board of directors, management and other personnel and designed to encompass the following key elements:
  • Strategy
  • Governance
  • Organization structure
  • Policies, procedures and processes

Page 26

ERM frameworks for internal control

• UK - The Combined Code (2003) and Turnbull (2005)

• US – Committee of Sponsoring Organizations (COSO) ERM (2004)

• Australia/New Zealand 4360 Standard on Risk Management 1999, 2004

• South Africa – King II Report (2002)

• Federation of European Risk Management Association (FERMA) (2004)

• Basel II (2004)

Page 27

The COSO ERM framework

ERM Framework components (figure):
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

• The eight components of the framework are interrelated.

• It considers activities at all levels of the organization.

• The objectives can be viewed in the context of four categories:
  • Strategic
  • Operations
  • Reporting
  • Compliance

• A strong system of internal control is essential to effective enterprise risk management.


Page 29

Six principles for effective ERM implementation

1. Ensure top management commitment
2. Holistic view of risk management, compliance and controls
3. Bridge the islands
4. Ensure data quality
5. Design an appropriate technology architecture
6. Cost-benefit analysis

Page 30

1. Management Commitment

Management to see benefits of compliance – else will be treated as a cost of doing business

Source: www.cartoonbank.com

Page 31

2. Holistic view

IFRS / IAS 32, 39
• Harmonizing and upgrading of accounting standards
• Valuation methodology
• Disclosure and presentation of financial statements

COSO Framework
• ERM program
• Risk assessment and response
• Internal control
• Monitoring and reporting

SOX Section 404
• CEO / CFO certification on accuracy and reliability of financial statements
• Management assessment and auditor attestation

Basel II – Credit, Market & Operations Risk
• Capital adequacy
• Supervisory review and market disclosure
• Improved risk management

SOX & IFRS / IAS 32, 39
• Internal controls over recording, validating and accounting
• Presentation, disclosure and financial reporting

Basel II Credit, Operations & Market Risk & IFRS / IAS 32, 39
• MTM / valuation of assets, instruments, collaterals
• NPA and default definition
• Hedging treatment
• Reconciliation of risk and finance data

SOX & Operational Risk
• Risk and control identification and assessment
• Key risk indicators
• Scenario and risk management
• Reporting

AML & Operational Risk
• AML operational process
• Surveillance and detection of suspicious transactions
• Scenarios
• Reporting

Page 32

3. Bridge the Islands …

Islands (figure): Compliance, Audit, Legal, Corporate Communications, Facilities Mgt, HR, Security, BDRP, Controllers, Customer Service, IT Security, Insurance, Individual LoB Mgt

Traditional Approach vs Enterprise Wide Approach (figure):
• Line of Business – Primary responsibility for OR
• OpRisk Function – Facilitator and validator
• Internal Audit – Independent validation
• External Audit, Regulators
• Specialist Departments – Legal, Compliance, HR, Insurance…

Page 33

4. Ensure Data Quality

Source: www.cartoonbank.com

Page 34

5. Appropriate technology architecture

Figure axes: Technology Sophistication, Risk Management Sophistication, Coverage

Stages shown:
• Controls
• Assessment
• Monitoring
• Exposure Measurement
• Loss Estimates
• Capital Computation
• Capital Allocation/Attribution
• Performance Management

Page 35

6. Cost Benefit Analysis

Source: www.cartoonbank.com

Page 36

Potential benefit and cost

Wall Street fines (Source: Forbes – Wall Street Fine Tracker):
• 2002: 2.95 billion USD
• 2003: 4.21 billion USD
• 2004: 4.53 billion USD

Illustrative bank balance sheet over time:

Time                          1     2     3     4
Capital                      10    10    10    10
Borrowings                   90   100   110   120
Total assets                100   110   120   130
Average cost of borrowings   4%    4%    4%    4%
Average yield on loans       7%    7%    7%    7%
Average costs                1%    1%    1%    1%
Interest Income             7.0   7.7   8.4   9.1
Interest Expenses           3.6   4.0   4.4   4.8
Other Expenses              1.0   1.1   1.2   1.3
Net Income                  2.4   2.6   2.8   3.0
Return on Equity            24%   26%   28%   30%

Substantial impact on RoE and profitability in the long term
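To see where the rising ROE in the table above comes from, here is an added Python model (not part of the original deck) that rolls the same balance sheet forward under the slide's assumptions: capital held flat at 10, borrowings growing by 10 each period, 4% cost of borrowings, 7% yield on loans, 1% other costs. It also reports leverage and return on assets, which the slide does not show: ROE climbs from 24% to 30% only because leverage climbs from 10x to 13x, while return on assets actually drifts down.

```python
from dataclasses import dataclass
from fractions import Fraction as F


@dataclass
class Period:
    """One column of the slide's table, plus two derived ratios the slide omits."""
    capital: float
    borrowings: float
    total_assets: float
    interest_income: float
    interest_expense: float
    other_expenses: float
    net_income: float
    roe: float       # net income / capital (the slide's Return on Equity)
    roa: float       # net income / total assets (not on the slide)
    leverage: float  # total assets / capital (not on the slide)


def project(capital=10, borrowings=90, periods=4, borrowing_growth=10,
            cost_of_borrowings=F(4, 100), yield_on_loans=F(7, 100),
            cost_ratio=F(1, 100)):
    """Roll the balance sheet forward with the slide's assumptions.

    Defaults reproduce the slide's four columns: capital stays at 10 while
    borrowings grow by 10 per period. Exact fractions avoid float noise;
    values are rounded only when stored.
    """
    rows = []
    for t in range(periods):
        b = F(borrowings) + t * F(borrowing_growth)
        a = F(capital) + b                   # total assets = capital + borrowings
        income = yield_on_loans * a          # yield earned on all assets
        expense = cost_of_borrowings * b     # interest paid on borrowings only
        other = cost_ratio * a               # operating costs on total assets
        ni = income - expense - other
        rows.append(Period(
            capital=float(capital), borrowings=float(b), total_assets=float(a),
            interest_income=round(float(income), 2),
            interest_expense=round(float(expense), 2),
            other_expenses=round(float(other), 2),
            net_income=round(float(ni), 2),
            roe=round(float(ni / capital), 4),
            roa=round(float(ni / a), 4),
            leverage=round(float(a / capital), 2),
        ))
    return rows


def roe_driver(rows):
    """Split the ROE change over the horizon into what the slide shows
    (ROE up) and what it hides (ROA down, leverage up). ROE == ROA * leverage."""
    first, last = rows[0], rows[-1]
    return {
        "roe_change": round(last.roe - first.roe, 4),
        "roa_change": round(last.roa - first.roa, 4),
        "leverage_change": round(last.leverage - first.leverage, 2),
    }


if __name__ == "__main__":
    for r in project():
        print(f"assets={r.total_assets:>5.0f} net={r.net_income:4.1f} "
              f"ROE={r.roe:.0%} ROA={r.roa:.2%} leverage={r.leverage:.0f}x")
    print(roe_driver(project()))
```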

Page 37

Thank you

Mr. Ravi Varadachari

Practice Leader – Risk Management & [email protected]

+1 917 502 9480
