One way to help understand enterprise risk management is to use case studies. These can illustrate the issues faced in real organisations, and the causes of a range of risk management failures. It is, unfortunately, the failures that make up the majority of case studies. This is mainly because no-one ever hears about many successful risk management initiatives. If an investment banker fails to make increasingly desperate trades because it is impossible to hide any resulting losses in a hidden trading account, then the good design of the risk management protocols will attract little attention; however, the absence of such protocols and the bankruptcy of the banker's employer will make the news and can give valuable insights into how things should not be done.
The majority of the case studies here relate to financial institutions, since these are the ones that can be related most closely to the principles in this book. However, some non-financial examples are also included, since they highlight risk management issues that face all organisations, not just those in the financial services sector.
The information for this chapter is distilled from a number of books on the various episodes described. I recommend that you read these books, not only to understand risk management more fully but also because the stories are often compelling in themselves.
The 2008 Global Financial Crisis
The 2008 global financial crisis had repercussions that still persist. The problems in the United States housing market spread to the real estate market in Europe, and to the banks with exposures to this market. Governments bailed out banks, cut spending and borrowed heavily. As of 2016, interest rates around the world are still low, and sustained economic growth seems elusive.
The financial crisis was characterised by a lack of liquidity – particularly funding liquidity – and a corresponding fall in the creditworthiness of firms and governments. Whilst the popular view is that the crisis is the fault of ‘the bankers’, it is important to understand both the background to the crisis and the particular risk management failures that caused it.
Causes of the Crisis
The Role of China
A key role in the build-up to the crisis was played by China. Over the last few decades, the Chinese economy has grown very quickly. Much of this growth has been driven by exports to theWest.
Many of the approaches described in earlier chapters are used directly to quantify particular types of risk. These applications are described in this chapter, together with some specific extensions that can also be used to determine levels of risk. Since different risks can affect different types of institutions in different ways, several approaches are sometimes needed to deal with a single risk. The links between various risks and the implications for quantification are also discussed.
When quantifying particular risks, it is important that these risks are modelled consistently with each other. In particular, it is important that assets and liabilities are modelled together, so that their evolution can be mapped. This is the basic principle of asset-liability modelling.
As part of this process, it is also important to consider the level of assets and liabilities throughout the projection period, not just at the ultimate time horizon. If the modelling suggests that action should be taken at points within the projection time horizon, then the projection should be re-run taking these actions into account. This is known as dynamic solvency testing or dynamic financial analysis.
Market and Economic Risk
Characteristics of Financial Time Series
Before discussing the way in which market and economic risks can be modelled, it is worth considering some important characteristics of financial time series, particularly in relation to equity investments.
In spite of the assumptions in many models to the contrary, market returns are rarely independent and identically distributed. First, whilst there is little obvious evidence of serial correlation between returns, there is some evidence that returns tend to follow trends over shorter periods and to correct for excessive optimism and pessimism over longer periods. However, the prospect of such serial correlation is enough to encourage trading to neutralise the possibility of arbitrage. In other words, serial correlation does not exist to the extent that it is possible to make money from it – the expected return for an investment for any period is essentially independent from the return in the previous period, and for short periods is close to zero.
Whilst there is no apparent serial correlation in a series of raw returns, there is strong serial correlation in a series of absolute or squared returns: groups of large or small returns in absolute terms tend to occur together. This implies volatility clustering.
Whilst ERM can be applied to any organisation, this book focusses on financial institutions, concentrating on the following four broad categories of organisation:
• insurance companies;
• pension schemes; and
• foundations and endowments.
There is, of course, an enormous range of financial institutions, many of which are not covered in as much detail as those above. For example, investment (or asset) managers are an important feature of the financial landscape. However, their involvement with financial markets does not involve taking significant balance sheet risk in relation to the investment decisions made; rather, investment managers are responsible for investing assets on behalf of institutions and individuals. As such, their main role is as agent. A similar argument can be made for brokers, whose aim is typically to act on behalf of clients when trading securities.
