
Page 1: Risk Monitoring - dmhl4ur684aqh.cloudfront.net

Risk Monitoring

© 2020 American Bankers Association

Risk Monitoring

ABA course content is not a substitute for professional legal advice.

Version 1


Menu

Introduction

Overview

Role and Importance of Risk Monitoring

Report Metrics and Frequency

Designing Effective Reports

Key Risk Indicators

Targeting Reports to the Audience

Control Design and Effectiveness

Evaluating First Line Controls

Wrap Up


Introduction

About the Instructor

Tally Ferguson, SVP/Director of Enterprise Risk Management, BOK Financial

Bio

Tally Ferguson is currently the Director of Enterprise-wide Risk Management with BOK Financial (BOKF). As such, he works with four teams critical to the success of the company’s enterprise-wide risk management: Risk Governance, Market Risk, Model Analytics, and Operational Risk. Tally has served at BOK Financial for over 20 years, having responsibilities ranging from dealer and capital markets compliance to the corporate insurance program.

Prior to joining BOKF in 1996, Tally was a regulatory consultant for Ernst & Young and helped clients implement numerous regulatory initiatives including comprehensive risk management programs and interest rate risk initiatives. Tally got his introduction to banking as an examiner with the Federal Reserve Bank of New York, where he began in 1985 and progressed to Supervising Examiner by March of 1994.

Tally has an undergraduate degree in Economics and Mathematics from Yale University and an Executive MBA from the Wharton School. He is a CFA charterholder, CERP certified, and carries Series 7, 24, 63, 4, and 53 licenses. Tally is also an adjunct instructor of finance at the University of Tulsa.


Introduction

Course Description

Risk Monitoring explains the importance of monitoring within a risk management framework, provides you with standards for effective monitoring, and uses examples to highlight key concepts.

The following key topics are discussed in the course:

Approaches for designing and producing standardized and ad hoc reporting

Techniques for effectively summarizing and communicating risk information

Methods to assist in identifying and defining key risk indicators (KRIs)

Logical steps to analyze report output

Evaluating controls for design and operating effectiveness

Evaluating the quality of the business line monitoring performance


Introduction

Objectives

By the end of Risk Monitoring, you will be able to

Describe the importance of monitoring within an effective risk management program

Identify the role of line managers, senior executives, and the board in risk monitoring

Identify metrics to include in monitoring reports and how often metrics should be reported

Describe approaches for designing effective monitoring reports

Identify appropriate measurement techniques for types of risk

Describe the level of monitoring detail to include for each audience

Describe the process for evaluating control effectiveness

Identify the tools and documentation available for evaluating first line controls


Overview

Introduction

In this lesson, you will learn where monitoring fits within the enterprise risk management (ERM) framework.

You will also learn about characteristics of effective risk monitoring.

Note: Complete the Introduction to Enterprise Risk Management course in this Certificate Program for a deep dive into the components of an effective ERM framework.


Overview

Introduction, continued

This section discusses where monitoring fits within the ERM framework and compares effective and ineffective risk monitoring approaches.

Monitoring is not just looking at exposures and comparing to limits. Monitoring is an oversight process with many parts, a deficiency in any one of which can lead to a broken monitoring system.


Overview

Monitoring and the ERM Framework

Committee of Sponsoring Organizations (COSO)

COSO highlights the role of monitoring within enterprise risk management (ERM) as follows:

“The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.”

— COSO Enterprise Risk Management – Integrated Framework, September 2004

Office of the Comptroller of the Currency (OCC)

The OCC includes monitoring prominently in the following ERM expectations:

Integrated framework structured to identify, aggregate, measure, monitor, and control risks across the firm

Risk assessments and monitoring systems (e.g., actual outcomes, key performance and key risk indicators) that promote a continual and forward-looking view of risk

Risk limits and concentration limits established and monitored consistent with the appetite statement and defined risk tolerance

Business lines identify, measure, monitor and control risk in accordance with bank risk management framework and establish and maintain an effective system of internal controls

Robust, timely, accurate, and forward-looking management information systems (MIS) designed to proactively identify, measure, monitor, and control risks

— OCC ERM Program Expectations for $10-50bn banks & thrifts


Overview

Monitoring and the ERM Framework, continued

The diagram illustrates that risk monitoring fits within an ERM framework. It is not set apart like some objective, indifferent watcher; it is embedded.

Click each characteristic of risk monitoring to learn more.

Dynamic

A monitoring program must adjust as business lines, products and services, and even the economy change. Monitoring today’s environment with yesterday’s monitoring is inadequate.

Transparent

Monitoring does not hide its light under a bushel. All stakeholders need to know the results of monitoring and what they mean. Moreover, stakeholders must react to monitoring results and not ignore them. As part of transparency, each bank should have a well-known and practiced escalation protocol in place before monitoring finds exposures beyond tolerances.

Consistent

A moving target (different measure, new assumptions, changed limits) prevents evaluation over time and across business lines. That is not to say that monitoring programs should become stagnant and report for reporting’s sake, irrespective of changes to the system.

Shared

Finally, monitoring is a shared responsibility, not just the responsibility of the first line, second line, auditors, or examiners.


Overview

Effective vs. Ineffective Monitoring

Click each box in this table to compare effective with ineffective monitoring.

Effective Monitoring

Tracks risk measures

Effective monitoring tracks risk measures over time and across divisions. For example, it alerts monitors when system outages grow unusually high BEFORE the system fails.

Frequent and current

Effective monitoring gives information in time to address issues, and frequently enough to proactively recognize trends.

Follows clear reporting protocol

Effective monitoring incorporates a well-known and standard reporting process. Little time is wasted figuring out who must review monitoring reports, nor explaining what they mean.

Leads to escalation when needed

Effective monitoring is acted upon using a documented exception response protocol. Little time is wasted figuring out who must make the decision to accept, transfer or reduce out of tolerance conditions.

Hits the appropriate audience

Effective monitoring goes to people and committees with knowledge and authority to act.

Ineffective Monitoring

More false positives than true exceptions

Ineffective monitoring just regurgitates a list of outages and has so many false positives that monitors ignore the results.

Systemic false negatives

Ineffective monitoring is too slow to act on and leads to false negatives, essentially missing out-of-tolerance conditions.

Reports inactionable situations

Ineffective monitoring reports metrics about which management can do nothing. For example, measuring the change in interest rates is ineffective; measuring the projected net interest income impact of such a change is helpful. That said, management may still choose to monitor metrics about which they can do nothing if such metrics inform actions that they can take.


Limited to historical and not forward looking metrics

Ineffective monitoring looks backwards, like driving and looking only in the rear-view mirror.

Metrics with no analysis

Credit metrics don’t go to operating committees. Ineffective monitoring presents raw data with no meaningful analysis.


Overview

Self Check Quiz

Which two items are characteristics of effective monitoring?

Select the correct answer and click Submit.

A) Leads to escalation when needed

B) Reports inactionable situations

C) Includes metrics with no analysis

D) Tracks risk measures

A and D are correct.

B and C are incorrect because they are characteristics of ineffective monitoring.


Overview

Review

In this lesson, you learned where monitoring fits within the ERM framework and the characteristics of effective risk monitoring. Risk monitoring should be embedded in a bank’s day-to-day risk management activities.

You also learned about the characteristics of effective risk monitoring. For example, effective risk monitoring tracks risk measures, follows clear reporting protocol, and leads to escalation when needed.


Role and Importance of Risk Monitoring

Introduction

In this lesson, you will learn about the importance of risk monitoring in an effective ERM program.

You will also learn about the role of line managers, senior executives, and the board in risk monitoring.

As you review this section, pay attention to the terms that we introduced earlier, like risk tolerance relative to exposure and continuing and iterative processes. Also focus on the role each management level plays in an effective risk monitoring process.


Role and Importance of Risk Monitoring

Determines if Exposure is Within Tolerance

Risk monitoring is essential for determining that exposure is within risk tolerance. Risk monitoring accomplishes the following three objectives.

Click each item to learn more.

Detects exposures

Absent risk monitoring, changes in risk exposure will go undetected until they result in deviations from expectations that are outside of management’s risk tolerance.

Finds stale risk responses

Control activities may no longer be performed or a bank’s objectives may change. This can be due to the arrival of new personnel, changes in entity structure or direction, or the introduction of new processes.

Identifies ineffective controls

An entity’s enterprise risk management changes over time. Risk responses that were once effective may become irrelevant or control activities may become less effective. In the face of such changes, management needs to determine whether the functioning of enterprise risk management continues to be effective.


Role and Importance of Risk Monitoring

Provides Protocol for Escalation

Monitoring effectiveness stems from its role in the ERM process. Knowing our risks is of no use unless they are monitored with a firm protocol for escalating exceptions. What do we do about the risk, and does it matter which risk? Which product? Which business lines? To whom must risks be escalated? Who can say excesses are OK? Who can second-guess that decider? Compare the images, where monitoring is embedded in the continuing evaluation of risk on the left, but off to the side as an afterthought for examiners or auditors on the right.


Role and Importance of Risk Monitoring

Enables Focus on Issues and Follow Up

Monitoring effectiveness stems from its role in the financial institution’s organization. Ongoing monitoring activities differ from control activities embedded in “business as usual” processes. For example, approvals of transactions, reconciliations of account balances, and verifying the accuracy of changes to master files, are best defined as control activities. Checking that such activities are performed constitutes monitoring.

By focusing on relationships, inconsistencies, or other relevant implications, line managers raise issues and follow up with other personnel as necessary to determine whether corrective or other action is necessary.

Click the graphic to learn more.


Note the role of monitoring at the executive and board level as shown in the graphic. A key idea is the filtering of information: granular at the lower levels, high level but consistent at the higher levels. The board has responsibility to ask for and review a sufficient level of reporting to affirm that the bank is operating within its risk tolerance. Executive management is responsible for delivering on this, for making sure it is the information requested, and for making sure that it is accurate.


Role and Importance of Risk Monitoring

Self Check Quiz

Which level in the bank has the responsibility to ask for and review sufficient level of reporting to affirm that the bank is operating within its risk tolerance?

Select the correct answer and click Submit.

A) Board of directors

B) Executive management

C) Line operating or functional support managers

A is correct.

B is incorrect because executive management is responsible for delivering the information requested and for making sure it is accurate. C is incorrect because ongoing monitoring activities are generally performed by line operating or functional support managers.


Role and Importance of Risk Monitoring

Review

In this lesson, you learned about the importance of risk monitoring in an effective ERM program. For example, risk monitoring is essential for determining that exposure is within risk tolerance.

You also learned about the role of line managers, senior executives, and the board in risk monitoring. For example, senior line managers own monitoring report production, accountability, and response.


Report Metrics and Frequency

Introduction

It is considerably easier to describe an effective monitoring program than it is to build and implement one. In this lesson, you will learn about approaches for developing monitoring reports, including what to measure and how often to report.

You will also learn about the types of measures—risk indicators and performance indicators.


Report Metrics and Frequency

What Do You Report?

What should be reported? This differs by recipient. There is not one monitoring report that serves all needs, but there are guiding parameters we can use.

First, at the top of this pyramid, all identified enterprise risk management deficiencies that affect an entity’s ability to develop and implement its strategy and to set and achieve its objectives should be reported. Call these “material risk metrics.”

How do we filter from the blue to the yellow to the red? The monitoring report designer should ask these questions:

(1) What authority does my report audience have to deal with circumstances that arise?

(2) What are the implications of findings? Reporting a list of transaction or event errors is less useful than summarizing potentially faulty procedures that led to these results.

(3) How significant is the metric reported?

(4) How interconnected is the metric reported?

This schematic offers characteristics of reporting metrics by level of recipient.

The Board needs metrics showing the company is within its risk appetite.

Executive Management also needs metrics showing the company is within its risk appetite, but this audience needs metrics specific enough to know which risk categories are out of tolerance.

Business line leaders need metrics showing the business line is functioning within tolerances and expectations. These metrics must be sufficiently granular to know what will keep the line from being successful.

Let’s discuss significance. It can be argued that no problem is so insignificant as to make investigation of its implications unwarranted. An employee taking a few dollars from a petty cash fund for personal use, for example, would not be significant in terms of that particular event, and probably not in terms of the amount of the entire petty cash fund. Thus, investigating it might not be worthwhile. However, such apparent approval of personal use of the entity’s money might send the wrong message to employees.


Finally, we tend to focus on what “went or could go wrong.” A fully effective monitoring system also identifies opportunities to increase the likelihood that the entity’s objectives will be achieved. For example, as customers demand more digital access to financial services, a company might measure “degree of digital access” as a metric.


Report Metrics and Frequency

What is Reported at Each Level

Granularity example

Below is an example of different degrees of granularity by level. Note the same pattern of fewer metrics as we move up the corporate hierarchy.

Lending Exposure Example

Lender Manager CRE Commercial Business Executive Board Credit Committee

Balance of book by loan Portfolio balance by type of borrower/loan

Balance by industry according to concentration limits

Balance by industry according to concentration limits

Aging (past due) by loan Aging by portfolio Trend in portfolio past due Composition by credit grade and classification

Policy exceptions by borrower Policy exceptions by lender

Trend in portfolio policy exceptions

Composition by credit grade and classification

Composition by credit grade and classification

Composition by credit grade and classification

Pipeline aging by borrower Pipeline aging by lender


Report Metrics and Frequency

Types of Measures

This diagram shows the overlap of the following three dimensions of measures:

Risk indicators vs. performance indicators

Actionable

Quantitative vs. qualitative

Risk is forward looking and measures the size of deviation from expectation. Risk indicators tell us what risk we must manage now to reduce future deviations from expectations.

Performance measures history. Performance indicators tell how well we managed risk in the past.

Actionable means we can do something about it. And, a measure is either quantitative or qualitative.


Report Metrics and Frequency

Types of Measures—Examples

Highlighted in the diagram are the following four examples of measures:

Regulatory changes

Net interest income at risk

Charge-offs

Information security maturity level

Click each measure in the diagram to learn more.

Regulatory changes

Regulatory changes cannot be quantified other than as a list, but the list of changes and the trend in their frequency and detail serve as good risk indicators. There is nothing management can do to prevent regulatory changes, other than, perhaps, lobbying and writing to your congressperson.

Net interest income at risk

In contrast, net interest income at risk is a risk indicator that we can measure and take action upon.

Charge-offs

Of the two performance indicators, charge-offs can be measured, but the only action we can take to mitigate them is recovery efforts. It is too late to manage that risk.

Information security maturity level

Information security maturity level is more a state of being than a quantifiable measure. One determines this based on a number of subjective factors. As with charge-offs, this level reflects the results of risk management actions taken in the past. It might inform where we need to focus efforts in the future, but of itself it is not actionable.


Report Metrics and Frequency

Frequency of Monitoring

Consider the following characteristics when determining reporting frequency:

Function of the risk being monitored

Reflects how frequently metric is calculated

Dependent upon how swiftly management can respond

Measures over relevant history


Report Metrics and Frequency

Frequency of Monitoring, continued

Shown here is a frequency attribution for a set of metrics. This is not a complete list of metrics, but it compares metrics that require different reporting frequencies to be effective.

Note that all the daily metrics can move significantly overnight. These are worth tracking daily.

In contrast, the metrics listed under the quarterly column take a good deal of transactions and time to change. These offer little value if tracked more frequently than quarterly.

Note: Complete the Enterprise Risk Management Reporting and Risk Evaluation and Measurement courses in this Certificate Program for a deep dive into risk management reporting and metrics.

Frequency attribution for a set of metrics:

Daily: Trading positions, System outage, Suspicious transactions, Overdraft levels, Funding levels

Monthly: Net interest income at risk, Industry concentrations, Funding ratios, Complaint trends, P&L based measures

Quarterly: Portfolio asset quality, IS maturity level, Capital ratios, Asset/revenue concentration, Rating agency evaluations, Examination/audit results

Report Metrics and Frequency

Self Check Quiz

Which three statements about risk indicators are correct?

Select the correct answer and click Submit.

A) Risk indicator metrics are forward looking

B) Risk indicator metrics tell us what risk we must manage now to reduce future deviations

C) Risk indicator metrics tell how well we managed risk in the past

D) Risk indicator metrics are typically actionable

A, B, and D are correct.

C is incorrect because risk indicators are forward looking. Performance indicators tell how well we managed risk in the past.


Report Metrics and Frequency

Review

In this lesson, you learned about approaches for developing monitoring reports, including what to measure and how often to report. For example, the board will want to see measures showing that the bank is operating within its risk appetite. In terms of frequency, metrics that can change overnight, such as trading positions, should be tracked daily. In contrast, the metrics tracked quarterly take a good deal of transactions and time to change.

You also learned about the two broad categories of metrics—risk indicators and performance indicators. Risk indicators are forward looking and tell us what risk we must manage now to reduce future deviations from expectations. Performance indicators tell how well we managed risk in the past.


Designing Effective Reports

Introduction

In this lesson, you will learn about approaches for designing effective monitoring reports.

You will also learn about techniques for getting your message across.


Designing Effective Reports

Introduction, continued

This section discusses how to prepare effective monitoring reports.

Effective monitoring reports are designed with the following characteristics in mind:

Separates wheat from chaff

Backed by detailed, granular data

Instant recognition of problem areas

Tailored to audience


Designing Effective Reports

Deconstructing Risk Information—Not All Metrics Are Equal

Let’s explore the “wheat from the chaff”, one of the sine qua nons of good reporting. The pyramids illustrate this important characteristic of effective reporting. Each colored inverted pyramid is a different business line. The red pyramid is the commercial lending segment. The blue is the trading and derivatives function. Green is Vendor Management and Yellow is Finance.

Here, the larger section of each pyramid reflects “core” limits recorded in the Risk Appetite statement. The smaller triangle segments reflect granular limits.

All the limits shown should be recorded, but for illustrative purposes here, I separate the highest level from the most granular.

Take the Commercial lending triangle, for example. Note the Prudential lending limits. Violating those limits leads to corrective action by regulators.

In contrast, going over a single facility limit might just be a comment on a lender’s performance evaluation. Note the similar differences for the other three departments. This helps direct us how to format our monitoring report.

Here you can see a box that is built from the highest-level limits, or “Core Limits”, and a circle I refer to as Desk level metrics.

The company’s regulatory capital minima will likely be unchanged for years at a time. However, business line capital will adjust with activity, possibly as often as quarterly.


Designing Effective Reports

Wheat vs. Chaff—Example

This table shows how limits compare to exposures across business lines. Columns on the left reflect core metrics, or the “wheat”. These go to the executive level and the board. In contrast the “chaff” on the right stops at the senior management level. Executive and board metrics need to be backed by granular data.

Core Limit | Core Exposure | Desk Limit | Desk Exposure

Prudential Lending Limit: $300 million | Joe’s Garage exposure: $320 million | Joe’s Garage Derivatives line: $60 million | Joe’s Garage swaps exposure: $70 million

Regulatory Capital Minimum: 7% T1 Common | T1 Common/risk weighted assets: 6.5% | Capital allocated to Mortgage: $600 million | Actual Mortgage Business Capital: $650 million

Corporate VAR Limit: $100 million | Highest VAR Usage: $110 million | Muni Desk VAR limit: $20 million | Muni Desk VAR usage: $30 million

Percent employees working at capacity from home: >=75% | Two-week rolling average WFH with no reported problems: 62% | Main City Department Percent employees working at capacity from home: >75% | Main City Department Two-week rolling average WFH with no reported problems:

Wheat: Escalate, correct and analyze. Chaff: React according to business line priorities or regulatory developments.

Sidebar: Executive and board metrics

Core metrics in the left (wheat) columns should be consistent with, if not made up of aggregates from, the (chaff) metrics on the right.


Designing Effective Reports

Escalation vs. Crying Wolf

An effective monitoring program avoids “crying wolf”, unless we are confident the wolf is there. To gain that confidence, we must first know what the wolf is. A “wolf” is exposure in excess of risk tolerance and “crying wolf” means a false alarm that may result because of:

Bad data or exposure calculation

A tolerance position that is already under resolution

Now that you can identify a “wolf” versus a false alarm, we can discuss appropriate escalation and reporting protocols, commonly comprised of color-coded assessments:

Red: means we are outside of our tolerance

Yellow: means we are outside normal, but within our tolerance

Green: means we are within our normal operating range

Banks should not understate the value of the “yellow” zone. For example, let us imagine the traffic light near your house has a yellow light that lasts two seconds. You interpret it as a red and always stop; however, your neighbor interprets it as a green light and always proceeds through the intersection. In this example, the light does not serve its function as a warning that exposure is about to change. The yellow danger zone needs to last longer than the two-second traffic light example because it is useful only if it gives room to act.


Designing Effective Reports

Getting Your Message Across—Ineffective Reporting

Is this report helpful in determining whether the desk is in tolerance? Of course not. You might not even know what these column headings mean. This is probably helpful for a trader, but not for her manager, executive, or the board. You cannot readily see what our excess exposure is, nor where it is.


Designing Effective Reports

Getting Your Message Across—Effective Reporting

This example shows more effective monitoring. Can you identify which area faces the highest risk in this hypothetical bank?

Note that only one radial dial is red—the information security vulnerability. The reader quickly sees that the vulnerabilities measure is too high for our tolerance, but that it is getting better. This is an excerpt of a profile similar to what midsize banks use.


Designing Effective Reports

Getting Your Message Across—Risk By Colors

Color coding is effective and informative if the color code is clear.

Click each color code to see examples of business activities in each risk category.

Red: Risk tolerance exceeded

Exposure too high

Controls ineffective

Borrower funded for more than their line

Sales practice complaints triple beyond peer average

Cyber vulnerabilities unaddressed

Yellow: Risk above normal

Recent increasing trend

Approaching risk tolerance

Borrower draws down to 90% of their line

Sales practice complaints show sustained, increasing trend

Cyber vulnerability cure plan on schedule

Green: Risk at normal levels

Borrower draw downs remain at 60% of line

Sales practice complaints remain within a range

No material cyber vulnerabilities identified
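The three bands defined under Escalation vs. Crying Wolf, the business examples above (a line drawn to 60%, to 90%, and funded beyond the line; a sustained rise in complaints) and the two causes of a false alarm, written out as a small classifier. This is an added example, not code from the course or from the ABA. The normal-range and tolerance values, the 90% "approaching tolerance" fraction and the three-period trend rule are assumptions made for the example:

```python
"""Traffic-light classification and escalation for a key risk indicator (KRI).

Constructed example. Bands follow the course definitions: red is outside
tolerance; yellow is above the normal range, approaching tolerance, or on a
sustained increasing trend; green is within the normal range. A red is
escalated only when it is not a false alarm, i.e. not bad data and not a
breach already under resolution. APPROACH_FRACTION, TREND_LOOKBACK and the
sample thresholds are assumptions, not figures from the course.
"""
from dataclasses import dataclass, field
from typing import List

APPROACH_FRACTION = 0.90  # assumption: at or above 90% of tolerance counts as "approaching"
TREND_LOOKBACK = 3        # assumption: three consecutive rises is a "sustained" trend


@dataclass
class KRI:
    name: str
    normal_upper: float            # top of the normal operating range
    tolerance: float               # board-approved limit
    history: List[float] = field(default_factory=list)  # oldest first, current last
    data_quality_ok: bool = True   # False when the data or exposure calculation is suspect
    under_resolution: bool = False # True when the breach already has remediation in progress


def sustained_increase(values: List[float], lookback: int = TREND_LOOKBACK) -> bool:
    """True when each of the last `lookback` observations rose over the one before it."""
    if len(values) < lookback + 1:
        return False
    tail = values[-(lookback + 1):]
    return all(later > earlier for earlier, later in zip(tail, tail[1:]))


def classify(kri: KRI) -> str:
    """Return 'red', 'yellow' or 'green' for the most recent observation."""
    current = kri.history[-1]
    if current > kri.tolerance:
        return "red"
    if (current > kri.normal_upper
            or current >= APPROACH_FRACTION * kri.tolerance
            or sustained_increase(kri.history)):
        return "yellow"
    return "green"


def should_escalate(kri: KRI) -> bool:
    """Cry wolf only when the wolf is there: escalate a red unless it is a false alarm."""
    if classify(kri) != "red":
        return False
    if not kri.data_quality_ok:
        return False  # bad data or exposure calculation: correct the data before alarming
    if kri.under_resolution:
        return False  # tolerance position already under resolution: no new alarm
    return True


if __name__ == "__main__":
    # Constructed sample: a borrower's line utilization (fraction of the line drawn)
    # and a monthly complaint count.
    samples = [
        KRI("line utilization", 0.75, 1.00, [0.62, 0.60, 0.60]),  # steady at 60%
        KRI("line utilization", 0.75, 1.00, [0.70, 0.80, 0.90]),  # drawn to 90%
        KRI("line utilization", 0.75, 1.00, [0.90, 1.05]),        # funded beyond the line
        KRI("line utilization", 0.75, 1.00, [0.90, 1.05], under_resolution=True),
        KRI("complaints per month", 20, 30, [10, 11, 12, 13]),    # sustained rise
    ]
    for k in samples:
        print(f"{k.name:22s} {k.history[-1]:>6} -> {classify(k):6s} escalate={should_escalate(k)}")
```

The yellow band is deliberately wide: it fires on the normal-range breach, on proximity to the limit and on trend, so that it gives the "room to act" the traffic-light passage asks for, while the escalation decision stays narrow.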


Designing Effective Reports

Getting Your Message Across—Heat Maps

Heat maps are another effective technique for getting your message across. Heat maps quickly show pockets of risk—red warranting attention, and green suggesting all is well.

Click each heat map to learn more.

Heat map: This heat map dashboard shows pockets of risk. Ideally, readers are not surprised by these reports. For this hypothetical bank, the first and second lines should expect credit risk to be high in commercial, market risk to be high in capital markets, and compliance and reputational risk to be high in consumer. This heat map also gives insight into enterprise risk. We can look across credit risk to see globally whether we have high, medium, or low credit risk. We can also aggregate by business line across risks. In this example, consumer boasts the most high-risk categories, but wealth management has almost all moderately high risks and may warrant the most risk management resources.

Trend heat map: The trend heat map gives more insight into each business line. Note that something appears to have occurred in the third or fourth quarter, when a number of risk evaluations popped up.
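The two readings described above (across a risk category for the enterprise view, and across risks for one business line) as a worked aggregation. This is an added example, not the course's figure or code. The ratings use the course's high / moderately high / moderate / low scale, but the numeric weights, the "worst cell wins" enterprise rule, the expected-risk map and the sample matrix are assumptions, chosen so the matrix shows the pattern the course describes (one line with the most "high" cells, another moderately high almost everywhere):

```python
"""Reading a risk heat map along both axes.

Constructed example. HEAT_MAP, EXPECTED and WEIGHT are assumptions made for
the illustration; the course's own figure is not reproduced here.
"""
from typing import Dict, List

WEIGHT = {"low": 1, "moderate": 2, "moderately high": 3, "high": 4}  # assumption

# Rows are business lines, columns are risk categories. Constructed sample data.
HEAT_MAP: Dict[str, Dict[str, str]] = {
    "Commercial": {"credit": "high", "market": "low", "operational": "moderate",
                   "compliance": "moderate", "reputational": "low"},
    "Consumer": {"credit": "moderate", "market": "low", "operational": "moderate",
                 "compliance": "high", "reputational": "high"},
    "Wealth": {"credit": "moderately high", "market": "moderately high",
               "operational": "moderately high", "compliance": "moderately high",
               "reputational": "moderate"},
    "Capital Markets": {"credit": "low", "market": "high", "operational": "moderate",
                        "compliance": "low", "reputational": "low"},
}

# Risks the first and second lines already expect each line to carry (assumption).
EXPECTED: Dict[str, List[str]] = {
    "Commercial": ["credit"],
    "Capital Markets": ["market"],
    "Consumer": ["compliance", "reputational"],
}


def high_count_by_line(heat_map: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """How many 'high' cells each business line carries."""
    return {line: sum(1 for r in cells.values() if r == "high")
            for line, cells in heat_map.items()}


def weighted_score_by_line(heat_map: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Sum of cell weights per line; this rewards a line that is moderately high everywhere."""
    return {line: sum(WEIGHT[r] for r in cells.values())
            for line, cells in heat_map.items()}


def enterprise_rating(heat_map: Dict[str, Dict[str, str]], risk: str) -> str:
    """Look across one risk category: the enterprise rating is the worst cell (assumption)."""
    return max((cells[risk] for cells in heat_map.values()), key=lambda r: WEIGHT[r])


def most_high_cells(heat_map: Dict[str, Dict[str, str]]) -> str:
    """Business line with the most 'high' cells."""
    counts = high_count_by_line(heat_map)
    return max(counts, key=counts.get)


def highest_weighted(heat_map: Dict[str, Dict[str, str]]) -> str:
    """Business line with the highest total weight; a candidate for the most resources."""
    scores = weighted_score_by_line(heat_map)
    return max(scores, key=scores.get)


def unexpected_cells(heat_map: Dict[str, Dict[str, str]],
                     expected: Dict[str, List[str]]) -> List[str]:
    """'High' cells that nobody expected: the surprises a good report should not contain."""
    return [f"{line}/{risk}" for line, cells in heat_map.items()
            for risk, rating in cells.items()
            if rating == "high" and risk not in expected.get(line, [])]


if __name__ == "__main__":
    print("most high cells:", most_high_cells(HEAT_MAP))
    print("highest weighted:", highest_weighted(HEAT_MAP))
    print("enterprise credit rating:", enterprise_rating(HEAT_MAP, "credit"))
    print("surprises:", unexpected_cells(HEAT_MAP, EXPECTED))
```

Counting "high" cells and summing weights give different answers (Consumer versus Wealth) on the same matrix, which is exactly the distinction the passage draws.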


Designing Effective Reports

Getting Your Message Across—Interactive Dashboards

Affordable technology today allows interactive dashboards that let users at different levels view the same dashboard but drill down to the level of detail appropriate for them. These reduce operational risk by sourcing the same data for everyone, rather than having one data source for the executives and a second data source for the business line managers. Click each report type to see an example of data in an interactive dashboard.

Credit concentration

Executives see three industries and their proportion of capital

Business lines can drill down to the customer(s) leading to that concentration

Complaint severity

Executives see corporate-wide trend

Business lines can drill down to the branches or causes leading to the complaint

Credit concentration (values from the course figure; the customer rows are the drill-down under Hotels):

Industry        Capital percentage
Hotels          200%
  Star Hotel     15%
  Major Hotel    10%
  Global Hotel   10%
  B&B Inc.        9%
CRE             180%
C & I           150%

Complaint severity (figure labels only): Branch 1 through Branch 4 and Complaint 1 through Complaint 4, plotted over Quarter 1 and Quarter 2.


Designing Effective Reports

Exercise

Review the heat map and answer the two questions below.

1. Which one of the following divisions has the highest operational risk?

Commercial

Consumer

Wealth

Capital Markets

2. What does this report suggest at the enterprise-wide level that is less obvious at the business line level?

Type your answers in the field. When finished, click the Suggested Results button to view possible responses.

Suggested Results

1. Consumer has the highest operational risk. Consumer seems tied with Wealth, but recall what we learned about indirect risks. With Consumer’s high compliance and reputational risk, we can safely assume there is indirect operational risk in that division that does not exist in Wealth.

2. Some market- or compliance-driven risk event occurred in the first quarter. Management thought this was addressed, but it came back to impact credit and reputational risk in the third and fourth quarter.


Designing Effective Reports

Self Check Quiz

Which limits are least likely to change from quarter to quarter?

Select the correct answer and click Submit.

A) Joe’s Garage credit line B) Tier 1 capital ratio C) Municipal trading desk VaR D) ACH returns

B is correct.

A is incorrect because credit lines should change according to the credit quality of the borrower, which could change monthly. C is incorrect because management will change the desk-level value at risk to take advantage of market circumstances, year-to-date results, or perceived customer demand. D is incorrect because standards for ACH returns may change with volume. At higher volumes, management may choose a lower exception rate.


Designing Effective Reports

Review

In this lesson, you learned about approaches for designing effective monitoring reports. The level of detail should be tailored to the audience. You also learned about techniques for getting your message across; for example, color coding and heat maps quickly show problem areas and pockets of risk.


Key Risk Indicators

Introduction

In this lesson, you will learn about the broad categories of metrics, which include risk indicators and performance indicators.

You will also learn how monitoring risk and performance indicators enables a bank to determine whether it is operating within its risk tolerance.


Key Risk Indicators

Introduction, continued

An effective risk monitoring program involves the right metrics. This section will cover the core definitions of key risk indicators, key performance indicators, and controls.

Pay particular attention to the types of measures that you can select, and get familiar with types of controls that effectively mitigate these categories of risk. Also, look for how the monitoring system fits into the risk appetite.


Key Risk Indicators

Terminology

Risk indicators are forward-looking in nature and can be managed before tolerance is exceeded.

Performance indicators describe activity that is already complete and cannot be undone. They are great for evaluation, but not for managing risk.

Control activities are the policies and procedures that help ensure that management’s directives are carried out.

Risk Indicators

Forward-looking

Reflect exposure

Can be measured

Ideally allow action to be taken

Performance Indicators

Measure past activity

Provide benchmarks on how well we did

Comparable to Service Level Agreements

Controls

Actions or processes in place to mitigate risks

Preventative and detective

Implicit in determining residual risk

Example: The board has indicated it has a low risk tolerance for wire transfer losses, and controls are in place, such as ensuring good funds are available and that funds for an outgoing wire are withdrawn from the sender’s account before the wire is sent. Yet you are made aware of a $5,000 loss because the funds used for the wire were not collected. Such issues must be promptly investigated and corrected to avoid a recurrence. This could be a training issue or point to a more serious problem.


Key Risk Indicators

Types of Measures

Listed here are several broad categories of metrics.

Click each category to view examples. Note that some examples are risk indicators and some are performance indicators.

Position limits (absolute size)

Net market value

Lending limit

Net foreign currency position

Potential exposure

Settlement limit

Value at risk limit

Relative size

Capital ratio

Concentration limit

Past due percentage guidelines/HUD compare ratio

Risk-adjusted return on capital (RAROC)

Time constraints

Maximum/minimum holding period

Maturity limit

Maximum past due aging

Retention period


Standards

Loan processing service level agreement (SLA)

Vendor application service provider (ASP) downtime maximum

Information security standards

Customer information protection standards

Compliance exception percentage guidelines

Policy exception guidelines


Key Risk Indicators

Connection to Risk Appetite and Tolerance Levels

As illustrated here, monitoring connects to risk appetite.

Start at the top with risk trait. This is what can lead to deviations from expectations.

Next is risk measure followed by limits—the two items included in a monitoring report. Note how this needs to be consistent with business line strategy and the attendant risk appetite component. This is a continual process.

Next, you will see some examples.


Key Risk Indicators

Key Risk Indicator Applications—Example 1

Take a look at an example of the continual process using a municipal trading desk. Start by looking at the appetite components.

Click Appetite Components to begin your review of this cycle.

Appetite components

The following four risk appetite components are applicable to this desk:

Price

Compliance

Operational

Strategic

Once you complete the cycle, you will return to these appetite components with insight into newly determined tolerances.

Categories

The following are categories of risk measures:

Absolute size

Potential exposure

Time constraint

Standards

From these categories, we select the specific measures that will find their way into a monitoring report.

Measures

Measures include the following:

Position size

Value at risk (VaR)

Holding periods


Municipal Securities Rulemaking Board (MSRB) reporting

Risk-adjusted return on capital (RAROC)

Underwriting metrics

Recall that measurement is ineffective without a limit to compare it to, so we need to establish limits.

Limits

Limits might include the following factors:

$XX million position limit

$YY thousand VaR

30 day holding limit

Report trades within 15 minutes

Investment quality standards

Strategy implications

Remember that monitoring is not stagnant, but changes with the business and environment—we need to consider strategy implications. For example:

Does potential loss of tax-exempt status, or reduced tax benefit, threaten the holding period?

Does the Basel III definition of public sector entity lower risk-adjusted return on capital (RAROC) or mandate a change to allowable inventory?

To respond to these changes, we may need to lower RAROC, or mandate change to allowable inventory. When you return to the appetite components, you may now have newly determined tolerances.


Key Risk Indicators

Key Risk Indicator Applications—Example 2

This second example uses a mortgage desk.

Start at the top with the five risk appetite components applicable to this desk: operational, compliance, price, credit, and strategic.

Next note the categories of risk measures: absolute size, potential exposure, time constraint, standards.

From these, we select the specific measures that will find their way into a monitoring report. The measures include pipeline size, Mortgage Servicing Rights stress value, secondary marketing performance, repurchase loans percent, warehouse age, and RAROC.

Measurement is ineffective without a limit to compare it to, so we establish limits. Limits here include: hedge coverage limits, repurchase loan percent, MSR/capital, delinquency rate, HUD compare ratio, and investor defect percentage.

Monitoring isn’t stagnant, but changes with the business and environment—we need to consider strategy implications. For example:

Does the BCFP definition of qualified mortgage change our customer base?

Does Basel III treatment of MSRs warrant change in valuation approach or MSR/capital limits?

This brings us back to the appetite, with our newly determined tolerances.


Key Risk Indicators

Key Risk Indicator Applications—Example 3

Our third example uses commercial lending.

Start at the top with the risk appetite components applicable to this desk. There are four: credit, compliance, operational, and strategic.

Next note the categories of risk measures: absolute size, potential exposure, time constraint, and standards.

From these, we select the specific measures that will find their way into a monitoring report. For example: position size, stress internal performance, and economic variables such as interest rates, housing price indexes, and unemployment.

Note we introduce outside economic factors here! This is an increasingly common practice in risk monitoring as we better understand the interconnectedness of financial institutions and economic trends.

Measurement is ineffective without a limit to compare it to, so we establish limits. Limits here include: $XX million total concentration, a __% required price hurdle, underwriting standards, and capacity under stress conditions.

Monitoring is not stagnant, but changes with the business and environment—we need to consider strategy implications. For example:

Does a potential commercial property bust threaten to erode collateral value?

Do regulatory changes to acquisition and development credits hurt return on capital?

Do these developments mandate change to concentration limits or tenors?

This brings us back to the appetite, with our newly determined tolerances.


Key Risk Indicators

Self Check Quiz

Capital ratio is an example of which broad category of metrics?

Select the correct answer and click Submit.

A) Position limits B) Potential exposure C) Relative size D) Time constraints

C is correct.

A, B, and D are incorrect because capital ratio is not an example of these broad metric categories.


Key Risk Indicators

Review

In this lesson, you learned about the broad categories of metrics, which include risk indicators and performance indicators. For example, two of the broad categories are position limits and potential exposure.

You also learned how monitoring risk and performance indicators enables a bank to determine whether it is operating within its risk tolerance.


Targeting Reports to the Audience

Introduction

In this lesson, you will learn about the level of monitoring detail to include for each audience.

You will also learn about follow-up needed for ERM deficiencies.


Targeting Reports to the Audience

Introduction, continued

In this section, we will discuss examples of what level of monitoring detail goes to which level of management.

Notice the emphasis we place on responding to monitoring reports.


Targeting Reports to the Audience

Reporting Operating Activities

Information generated in the course of operating activities is usually reported through normal channels to immediate superiors. This is a granular monitoring report. Such reports flow upstream or laterally in the organization, so that the filtered information ends up with those in authority who can and should act on it. Alternative communication channels should also exist for reporting sensitive information such as illegal or improper acts.

Goes to department manager and their second line function frequently, with significant detail.

First line should initiate the process.

Desk level metrics and limits can change as tactics change.


Targeting Reports to the Audience

Reporting ERM Deficiencies

Findings of enterprise risk management deficiencies usually should be reported not only to the individual responsible for the function or activity involved, but also to at least one level of management above that person. This higher level of management provides needed support or oversight for taking corrective action and is positioned to communicate with others in the organization whose activities may be affected. Where findings cut across organizational boundaries, the reporting should cross over as well and be directed to a sufficiently high level to ensure appropriate action. The ERM department plays a role in determining content for the board report and in compiling reports, but the first line should be the initiator of such reporting.

Goes to the executive leader and their second line function (ERM department). Done as changes occur or as tolerances are breached. Presented as heat maps, radial dials, or pithy tables.

First line should initiate the process.

Core metrics and limits should seldom change.


Targeting Reports to the Audience

ERM Deficiencies—Reporting is Not Enough

Providing needed information on enterprise risk management deficiencies to the right audience is critical. Protocols should be established to identify what information is needed at a particular level for effective decision-making. Such protocols should differ based on the level of authority.

Click each audience to learn more.

Managers: A manager should receive information that affects activity within their responsibility, as well as information needed to achieve specific objectives.

Senior managers: In the middle, senior managers should see reports showing risk management and control deficiencies affecting their units. Examples include circumstances where assets with a specified monetary value are not adequately protected, where the competence of employees is lacking, or where important financial reconciliations are not performed correctly. Managers should be informed of deficiencies in their units in increasing levels of detail as one moves down the organizational structure.

Executive officers and CEO: An executive officer normally wants to know of serious infractions of policies and procedures, including supporting information on matters that may have significant financial impacts or strategic implications, or that may affect the entity’s reputation. Documented protocols should establish: (1) which infractions need to be reported; (2) to whom they should be reported; and (3) how infractions were, or will be, resolved.


Targeting Reports to the Audience

ERM Deficiencies—Reporting is Not Enough, continued

Keep the following considerations in mind when addressing ERM deficiencies:

For risks large enough to warrant executive and board reporting, advising of a breach is not sufficient

Executives see too much information each day to prioritize alerts that they do not work with daily

Banks should have an escalation protocol mandating some form of follow-up, often by the second line

There will be instances where executives might not share a second line’s discomfort with an out of tolerance position—that is what the board is for


Targeting Reports to the Audience

Self Check Quiz

Which audience should receive information on matters that could have significant financial impacts or strategic implications or that could affect the entity’s reputation?

Select the correct answer and click Submit.

A) Managers B) Senior managers C) Executive officers including the CEO

C is correct.

A is incorrect because managers typically receive information that affects activity within their responsibility, as well as information needed to achieve specific objectives. B is incorrect because senior managers should see reports showing risk management and control deficiencies affecting their units.


Targeting Reports to the Audience

Review

In this lesson, you learned about the level of monitoring detail to include for each audience. Metrics for operating activities are usually reported through normal channels to immediate superiors. Core metrics and limits are reported to the individual responsible for the function or activity involved, and also to at least one level of management above that person.

You also learned about the follow-up needed for ERM deficiencies. Banks should have an escalation protocol mandating some form of follow-up, often by the second line.


Control Design and Effectiveness

Introduction

In this lesson, you will learn about the role of controls in risk monitoring.

You will also learn about the process for evaluating control effectiveness.


Control Design and Effectiveness

Introduction, continued

This section explains the role controls play in a risk monitoring environment, and provides a process for identifying and assessing controls.

Note: Complete Risk Management Control Frameworks in this Certificate Program for a deep dive into developing an effective control framework.


Control Design and Effectiveness

Role of Controls

The composition of residual risk is illustrated here, and is often reported at the executive and board levels. Evaluations of enterprise risk management vary in scope and frequency, depending on the significance of risks and importance of the risk responses and related controls in managing the risks. Higher-priority risk areas and responses tend to be evaluated more often.

Evaluation of the entirety of enterprise risk management—which generally will be needed less frequently than the assessment of specific parts—may be prompted by the following:

Major strategy or management change

Acquisitions or dispositions

Changes in economic or political conditions

Changes in operations

Changes in methods of processing information

Click Inherent Risk and Control Effectiveness to learn more about the role of controls.

Inherent risk: Measure of potential loss to a financial institution's earnings and capital absent controls, e.g. the size of a fraudulent wire absent validation controls. Measurement could be in dollar amount or in a relative risk score that maps to a dollar amount.

Control effectiveness: Measure of how much inherent risk is mitigated by controls. This measures both the design and the operating effectiveness of controls. For example, “Call back customer on large wires” may be a control that turns a high inherent risk on wires into a low residual risk. Keep in mind that if a control is NOT effective (e.g., control owners do not call the customer), then it does not mitigate inherent risk well.

Sidebar

Measuring residual risk is dependent on the effectiveness of your controls. The method used to calculate residual risk may differ depending on the bank.


Sidebar

Evaluations

When a decision is made to undertake a comprehensive evaluation of an entity’s enterprise risk management, attention should be directed to addressing its application in strategy setting as well as with respect to significant activities. The evaluation scope also will depend on which objectives categories—strategic, operations, reporting, and compliance—are to be addressed.


Control Design and Effectiveness

Evaluating Control Effectiveness

Often, evaluations take the form of self-assessments, where persons responsible for a particular unit or function determine the effectiveness of enterprise risk management for their activities. For example, the chief executive of a division directs the evaluation of its enterprise risk management activities. He or she personally assesses the risk management activities associated with strategic choices and high-level objectives as well as the internal environment component.

Individuals in charge of the division’s various operating activities assess the effectiveness of enterprise risk management components relative to their spheres of responsibility.

Click each step in the process for evaluating control effectiveness to learn more.

Risk and Control Library: A list of material risks and their attendant controls along with an evaluation of both. Risks are commonly evaluated as “high,” “moderate,” or “low.” Controls are commonly evaluated as “strong,” “satisfactory,” or “weak.” Ideally, high risks are mitigated with strong controls.

Risk and Control Self Assessment (RCSA): A process conducted by business line management and often facilitated by second line enterprise-wide risk experts. This process identifies material risks, maps controls to them, and evaluates the level of risk and the effectiveness of controls. It is best done when business lines start with their business objectives.

Control Effectiveness Testing: A discipline conducted by control owners, who are generally senior management in business lines. The discipline identifies important controls, checks documentation (digital or manual) showing that control steps are completed, and assesses whether the controls still mitigate the risks for which they were designed.

Self Identified Weakness Reporting: A process whereby control owners report controls that are no longer effective or no longer operating as designed. This reporting goes to a second line function and needs to be accompanied by a plan for correcting the weakness. Note that if control owners find no control weakness, they do not complete this or the next step.

Retest Control Effectiveness: For self-identified weaknesses, repeat the control effectiveness testing.
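The inherent risk and control effectiveness definitions under Role of Controls, and the library, testing and self-identified weakness steps just listed, carried through as a small risk and control library. This is an added example, not code from the course or the ABA. The course says the residual-risk method differs by bank, so the step-down table used here is an assumption, as are the sample library entries; the rating scales (high/moderate/low, strong/satisfactory/weak) are the course's own:

```python
"""Risk and control library: residual risk, library gaps, and self-identified weaknesses.

Constructed example. STEPS_DOWN (how far an operating control pulls inherent
risk down) and LIBRARY are assumptions made for the illustration. One rule is
taken directly from the course: a control that is not operating mitigates
nothing, however well it is designed.
"""
from dataclasses import dataclass
from typing import Dict, List

RISK_LEVELS = ["low", "moderate", "high"]
STEPS_DOWN: Dict[str, int] = {"strong": 2, "satisfactory": 1, "weak": 0}  # assumption


@dataclass
class ControlEntry:
    risk: str
    inherent: str      # high / moderate / low, rated in the RCSA
    control: str
    design: str        # strong / satisfactory / weak, design rating from the RCSA
    key: bool          # materiality flag: key / SOX controls are "more equal"
    test_passed: bool  # result of control effectiveness testing (evidence complete?)


def effective_rating(entry: ControlEntry) -> str:
    """The design rating only counts while the control is operating; a control that
    failed testing (e.g. owners do not call the customer) is treated as weak."""
    return entry.design if entry.test_passed else "weak"


def residual_risk(entry: ControlEntry) -> str:
    """Inherent risk reduced by the number of steps the operating control earns."""
    idx = RISK_LEVELS.index(entry.inherent)
    return RISK_LEVELS[max(0, idx - STEPS_DOWN[effective_rating(entry)])]


def library_gaps(entries: List[ControlEntry]) -> List[str]:
    """High inherent risks not covered by a strong, operating control."""
    return [e.risk for e in entries
            if e.inherent == "high" and effective_rating(e) != "strong"]


def self_identified_weaknesses(entries: List[ControlEntry]) -> List[Dict[str, object]]:
    """What a control owner must report to the second line, each with a remediation plan."""
    return [{"control": e.control, "risk": e.risk, "key_control": e.key,
             "residual": residual_risk(e), "plan_required": True}
            for e in entries if not e.test_passed]


# Constructed sample library (the wire examples echo the course's own illustrations).
LIBRARY: List[ControlEntry] = [
    ControlEntry("Fraudulent outgoing wire", "high",
                 "Call back customer on large wires", "strong", True, True),
    ControlEntry("Wire sent on uncollected funds", "high",
                 "Verify good funds before release", "strong", True, False),
    ControlEntry("Customer data exposure", "high",
                 "Information security standards", "satisfactory", True, True),
    ControlEntry("Policy exception volume", "moderate",
                 "Policy exception guidelines", "satisfactory", False, True),
]


if __name__ == "__main__":
    for e in LIBRARY:
        print(f"{e.risk:32s} inherent={e.inherent:8s} residual={residual_risk(e)}")
    print("gaps:", library_gaps(LIBRARY))
    print("to report:", self_identified_weaknesses(LIBRARY))
```

The second entry is the instructive one: a strongly designed control whose evidence failed testing leaves residual risk at high, and it is the only entry that reaches the self-identified weakness report.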


Sidebar

Line managers focus on operations and compliance objectives, and the divisional controller focuses on reporting objectives. The division’s assessments are then considered by senior management, along with evaluations of the company’s other divisions. Internal auditors normally perform evaluations as part of their regular duties, or at the specific request of senior management, the board, or subsidiary or divisional executives. Similarly, management may utilize input from external auditors in considering the effectiveness of enterprise risk management. A combination of efforts may be used in conducting whatever evaluative procedures management deems necessary.


Control Design and Effectiveness

Documenting Results of Control Testing

Different banks will have different monitoring standards, but they should all have the following components:

Describe the control in sufficient detail for an independent party to know what is being tested and how to know it has been tested

Establish some degree of materiality; the example below identifies “SOX” controls and “key” controls as “more equal” than other controls

Describe the documentation evidencing that the control is effective. Again, this needs to be done in sufficient detail for a third party to know the documentation is complete

Click the image to enlarge and view a sample log used to document the results of control testing.


Control Design and Effectiveness

True or False?

Evaluations of control effectiveness often take the form of self-assessments, where persons responsible for a particular unit or function determine the effectiveness of enterprise risk management for their activities.

Select the correct answer.

True False

The statement is true.


Control Design and Effectiveness

Review

In this lesson, you learned about the role of controls in risk monitoring. Effective controls mitigate inherent risk.

You also learned about the process for evaluating control effectiveness. For example, the risk and control library is a list of material risks and their attendant controls along with an evaluation of both.


Evaluating First Line Controls

Introduction

In this lesson, you will learn about the tools and documentation available for evaluating first line controls.

You will also learn about the sources of information for identifying deficiencies in a bank’s enterprise risk management program. In addition, you will learn about the control evaluation work done by first, second, and third lines of defense.


Evaluating First Line Controls

Introduction, continued

This section discusses what an evaluator needs to know about the bank’s activities, and the conclusions the evaluator needs to draw from that information.

Also covered are the groups within the bank that should perform the evaluation and the standards that define “credible challenge.”


Evaluating First Line Controls

The Evaluation Process

The evaluation process is a continual cycle of three components that together ensure control design works and controls are effective.

A variety of evaluation methodologies and tools are available, including checklists, questionnaires, and flowcharting techniques. As part of their evaluation methodology, some companies compare or benchmark their enterprise risk management process against those of other entities.

Evaluating enterprise risk management is a process in itself. While approaches or techniques vary, a discipline should be brought to the process, with certain basics inherent in it.

— COSO

Warning: When conducting comparisons, consider differences that always exist in objectives, facts, and circumstances. All enterprise risk management components, as well as the inherent limitations of enterprise risk management, need to be kept in mind.

Evaluation cycle diagram (labels only): Control Owner; Monitoring Certification; Control Testing; Risk and Control Self-Assessments.

Sidebar

An entity may, for example, measure its enterprise risk management against those companies with reputations for having particularly good enterprise risk management. Comparisons might be done directly with another company or under the auspices of trade or industry associations. Other organizations may provide comparative information, and peer review functions in some industries can help a company evaluate its enterprise risk management against its peers.


Evaluating First Line Controls

Documentation

The extent of documentation of an entity’s enterprise risk management varies with the entity’s size, complexity, and similar factors. Larger organizations usually have written policy manuals, formal organization charts, written job descriptions, operating instructions, information system flowcharts, and so forth. Smaller entities typically have considerably less documentation.

Many aspects of enterprise risk management are informal and undocumented, yet are regularly performed and highly effective. These activities may be tested in the same ways as documented activities. The fact that elements of enterprise risk management are not documented does not mean that they are not effective or that they cannot be evaluated. However, an appropriate level of documentation usually makes evaluations more effective and efficient.

Sidebar

The evaluator may decide to document the evaluation process itself. He or she usually will draw on existing documentation of the entity’s enterprise risk management. Typically, this will be supplemented with additional documentation, along with descriptions of the tests and analyses performed in the evaluation. Where management intends to make a statement to external parties regarding enterprise risk management effectiveness, it should consider developing and retaining documentation to support the statement. Such documentation may be useful if the statement subsequently is challenged.


Evaluating First Line Controls

Identifying Deficiencies

Deficiencies in a bank’s enterprise risk management program may surface from many sources, including the institution’s ongoing monitoring procedures, separate evaluations, and external parties.


Ongoing risk monitoring activities One of the best sources of information on enterprise risk management deficiencies is enterprise risk management itself. Ongoing monitoring activities of an enterprise, including managerial activities and everyday supervision of employees, generate insights from those who are directly involved in the entity’s activities. These insights are gained in real time and can provide quick identification of deficiencies.

Separate evaluations Other sources of deficiencies are the separate evaluations of enterprise risk management. Evaluations performed by management, internal auditors, or other functions can highlight areas in need of improvement.

External parties External parties frequently provide important information on the functioning of an entity’s enterprise risk management. These include customers, vendors and others doing business with the entity, external auditors, and regulators. Reports from external sources should be carefully considered for their implications for enterprise risk management, and appropriate corrective actions should be taken.

Sidebar

A deficiency is a condition within enterprise risk management worthy of attention that may represent a perceived, potential, or real shortcoming, or an opportunity to strengthen enterprise risk management to increase the likelihood that the entity’s objectives will be achieved.


Evaluating First Line Controls

Credibly Challenging the First Line

The first line has primary responsibility and accountability for designing and implementing controls and monitoring their effectiveness.

When evaluating the effectiveness of first line controls, take the following factors into consideration:

The first line has a potential conflict of interest, trading off revenue generation against risk-mitigating controls.

The second line has no such conflict and can provide effective, credible challenge to first line monitoring.

The second line does not bear the loss if controls prove ineffective, and so may lack urgency in testing first line control monitoring.

The third line follows the second line to ensure that its testing of the first line is sufficient.


Evaluating First Line Controls

Credibly Challenging the First Line, continued

Below are examples of the control evaluation work done by the first, second, and third lines of defense.

First line

Design control

Monitor effectiveness of controls

Self-identify weaknesses and correct

Second line

Review 1st line risk assessment

Facilitate 1st line self-assessments

Secure input from 2nd line risk monitoring functions

Third line

Check 1st line documentation of control monitoring

Determine if the scope of 2nd line testing provides reliable assurance

Evaluating First Line Controls

Self Check Quiz

Which line of defense has primary responsibility for designing and implementing controls and monitoring their effectiveness?

Select the correct answer.

A) First line
B) Second line
C) Third line
D) Fourth line

A is correct.

B is incorrect because the second line’s role is to provide effective challenge to monitoring effectiveness. C is incorrect because the third line’s role is to make sure the second line’s testing of control effectiveness is sufficient. D is incorrect because there is no fourth line of defense.


Evaluating First Line Controls

Review

In this lesson, you learned about the tools and documentation available for evaluating first line controls. For example, tools include checklists, questionnaires, and flowcharting techniques.

You also learned about the sources of information for identifying deficiencies in a bank’s enterprise risk management program. Sources of information include the institution’s ongoing monitoring procedures, separate evaluations, and external parties.

In addition, you learned about the control evaluation work done by first, second, and third lines of defense. For example, the third line of defense checks the first line’s documentation of control monitoring and determines if the scope of second line testing provides reliable assurance.


Wrap Up

Absent effective risk monitoring, the most sophisticated and detailed ERM program will fail. Financial institutions, indeed all companies, make profits by taking risks. Companies fail when they take risks outside of their tolerance.

Effective risk monitoring tells the appropriate people in a company when risk nears and exceeds tolerance.

By completing Risk Monitoring, you now know the standards for an effective risk monitoring program. You have examples of how to effectively communicate out-of-tolerance positions, what the responsibilities for enforcing a good monitoring program are, and how those responsibilities should be allocated.
