poyry risk management audit ver 4
Pöyry Enterprise Risk Management Audit
Oslo, January 2015
2
PÖYRY MANAGEMENT CONSULTING – ENERGY
· Europe’s leading specialist energy management consultancy
· Offering expert advice from strategy to implementation on policy, regulation, business operations, financing and valuation and sustainability
· Providing in-depth market analysis and strategic insight across Europe
· Over 200 energy market experts in 12 offices across Europe: Düsseldorf, Helsinki, London, Milan, Moscow, Oslo, Oxford, Paris, Vienna, Villach, Zurich, Madrid
3
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
…from board room to trading desk and back
4
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
· You do not want last-resort auditors to take the lead:
Enterprise Risk Management needs to be forward looking and proactive – are you ready for the future?
5
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
· What’s up?
  · Expected cost:
    · EU regulations and the transition towards Internal Energy Market (IEM).
    · Tougher regulation sanctions (unlimited?).
    · Change of market design and capacity markets
    · More mandatory reporting.
  · Expected revenue:
    · Current market prices are down
    · Future market prices are down
    · Will we ever see nominal 2008 levels again?
  · Expected P&L:
    · Does expected P&L, return and dividend reflect changes in revenue and cost?
    · Does asset valuation reflect market values?
    · Should stable dividend expectations be solved by increasing risk?
Enterprise Risk Management needs to be forward looking and proactive – are you ready for the future?
Energy Act EU regulation
6
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
Today's agenda:
· Pöyry Enterprise Risk Management Audit is a structured way to diagnose current status, identify need for change, redesign and implement ERM improvements.
· Supplementary examples:
  · Enterprise Risk Management - Frameworks: Frameworks are nothing but frameworks; they all need tailor-made implementation. Putting it all together depends on KPI & KRI library quality and several other factors.
  · Enterprise Risk Management - Compliance: The point of no return is reached. The transition from Energy Act to EU regulation will be a game changer. We are moving from intention-based frameworks to detailed regulations.
  · Enterprise Risk Management - Tailor-made implementation: Several issues to look at depending on company. Provided examples are meant as ideas for scoping with clients.
7
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
Enterprise Risk Management Goals & Process:
· Enterprise Risk Management goals:
  · Understanding the shock resistance of the enterprise to its key risks
  · Managing enterprise risk exposure to the level desired by senior management.
· Enterprise Risk Management process:
  · Coordinating Risk Management Objectives and Components
  · Focusing on cooperation among departments to manage the organization’s full range of risks as a whole.
  · Creating a framework for effectively managing uncertainty, responding to risk and harnessing opportunities as they arise.
  · Embodying the notion that risk analysis cuts across the entire organization.
[Figure labels: RM Objectives; Risk Components]
8
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
What is it, why do you need it and the alternative approach
· What: Pöyry Enterprise Risk Management Audit is a structured way to diagnose current status, identify need for change, redesign and implement ERM improvements:
  · Based on real world experience from trading & hedging environments combined with decades of fundamental analysis and studies.
  · Voluntary, Confidential and Objective
· Why: Enterprise Risk Management is vulnerable to implementation and often fails to deliver:
  · Consistency and coherency are crucial in all aspects of implementation. Lack of standardization, communication, coordination, cooperation and understanding is devastating.
  · Need for tailor-made implementation combined with strong dependency on individuals
  · Internal audits cannot be neutral and objective
  · Mandatory external audits are ex-post focused (based on accounting & tax legislations)
  · Solutions that are not soundly based could contribute to unforeseen consequences and increased risk
· Alternative: External audits and an objective second opinion are a far more convenient way of improving ERM quality than learning the hard way from own mistakes
Diagnostic Redesign Implementation
9
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
· Evaluating G’SOT:
  - Goal
  - Strategy
  - Objectives
  - Tactics
· With focus on:
  - ERM Framework
  - Strategic RM
  - Compliance RM
  - Reputational RM
  - Financial RM
  - Operational RM
· Using:
  - KPI, KRI and KCI
· Evaluation:
  - Gap analysis
  - Improvement Proposal
Voluntary, Confidential and Objective audit with intention of improvement
1. KPI: Key Performance Indicators, KRI: Key Risk Indicators, KCI: Key Control Indicators
11
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
Where do we start?