It is also important to note that there are links between the four institutions listed above. Insurance companies will frequently sell policies to pension schemes, sometimes even taking on all liability for pension scheme members. Furthermore, banks will have both insurance companies and pension schemes as clients.
Before looking at the risks that these four organisations face, it is important to understand their nature. By looking at the business that they conduct and the various relationships they have, the ways in which they are affected by risk can be appreciated more fully. This is the first – and broadest – aspect of the context within which the risk management process is carried out.
A direct line can be drawn to current commercial banks from the merchant banks that originated in Italy in the twelfth century. These organisations provided a way for businessmen to invest their accumulated wealth: bankers lent their own money to merchants, occasionally supplemented by additional funds that they had themselves borrowed. The provision of funds to commercial enterprises remains a core business of commercial banks today.
By the thirteenth century, bankers from Lombardy in Italy were also operating in London. However, a series of bankruptcies resulted in the Lombard bankers leaving the United Kingdom towards the end of the sixteenth century, at which point they were replaced by Tudor and Stuart goldsmiths. These goldsmiths had moved away from their traditional business of fashioning items from gold, starting instead to take custody of customers’ gold for safekeeping.
When managing risks, it is important to be aware of the range of risks that an institution might face. The particular risks faced will differ from firm to firm, and new risks will develop over time. This means that no list of risks can be exhaustive.
It is possible to describe the main categories of risk, and the ways in which these risks affect different types of organisation. However, even this is not without risks. Risks can be categorised in any number of different ways, and the definitions given below are not the only ‘right’ ones. It is more important that the taxonomy used in any institution is itself internally consistent, and that this taxonomy is widely understood and agreed within the institution.
Market and Economic Risk
Market risk is the risk inherent from exposure to capital markets. This can relate directly to the financial instruments held on the assets side (equities, bonds and so on) and also to the effect of these changes to the valuation of liabilities (long-term interest rates and their effect on life insurance and pensions liabilities being an obvious example). Closely related to market risks are economic risks, such as price and salary inflation. Whilst these risks often affect different aspects of financial institutions – market risk tends to affect the assets and financial risk the liabilities – there is some overlap and both can be modelled in a similar way.
Banks face market risk in particular in two main areas. The first is in relation to the marketable securities held by a bank, where a relatively straightforward asset model will suffice; however, this risk must be assessed in conjunction with market risk relating to positions in various complex instruments to which many banks are counter-parties. It is important both to include all of the positions but also to ensure that any offsetting positions between different risks (for example, long and short positions in similar instruments) is allowed for.
Market risk for non-life insurance companies again relates to the portfolios of marketable assets held, but may also be related to assumptions used for claims inflation. The extent to which this is true will depend on the class of insurance, as in many cases claims inflation will be driven by idiosyncratic factors such as medical expense growth.
Having not only identified and analysed risks but also compared the risks faced with the stated risk appetite, the next stage is to respond to those risks. The responses to risk are generally placed into one of four categories:
• transfer; or
There is little point in trying to fit every potential risk response into one of these categories, since there is often ambiguity about where a particular treatment belongs. The main purpose of detailing these four groups is to ensure that all potential responses are considered in relation to a risk as it arises.
Risk reduction involves taking active steps to limit the impact of a risk occurring. This group of risks includes approaches such as diversification. Diversification involves combining a risk with other uncorrelated risks, or at least with one or more risks whose correlation with the original risk is less than one. At the extreme, it can involve taking on risks which have a high negative correlation with the original risk faced, in which case it becomes hedging rather than just risk reduction. Whilst this approach is most obviously connected to investments, it can also relate to the choice of projects on which a firm embarks. Risk reduction can also involve the creation of more robust systems and processes, in order to reduce the chance of a risk emerging, or to limit the impact of a risk if it does emerge.
