Thursday, February 21, 2019
Enterprise Risk Management
Enterprise / Operational Risk Management

IT Audit Manager, City National Bank atomic offspring 20 State Polytechnic University, Pomona

Enterprise Risk Management (ERM) is a relatively young discipline that focuses on identifying, analyzing, monitoring, and controlling all major risk classes (e.g., credit, market, liquidity, and operational risk classes). Operational risk management (ORM) is a subset of ERM that focuses on identifying, analyzing, monitoring, and controlling operational risk. The purpose of this paper is to explain what enterprise risk management is and how operational risk management fits into the ERM framework. In our conclusion, we discuss what is likely to happen in the ERM / ORM environment over the next 5 years.

Introduction

As the Internet has come of age, companies have been rethinking their business models, core strategies, and target customer bases. Getting wired offers businesses new opportunities, but it also brings new risks and uncertainty into the equation. Mismanagement of risk can carry an enormous cost. In recent years, business has experienced numerous, related risk reversals that have resulted in considerable financial loss, decrease in shareholder value, damage to company reputations, dismissals of senior management, and, in some cases, the very dissolution of the business. This increasingly risky environment, in which risk mismanagement can have dire consequences, mandates that management adopt a new, more proactive perspective on risk management.

What is Enterprise / Operational Risk Management?

Clearly, there is a correlation between effective risk management and a well-managed business. Over time, a business that cannot manage risk effectively will not prosper and, perhaps, will fail. A disastrous product recall could be the company's last.
Rogue traders lacking oversight and adequate controls have destroyed old, well-established institutions in a very short time. But, historically, risk management in even the most successful businesses has tended to be in "silos": the insurance risk, the technology risk, the financial risk, the environmental risk, all managed independently in separate compartments. Coordination of risk management has usually been non-existent, and identification of emerging risks has been sluggish. This paper espouses a recent concept, enterprise-wide risk management, in which the management of risks is integrated and coordinated across the entire organization. A culture of risk awareness is created. Companies across a wide cross-section of industries are beginning to implement this effective new methodology.

Enterprise / Operational Risk Management

At first glance, there is much similarity between operational risk management and other classes of risk (e.g., credit, market, liquidity risk, and so on) and the tools and techniques applied to them. In fact, the principles applied are nearly identical. Both ORM and ERM must identify, measure, mitigate and monitor risk. However, at a more detailed level, there are numerous differences, ranging from the risk classes themselves to the skills needed to work with operational risk. Operational risk management is just beginning to define the next phase of evolution of corporate risk management. Should firms be able to develop successful ORM programs, the next step will be for these firms to integrate ORM with all other classes of risks into truly enterprise-wide risk management frameworks.
See Exhibit 1 for an example of an ERM / ORM organizational structure representative of the banking industry.

Exhibit 1: ERM Organization Chart

- CEO
- Group Risk Managing Director (ERM)
- Economic Capital (Planning) & Risk Transfer
- Group Risk Executive Committee
- Change Program
- Credit Risk*
- Market Risk*
- Operational Risk (ORM)*
- Corporate Compliance
- IT Security and Business Continuity
- Corporate Risk Evaluation (Audit)

* Note: the major categories of risk to which financial services firms expose themselves are credit risk, market risk and operational risk. Not surprisingly, financial services firms' two largest risk concentrations, credit risk and market risk, are most effectively managed.

Why Enterprise / Operational Risk Management?

There are many reasons ERM / ORM functions are being established within corporations. Following are a few of the reasons these functions are being established.

Organizational Oversight

Two groups have recently emphasized the importance of risk management at the organization's highest levels. In October 1999, the National Association of Corporate Directors released its Report of the Blue Ribbon Commission on Audit Committees, which recommends that audit committees define and use timely, focused information that is responsive to important performance measures and to the key risks they oversee. The report states that the chair of the audit committee should develop an agenda that includes a periodic review of risk by each significant business unit. In January 2000, the Financial Executives Institute released the results of a survey on audit committee effectiveness. Respondents, primarily chief financial officers and corporate controllers, ranked key areas of business and financial risk as most important for audit committee oversight. In light of events surrounding recent corporate scandals (e.g., Enron, etc.), and the increasing executive and regulatory focus on risk management, the percentage of companies with formal ERM methods is increasing and audit committees are becoming more involved in corporate oversight. The UK and Canada have set forth specific legal requirements for audit committee oversight of risk evaluation, mitigation, and management which are widely accepted as best practices in the U.S.