Phase 1 - Identification Phase 2 - Capture
Diagnostic Redesign Implementation

Diagnostic
Description: Data collection:
• Why are we in business:
• G’SOT (Goals, Strategy, Objectives and Tactics)
• Evaluation of G’SOT consistency & coherency with ERM Framework
• Strategic-, Compliance-, Reputational-, Financial-, Operational RM
• KPI, KRI and KCI Library
Result: Pöyry Enterprise Risk Management Audit Diagnostic Report:
• GAP quantification
• Identification of improvement

Redesign
Description: Based on: Pöyry Enterprise Risk Management Audit Diagnostic Report
• Proposal for RM redesign
Result: Pöyry Enterprise Risk Management Audit Redesign Proposal:
• Presentation of the proposal
• Red flag report, identification of implementation challenges.
• Define solutions to overcome technical barriers

Implementation
Description: Based on: Pöyry Enterprise Risk Management Audit Redesign Proposal
• Significant on-site presence
• Implementation of new management processes and information tools
• Coaching and training of staff at all levels to utilize improvements
• Capture of improved KPI, KRI and KCI results
Result: Pöyry Enterprise Risk Management Audit Implementation Report:
• Identification of improvement
• Identification of objectives for follow up
12
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
Details on Phase 1
Phase 1 - Identification

Diagnostic
Description: Data collection:
• Why are we in business:
• G’SOT (Goals, Strategy, Objectives and Tactics)
• Evaluation of G’SOT consistency & coherency with ERM Framework
• Strategic-, Compliance-, Reputational-, Financial-, Operational RM
• KPI, KRI & KCI Library
Result: Pöyry Enterprise Risk Management Audit Diagnostic Report:
• GAP quantification
• Identification of improvement

· Approach, context and scope of the Audit
  • Identify an appropriate suite of focus areas
  • Project work streams details
  • Project timeline
  • Budget
· What we need from you:
  • Quantitative & qualitative description of G’SOT
  • ERM Framework, e.g.:
    • Organisation map and risk owner hierarchy
    • Risk policy & operational risk limits
    • Portfolio structure
    • KPI, KRI and KCI Library
· Deliverables
  • Pöyry Enterprise Risk Management Audit Report:
· Pöyry project team:
  • Heine Rønningen
  • Michel Martin
  • Cathrine Torvestad
14
ENTERPRISE RISK MANAGEMENT FRAMEWORKS
Enterprise Risk Management (ERM) Policy: Different methodologies, same objective and challenges
· ERM Quality is dependent on implementation rather than the choice of policy framework school.
· ERM Policy based on:
  • COSO ERM: Committee of Sponsoring Organizations of the Treadway Commission www.coso.org
    • RM effect on objectives
    • RM as a compliance based function
  • ISO 31000: International Organization for Standardization www.iso.org
    • R/RM as an event or process
    • RM as a strategic discipline for making risk-adjusted decisions
  • COSO/ISO Hybrid or other solutions
15
RISK MANAGEMENT FRAMEWORKS
Strategic, Compliance, Reputational, Financial, Operational RM Policy: Different methodologies, same objective and challenges
• RM Quality is dependent on implementation. No closed form solution/equation
• RM Policy based on:
  • @ Risk methodology:
    • Value at Risk (VaR)
    • Cash flow at Risk (CFaR)
    • Profit at Risk (PaR)
    • X at Risk (XaR)
  • Other methods:
    • Function of probability and expected value
  • All based on:
    • Predefined distributions
    • Empirical values
    • Monte Carlo simulation
    • Market values
    • Mean reversion
    • External boundaries
    • Assumptions
16
RISK MANAGEMENT CONSISTENCY AND COHERENCY
· Missing link between RM components can be devastating in reaching the objectives.
· Consistent: the quality of behaving the same way over time (input, methodology, output).
· Coherent: the quality of being logically connected (organization levels, business units..).
Consistency and coherency are of utmost importance in all aspects of the business
17
RISK MANAGEMENT CONSISTENCY AND COHERENCY
Financial RM
· Expected EBITDA
· Dividend Capacity
· CAPEX budget
Link
· A common base for:
  · Input
  · Calculation methods
  · Output
Operational RM
· Risk owners
· Exposure limits
· Stop loss rules
· Hedging\Rehedging strategy
18
RISK MANAGEMENT CONSISTENCY AND COHERENCY
· Specific: Explicit description of what we are measuring
· Measurable: Absolute or relative benchmark values
· Achievable: Far-fetched goals are discouraging
· Relevant: Coherent with objectives and consistent over time
· Time-bound: Time dimension and granularity must be explicit
Are the indicators SMART?
20
RISK MANAGEMENT COMPLIANCE
Both external & internal compliance are important
• External:
  • Regulations
    – Increasing regulatory risk in a rapidly changing regulation regime.
    – MAD & REMIT are at the top of the regulators' agenda.