Removing a risk means ensuring that an institution is no longer exposed to that risk at all. To achieve this, a firm can choose to avoid a project or an investment altogether, or can decide to achieve its aims differently. For example, a firm concerned about counter-party risk from over-the-counter OTC swaps could instead use exchange traded derivatives.
Risk transfer is a key response to risk. It involves, as the name suggests, transferring the consequences of a risk event to another party. Two important categories are non-capital market and capital market risk transfer.
The external risk management environment refers to everything that can affect the risks faced by an institution and the way those risks are managed. These factors are not uniform, and vary by industry and geographical location. Even within a particular industry in a particular country, different types of firms might find themselves in different environments. Small firms might be treated differently from large ones, and privately held ones will certainly be treated differently from publicly quoted ones. The list of potential firm-specific factors is extensive – but the important point here is that it is not sufficient simply to look at the industry and location and decide that all firms will be treated the same; rather, it is important every time to consider the nature of the firm and how this affects the external context.
Since it was established in the previous chapter that the number of internal stakeholders was small, it follows that the number of external stakeholders that might exist is large. All principals except the owner-managers are external to the institutions. This means that the other holders of bank and insurance company debt and equity are external, as are pension scheme sponsors; all customers, policyholders, pensioners and other beneficiaries are external; and clearly the government, the markets and any statutory insurance arrangements are external.
By contrast, the agents are generally the insiders. This is particularly true for banks and insurance companies, where only trade unions and external auditors can be considered external; however, for pension schemes, foundations and endowments, where more facilities are likely to be outsourced, then functions such as investment management and benefit administration are also frequently external.
Professional and industry bodies and regulators are also external to the organisations considered here, and both have an important impact on the environment in which they operate. In particular, professional bodies and regulators have an impact on the way in which individuals within organisations must behave, whereas industry bodies and regulators influence the way in which the organisations themselves act.
Advisers to financial organisations also contribute to the environment in which those organisations operate. To a large extent this is through the context of the regulatory and professional regime in place; however, it can also be more broadly about the way in which various types of advisers have developed in a particular region or industry, or in relation to particular types of firm.
The calculation of economic capital brings together many of the principles discussed throughout this book, covering risk measures and aggregation in particular detail. The issue of economic capital is also important to a number of departments within a financial organisation. One way to see the extent to which this is true is to consider why economic capital might be calculated. However, it is important first to understand exactly what economic capital is.
Definition of Economic Capital
There are a number of ways that economic capital can be defined, but most definitions contain three similar themes:
• they refer to additional assets or cash flows to cover unexpected events;
• they refer to an amount needed to cover these unexpected events to a specified measure of risk tolerance, with risk being measured in some way; and
• they consider the risk over a specified time horizon.
A common definition of economic capital is the additional value of funds needed to cover potential outgoings, falls in asset values and rises in liabilities at some given risk tolerance over a specified time horizon. It can also be defined as the funds needed to maintain a particular level of solvency (ratio of assets to liabilities) or the excess of assets over liabilities, again at some given risk tolerance over a specified time horizon.
Risk tolerance can also have a number of meanings, referring to a percentile of the results, a value of loss or the result of some other key indicator.
Economic Capital Models
Economic capital is calculated using an economic capital model. This is used to create simulations of the future financial state of an institution so that the range of potential outcomes can be analysed. These outcomes are then used in the calculation of some measure of risk that allows for an assessment of the level of capital that should be held, given a pre-specified risk tolerance and time horizon.
Economic capital models can be internal or generic. Each type is discussed below.
Internal Capital Model
An internal capital model allows a firm to determine how much capital it should hold to protect it against adverse events. It not only gives a better understanding of the financial implications of the current strategy, but also allows the implications of any potential change in strategy to be assessed.
Once the context within which risks are being analysed is clear, and a full risk taxonomy available, it is time to start identifying risks. The point of the risk identification process is to decide which of the many risks that might affect an organisation currently do so, or may do so in future. Part of the risk identification process also involves determining the way in which risks will then be analysed, in particular whether a qualitative or quantitative approach will be used. These, and other factors, are included in a risk register, discussed in Section 8.5.