Magnitude of Problem

The magnitude of loss and impact of operational risk and losses to date is difficult to ignore. Based on years of industry loss record-keeping from public sources, large operational risk-related financial services losses have averaged well in excess of $15 billion annually for the past 20 years, but this only reflects the large public and visible losses. Research has yielded nearly 100 individual relevant losses greater than $500 million each, and over 300 individual losses greater than $100 million each. [1] Exhibit 2 is a listing of major operational losses. Interestingly enough, the majority of these losses have occurred in financial services, which explains the industry's leading focus on operational risk management, especially in the area of asset-liability modeling and treasury management models to manage risks in the highly volatile capital markets activity of derivative trading and speculation.

[1] Hoffman, Douglas G., Managing Operational Risk (New York: John Wiley & Sons, 2002), p. xvi.

Exhibit 2: Top Operational Risk Losses

| Company | Loss Amount | Date | Description |
|---|---|---|---|
| Numerous Financial Institutions and Others | $20 million. Initial Estimates | 2001 | Terrorists hijacked four commercial airliners and crashed them into the World Trade Center. Over 2000 lives lost. Countless businesses impacted. |
| BCCI | $17 billion | 1991 | Regulators seized about 75 percent of The Bank of Credit and Commerce International's $17 billion in assets in a major fraud. |
| Sumitomo Corporation | $2.9 billion | 1996 | Sumitomo Corporation incurred huge losses through high-spirited trading of copper. |
| Tokyo Shinkin Bank | $2.3 billion | 1990-1991 | The manager of the Imasato branch forged 19 deposit certificates, which were used to raise money for stock deals. |
| Banca Nazionale del Lavoro | $1.8 billion | 1992 | Former employees pleaded guilty to conspiring to arrange $5 billion in unauthorized loans to Iraq. |
| Daiwa Bank | $1.1 billion | 1983-1995 | Loss due to unauthorized trading by an employee. |
| Barings | $1 billion | 1995 | This ruinous loss has become a benchmark for operational risk. Losses due to lack of dual control and checks and balances. |
| Non-Financial Institutions | | | |
| LTCM | $4 billion | 1998 | Considerable market losses due to poor model management and inadequate controls at Long Term Capital Management. |
| Texaco, Inc. | $3 billion | 1984 | Pennzoil sued Texaco alleging that Texaco wrongfully interfered in its merger deal with Getty. |
| Cendant Corporation | $2.9 billion | 1985-1998 | Largest and longest-running accounting fraud in history. Former executives conspired to inflate earnings. |
| Dow Corning | $2 billion | 1994 | The company agreed to pay settlements to 18 women who indicated breast implants made them ill. |
| St. Francis Assisi Foundation | $2 billion | 1999 | Insurance fraud case in which Martin Frankel allegedly stole as much as $2 billion from this foundation. |
| Metallgesellschaft | $1. billion | 1991-1993 | Loss due to liquidation of oil supply contracts. |
| Owens Corning Fiber Glass | $1.7 billion | 1980s-1990s | Settlement of asbestos-related claims. Largest people risk class case in financial history. |
| Orange County | $1.6 billion | 1994 | Largest investment loss ever registered by a municipality. |
| Atlantic Richfield | $1.5 billion | 1986-1990 | Settlement of North Slope oil royalties dispute with Alaska. |
| Kashima Oil | $1.5 billion | 1994 | Disguised losses on FX forward contracts. |
| Showa Shell | $1.5 billion | 1989-1993 | Major oil refiner in Japan faced losses from forward currency contracts. |
| Prudential Securities | $1.4 billion | 1994 | Settled charges of securities fraud with state and federal regulators. |
| Drexel Burnham Lambert | $1.3 billion | 1998-1993 | Former employees filed a class action suit charging the company with fraud, breach of duty and negligence. |
| General Motors | $1.2 billion | 1996 | Heavy losses suffered due to 3 strikes. |
| Phar Mor | $1.1 billion | 1992 | A former president of the firm defrauded in an embezzlement scheme. |

Exhibit 2. Source: Hoffman, Managing Operational Risk.