• Internal:
  • Business Culture: Google's definition of Knaves
    «Knaves "lie, cheat, steal, and take credit for other people's work"»
ACER and NRA users of Nasdaq OMX Smarts
21
RISK MANAGEMENT COMPLIANCE
Regulations
· Regulations
  • EU 713/2009 ACER's role
  • EU 714/2009 X-Border (NC CACM, NC FCA...)
  • EU 543/2013 Transparency
  • EU 1227/2011 (REMIT) Commodity Market abuse & Insider trading
  • Directive 2004/39/EC (MiFID)
  • EU 1287/2006 (MiFID IA)
  • EU 648/2012 (EMIR) Central Clearing Party
  • EU 596/2014 (MAD) Derivatives Market abuse & Insider trading
· Compliance Risk:
  • Reputational
  • Sanctions
    • Worst case: unlimited based on harm
22
Derivative regulations
MiFID: Investor protection, MP classification (fin, non fin +/-). Contract definition and exemptions
EMIR: Central Counterparties (CCP). Contract definition from MiFID
MAD: Market abuse & insider trading. Contract definition from MiFID
REMIT: Market abuse & insider trading. Own contract definition, Transparency data = inside information (certain criteria)
Transparency regulation: Mandatory disclosure of data. Definition of data and data owner.
MAD and REMIT => Complementary regulation with the same intention => Prohibition of market abuse and insider trading
Commodity regulations
Cross border: EC 714/2009
NC EB: Electricity Balancing
NC CACM: Capacity & Congestion
NC FCA: FWD Capacity
23
Derivative regulations
MiFID: Investor protection, MP classification (fin, non fin +/-). Contract definition and exemptions
Commodity regulations
Exemption
- Must be physically settled
- Traded on OTF not RM
- Regulated by REMIT
Nordic design European design
European market design exemption from derivatives? Nordic market design «cannot escape».
24
Derivative regulations
MiFID: Investor protection, MP classification (fin, non fin +/-). Contract definition and exemptions
Commodity regulations
Bilateral leakage
- Must be physically settled
- Traded on OTF not RM
- Regulated by REMIT
Nordic design European design
• Increased cost under EMIR could possibly increase bilateral trading.
• Nordic market design «cannot escape».
• Physical EFET FEMA with operational netting may be exempted
• If Transition to physical => Financial capital may pull out (inc. cost, complexity)
26
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
Risk Management: A process of continuous improvement.
· Risk Management is not a one shot exercise
· Adjustment of objectives
· Continuous Risk Assessment
  • Identify
  • Analyse
  • Evaluate
· Risk treatment
  • Create/adjust control environment
  • Control the activities
  • Inform/Communicate
  • Monitor
· Start over....
27
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
Risk management function positioning
· Risk committee
· Chief Risk Officer (CRO)
· Both
· Keys to success
  - CRO peer with business line leaders
  - CRO reporting line to the board (or Risk Committee)
  - CRO has a broader risk focus than compliance
  - CRO position and interaction with senior management clearly defined
  - Managing risk is everyone’s job
  - Management values RM as an equal discipline to opportunities pursuit
28
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
KPI & KRI: Assumptions, benchmarking and backtesting performance
· Performance evaluation & Hurdle rates:
  - CAPM «nice tool» for companies quoted on an exchange with relevant peers.
  - Most companies are not quoted on an exchange
  - What is your Market Cap, Beta or Small Cap premium?
· Other evaluation methods based on risk adjusted performance:
  - RORAC: Return On Risk Adjusted Capital
  - RAROC: Risk Adjusted Return On Capital
  - RARORAC: Risk Adjusted Return On Risk Adjusted Capital
  - Sharpe Ratio: (Actual return – Risk free rate) / Volatility
  - V2 Ratio – Actual return vs. Benchmark return
· Bonus programs & performance based incentives
  - Relation to KPI & KRI
  - Size, Downside risk, Watermark
29
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
KPI & KRI selection
· Must be soundly based in corporate G’SOT
· Example:
  - KPI = max (Actual Price/DA Price)
· Does not say anything about the potential or the risk:
  - Bearish scenario:
    - No hedge: KPI = 1, highest risk, 100% lost potential
    - Hedge A: KPI = 1.8, lowest risk, 20% lost potential
    - Hedge B: KPI = 1.2, high risk, 80% lost potential
  - Bullish scenario:
    - No hedge: KPI = 1, highest risk, 0% lost potential
    - Hedge A: KPI = 0.6, lowest risk, 80% lost potential
    - Hedge B: KPI = 0.9, high risk, 20% lost potential
· Hedging close to delivery gives higher probability of maximizing KPI at the price of a higher risk:
  - A good strategy for a lazy trader with P&L incentives only?