Risk identification should be done as part of a well-defined process. This ensures not only that as many risks as possible are identified, but also that they are properly recorded.
There are four broad areas to risk identification. The first concerns the tools that can be used, whilst the second concerns the ways in which the tools are employed. Identification also includes an initial assessment of the nature of the risk, and also the way in which the risk is recorded. Each of these aspects is discussed in turn.
Risk Identification Tools
In this section, a range of potential risk identification tools is discussed. These can generally be used in a number of ways and simply describe the starting point for the generation of ideas. Some common tools are described below.
SWOT – standing for strengths, weaknesses, opportunities and threats – analysis is one of the best known techniques for strategy development. However, it can also be used to identify risks. Having said this, its scope is much broader, covering not just the negative aspects of the risks but the positive prospects for future strategies.
Strengths and weaknesses are internal to the organisation whilst opportunities and threats are external. In this way, SWOT analysis ensures that both the internal and external risk management contexts of an organisation are considered.
It is important to recognise what constitutes a strength or a weakness. In particular, strengths only matter if they can be used to take advantage of an opportunity or to counter a weakness; conversely, weaknesses are important only if they result in exposure to a threat.
Some broad categories for SWOT analysis are given in Table 8.1.
I found myself writing the first edition of this book during a time of crisis for financial institutions around the world. The global financial crisis was under way, and it was clear that poor risk management had played a part – both within firms and on a macro-economic scale. As a result, regulations were strengthened. For banks, Basel III was introduced. This brought capital requirements that were stronger yet more flexible, and a new focus on liquidity. For insurance companies, planning for a new regulatory regime was already well underway. However, the financial crisis meant that Solvency II included measures to provide some protection for insurance companies from capital market volatility.
In the years since the crisis, the stability of financial institutions has largely been maintained. However, we are still in a time of enormous uncertainty. With interest rates reaching new lows around the world, the efficacy of monetary policy is now being questioned. And from a local perspective, the decision of the United Kingdom to leave the European Union could have global implications, both economic and political, even if the nature of these implications remains to be seen.
On a smaller scale, the issue of cyber risk is of growing importance. Hackers seem regularly able to gain access to supposedly secure account information through attacks on firms’ IT systems. Individuals are also at risk from phishing emails, which can lead them to infect their computers with malware, or even to hand over personal data explicitly. These and other forms of cyber risk are causing ever growing losses for individuals and for financial institutions.
But risk management techniques are also developing. For example, Bayesian approaches are being used increasingly to model complex networks of risks, even extending to the calculation of capital requirements.
In this second edition, I have tried to address these changes as well as updating the book more generally. I have also added questions at the end of each chapter, to try to help understanding of the various topics covered. More questions can be found at http://www.paulsweeting.com; a QR code for this site is given at the end of this preface.
Despite these changes, the principle behind the way in which these risks should be approached remains the same – in particular, all risks should be considered together.
The previous chapters have outlined the stages that comprise a risk management process. However, as well as following these stages a number of activities should be carried out on a continuous basis. These can be summarised as:
• communication; and
Documentation refers to the process by which all aspects of the risk management process are recorded, whilst communication refers to collation and circulation of information, both within an organisation and between that organisation and outside agencies. The final process, audit, covers the ongoing validation of the risk management process.
Whilst the scope of documentation and audit are relatively straightforward, communication covers a wide range of overlapping areas. The systems used to keep track of information could be described as monitoring, whilst the circulation of key items of risk information is also referred to as reporting. However, rather than try to separate these items arbitrarily, they are included in the same section.
Risk registers and their roles in the identification of risk have already been discussed in Chapter 8. However, it is important to document the risk management process much more broadly. This means that the reasoning behind the process as a whole should be documented. However, there should also be adequate documentation of all decisions taken, and the reasons for those decisions.