Increasing Business Risks

With the increasing speed of change for all companies in this new era, senior management must deal with many complex risks that have substantial consequences for the organization. A few forces currently creating uncertainty are:

- Technology and the Internet
- Increased worldwide competition
- Free trade and investment worldwide
- Complex financial instruments
- Deregulation of key industries
- Changes in organizational structures from downsizing, reengineering, and mergers
- Increasing customer expectations for products and services
- More and bigger mergers

Collectively, these forces are stimulating considerable change and creating an increasing risk in the business environment.

Regulatory

The international regulators clearly intend to encourage banks to develop their own proprietary risk measurement models to assess regulatory, as well as economic, capital. The advantage for banks should be a substantial reduction in regulatory capital, and a more accurate allocation of capital vis-à-vis the actual risk confronted. In December 2001, the Basel Committee on Banking Supervision submitted a paper, Sound Practices for the Management and Supervision of Operational Risk, for comment by the banking industry. In developing these sound practices the Committee recommended that banks have risk management systems in place to identify, measure, monitor and control operational risks.
While the guidance in this paper is intended to apply to internationally active banks, plans are to eventually apply this guidance to those banks deemed significant on the basis of size, complexity, or systemic importance and to smaller, less complex banks. Regulators will eventually conduct regular independent evaluations of a bank's strategies, policies, procedures and practices addressing operational risks. The paper indicates an independent evaluation of operational risk will incorporate a review of the following six bank areas: [2]

- Process for assessing overall capital adequacy for operational risk in relation to its risk profile and its internal capital targets;
- Risk management process and overall control environment effectiveness with respect to operational risk exposures;
- Systems for monitoring and reporting operational risk exposures and other data quality considerations;
- Procedures for timely and effective resolution of operational risk exposures and events;
- Process of internal controls, reviews and audit to ensure integrity of the overall risk management process; and
- Effectiveness of operational risk mitigation efforts.

[2] Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk (Basel, Switzerland: Basel Committee on Banking Supervision, 2001), p. 1.

Market Factors

Market factors also play an important role in motivating organizations to consider ERM / ORM. Comprehensive shareholder value management and ERM / ORM are very much linked. Today's financial markets place substantial premiums on consistently meeting earnings expectations. Not meeting expectations can result in severe and rapid decline in shareholder value. Research conducted by Tillinghast-Towers Perrin found that with all else being equal, organizations that achieved more consistent earnings than their peers were rewarded with materially higher market valuations. [3] Therefore, for corporate executives, managing key risks to earnings is an important element of shareholder value management.

[3] Tillinghast-Towers Perrin, Enterprise Risk Management: Trends and Emerging Practices (The Institute of Internal Auditors Research Foundation, 2001), p. xxvi.

The traditional view of risk management has often focused on property and liability related issues or internal controls. However, traditional risk events such as lawsuits and natural disasters may have little or no impact on destroying shareholder value compared to other strategic and operational exposures, such as customer demand shortfall, competitive pressures, and cost overruns. One explanation for this is that traditional risk hazards are relatively well understood and managed today, not that they don't matter. Managers now have the opportunity to apply tools and techniques for traditional risks to all risks that affect the strategic and financial objectives of the organization.

For non-publicly traded organizations, ERM / ORM is valuable for many of the same reasons. Rather than from the perspective of shareholder value, ERM / ORM would provide managers with a comprehensive overview of other important items such as cash flow risks or stakeholder risks. Regardless of the organizational form, ERM / ORM can be an important management tool.

Corporate Governance

Defense against operational risk and losses flows from the highest level of the organization: the board of directors and executive management. The board, the management team that they hire, and the policies that they develop, all set the tone for a company. As guardians of shareholder value, boards of directors must be acutely attuned to market reaction to negative news. In fact, they can find themselves castigated by the public if the reaction is severe enough. As representatives of the shareholders, boards of directors are responsible for policy matters relative to corporate governance, including but not limited to setting the stage for the framework and foundation for enterprise risk management.