  - Perhaps not that good for the company?
30
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
KPI & KRI Selection and calibration based on G’SOT & Risk Assessment
· Standardized process
· Tailor-made content
· A non-summative drill down exercise
· Define risk appetite:
  - Reward risk mitigation on some risks?
  - Reward risk adjusted P&L on some risks?
𝑔𝑒𝑛𝑒𝑟𝑎𝑡𝑖𝑜𝑛= 𝑓 ¿
𝑚𝑎𝑟𝑘𝑒𝑡𝑝𝑟𝑖𝑐𝑒= 𝑓 ¿𝑖𝑛𝑓𝑙𝑜𝑤= 𝑓 ¿
31
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
KPI & KRI: Risk owner & portfolio framework
· Creating an efficient library of KPI & KRI is highly dependent on portfolio structure
· Separation of Performance & Risk related to key elements is crucial:
· Forecast · Inflow · Constraints · Regulations
· Basis · Profile · Bidding Zone
· Market · Xtra · Static · Dynamic
32
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
KPI & KRI: Risk owner & portfolio framework
· Efficient portfolio structure makes it easier to adjust risk according to objectives using KPI & KRI triggers
33
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
KPI & KRI: Assumptions, benchmarking and backtesting market input
34
RISK MANAGEMENT TAILOR MADE IMPLEMENTATION
Counterparty Credit Risk: Bilateral OTC vs. Central Counterparties
· Standardized & Cleared:
· ..or Bilateral OTC
  - Counterparty Credit Risk
    - Based on Basel II/III
      – A-IRB
      – IRB
      – Standard
    - Internal models
35
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
ERM Presentation red ink summary:
· ERM Quality is dependent on implementation rather than the choice of policy framework school.
· RM Quality is dependent on implementation. No closed form solution/equation
· Missing link between RM components can be devastating in reaching the objectives.
· External Compliance Risk worst case: unlimited based on harm
· ERM is dependent on implementation. There are no closed form solutions. Mistakes can be devastating in reaching the objectives. In the worst case, consequences could be unlimited.
· External mandatory audit is based on accounting legislation – vague on risk management.
· Use Pöyry Enterprise Risk Management Audit to fill the gap.
36
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
…most black swans are white. Controlling your risks gives you confidence within the confidence interval.
Contacts:
Heine Rønningen, Email: [email protected], Telephone: +47 90 60 87 74
Michel Martin, Email: [email protected], Telephone: +47 xxxxxxxx
Cathrine Torvestad, Email: [email protected], Telephone: +47 xxxxxxxx
38
PÖYRY ENTERPRISE RISK MANAGEMENT AUDIT
Putting it all together...
RM: Strategic, Compliance, Reputational, Financial, Operational
Mission & Vision
Goals
Strategies
Objectives
Tactics
39
KPI = MAX (ACTUAL PRICE/DA PRICE)
Bearish scenario:
40
KPI = MAX (ACTUAL PRICE/DA PRICE)
Bullish scenario:
41
RISK ASSESSMENT
· When in doubt.....
  • Decompose
  • Identify, analyse, evaluate
  • Adjust for covariance
  • Aggregate
Identify, Analyse, Evaluate
42
RISK OWNER & PORTFOLIO FRAMEWORK
(P) Hedged Item: Forecast
(T) Tax: = 31% of P
(S) Spot: = x% of P - T
(H) Hedge Total: = P - T - S
(Hstd) Hedge Total Standard: = (H) MWh mapped to standard hedging instruments
(Hx) Hedge Xtra: = max (Hstd)
(Hs) Hedge Static: = Hstd - Hx
(Hd) Hedge Dynamic: = Hstd - Hs
Value@Risk focus
CashFlow@Risk focus
43
RISK OWNER & PORTFOLIO FRAMEWORK
(P) Hedged item
Empirical analysis & forecasts
44
RISK OWNER & PORTFOLIO FRAMEWORK
(S) Spot
A natural hedge if price and generation are negatively correlated
45
RISK OWNER & PORTFOLIO FRAMEWORK
(Hs) Hedge static
Static programs could work both for actual hedging and benchmark
46
RISK OWNER & PORTFOLIO FRAMEWORK
(Hd) Hedge dynamic
Close to trading activity, stronger demand for KPI & KRI
47
HEDGED ITEM VS. HEDGING INSTRUMENT, HEDGING COST
48
NORMAL DISTRIBUTED PRICE CHANGE VS. ACTUAL
49
VOLATILITY MARKET VS. OWN
50
VALUE AT RISK OUTLIERS
51
BASEL II/III
IRB