The development of all systems should also be documented in detail, so that any future development can be carried out more easily. This is also true for financial models, the assumptions that they use and the data employed in calculations. As well as recording this information, the reasons for the choices made should also be clearly set out.
Finally, information on risk management failures should also be recorded in a risk incident log. This should refer to the nature of the failure and the financial implication. Information on whether it was caused by a failure to follow process or despite the controls that were in place should also be recorded. This is partly to help assess the effectiveness of the risk management process, but also to inform future developments.
Not absolutely every detail can be recorded, but there should be sufficient information to understand the background to any decisions made.
Definitions and Concepts of Risk
The word ‘risk’ has a number of meanings, and it is important to avoid ambiguity when risk is referred to. One concept of risk is uncertainty over the range of possible outcomes. However, in many cases uncertainty is a rather crude measure of risk, and it is important to distinguish between upside and downside risks.
Risk can also mean the quantifiable probability associated with a particular outcome or range of outcomes; conversely, it can refer to the unquantifiable possibility of gains or losses associated with different future events, or even just the possibility of adverse outcomes.
Rather than the probability of a particular outcome, it can also refer to the likely severity of a loss, given that a loss occurs. When multiplied, the probability and the severity give the expected value of a loss.
A similar meaning of risk is exposure to loss, in effect the maximum loss that could be suffered. This could be regarded as the maximum possible severity, although the two are not necessarily equal. For example, in buildings insurance, the exposure is the cost of clearing the site of a destroyed house and building a replacement; however, the severity might be equivalent only to the cost of repairing the roof.
Risk can also refer to the problems and opportunities that arise as a result of an outcome not being as expected. In this case, it is the event itself rather than the likelihood of the event that is the subject of the discussion. Similarly, risk can refer to the negative impact of an adverse event.
Risks can also be divided into whether or not they depend on future uncertain events, on past events that have yet to be assessed or on past events that have already been assessed. There is even the risk that another risk has not yet been identified.
When dealing with risks it is important to consider the time horizon over which they occur, in terms of the period during which an organisation is exposed to a particular risk, or the way in which a risk is likely to change over time. The link between one risk and others is also important. In particular, it is crucial to recognise the extent to which any risk involves a concentration with or can act as a diversifier to other risks.
The nature of an organisation is important to the risk management context. However, none is a simple, featureless institution; nor does any operate in a vacuum. The nature of each organisation and what surrounds it influences its operation fundamentally.
Understanding the internal environment is crucial for understanding the way in which risk management should be approached. An analysis of the various aspects of an organisation's internal risk environment helps risk managers within an organisation to appreciate what they need to do to carry out their roles effectively. It also helps external analysts to determine the risks that an organisation is taking – even if the organisation itself does not appreciate these risks
The only internal stakeholders that have a principal relationship with an organisation are owner-managers – all other internal stakeholders are agents, acting on behalf of an organisation's shareholders, customers, clients and so on. Their views of risk form an important aspect of the risk management environment, and they are discussed together with external stakeholders in Chapter 5. However, as well as their individual views of risk, the ways in which they interact are an important determinant of the way in which organisations behave. At the head of a firm, this means the board of directors. This group includes executive directors who have a day-to-day role in managing the firm and who are led by the chief executive, and non-executives who are responsible for representing the interests of shareholders. The board of directors is led by the chairman.
The executive directors delegate much of the running of the firm to managers, and ultimately to employees. Depending on the industry, the employees may be represented to a greater or lesser extent by trade unions. This, too, will affect the internal environment of the firm.
There are also issues for pension schemes through the structure of trustee bodies. The inclusion of member-nominated trustees can lead to a better reflection of the interests of members, whilst trustee boards dominated by employer-nominated trustees can at times give too great an emphasis to the interests of the sponsor. Using independent trustees can add valuable expertise to the trustee group. The trustees of endowments and foundations are similarly affected.
Email your librarian or administrator to recommend adding this to your organisation's collection.