Right now, operational risk management is a hot topic of discussion for regulators and in boardrooms across the US. In the wake of the 2001 releases from the Basel Risk Management Committee, banks now have further insight as to the regulatory position on the need for regulatory capital for operational risk. Meanwhile, shareholders are aware that there are ways to identify, measure, manage, and mitigate operational risk that add up to billions of dollars every year and include frequent, low-level losses and also infrequent but catastrophic losses that have actually wiped out firms, such as Barings, and others. Regulators and shareholders have already signaled that they will hold directors and executives accountable for managing operational risk.

Best-Practice

Senior managers need to encourage the development of integrated systems that aggregate various market, credit, liquidity, operational and other risks generated by business units in a consistent framework across the institution. Consistency may become a necessary condition to regulatory approval of internal risk management models. An environment where each business unit calculates its risk separately with different rules will not provide a meaningful oversight of firm-wide risk. The increasing complexity of products, linkages between markets, and potential benefits offered by overall portfolio effects are pushing organizations toward standardizing and integrating risk management.

Conclusion

It seems clear that ERM / ORM is more than another management fad or academic theory.
We believe that ERM / ORM will become part of the management process for organizations in the future. Had ERM / ORM processes been in place during the past two decades, a number of the operational risk debacles that took place may not have occurred or would have been of lesser magnitude. Companies are beginning to see the benefit of protecting themselves from all types of potential risk exposures. By identifying and mapping risk exposures throughout the organization, a company can concentrate on mitigating those exposures that can do the most damage. With an understanding of risks, their severity, and their frequency, a company can turn to solutions, be it retaining, transferring, sharing, or avoiding a particular risk.

Our thoughts on what will happen in the ERM / ORM environment in the next 5 years are:

In the next 5 years, it is likely that companies will no longer view risk management as a specialized and isolated activity: the management of insurance or foreign exchange risks, for instance. The new approach will keep managers and employees at all levels sensitized to and concerned about risk management. Risk management will be integrated with senior management oversight and everyone in the organization will view risk management as part of his or her job. The risk management process will be continuous and broadly focused. All business risks and opportunities will be covered.

In the next 5 years, the use of bottom-up risk assessments will be a standard process used to identify risks throughout the organization. The self-assessment process will involve everyone in the company and require individual units to focus and report on the threats to their individual business objectives. Through the self-assessment process, the organization will be able to understand loss potential and risk control by business, by profit center and by product.
The individual line manager will begin to understand the loss potential in his or her own processing system.

In the next 5 years, the use of top-down scenario analysis will be another standard method used to identify risks throughout the organization. Top-down scenario analysis will determine the risk potential for the entire firm, the entire business, organization, or portfolio of business. By its very nature, it is a high-level standard and cannot get into the bottom-up transaction-by-transaction risk analysis. For example, because Microsoft has a campus of more than 50 buildings in the Seattle area, earthquakes are a risk. [4] In the past, Microsoft looked at silos of risk. For example, they would have looked at property insurance when they considered the risks of an earthquake and thought about protecting equipment and buildings. However, using scenario analysis they are now taking a more holistic perspective in considering the risk of an earthquake. The Microsoft risk management group has analyzed this disaster scenario with its advisors and has attempted to quantify its real cost, taking into account how risks are correlated. In the process, the group identified risks in addition to property damage, such as the following:

- Director and officer liability if some people think management was not properly prepared.
- Key personnel risk.
- Capital market risk because of the firm's inability to trade.
- Worker compensation or employee benefit risk.
- Supplier risk for those in the area of the earthquake.
- Risk related to loss of market share because the business is interrupted.
- Research and development risks because those activities are interrupted and product delays occur.
- Product support risks because the company cannot respond to customer inquiries.

[4] Michel Crouhy, Dan Galai, and Robert Mark, Making Enterprise Risk Management Pay Off (New York: McGraw-Hill, 2001), pp. 132-133.
By using scenario analysis, management has identified a number of risks that it might not have otherwise, and Microsoft is now in a better position to manage these risks. The future ERM / ORM tools such as risk assessment and scenario analysis will assist companies in identifying and mitigating the majority of these risks.

In the next 5 years, companies will be using internal and external loss databases to capture occurrences that may cause losses to the company and the actual losses themselves. This data will be used in quantitative models that will project the potential losses from the various risk exposures. This data will be used to manage the amount of risk a company may be willing to take.

In the next 5 years, companies will allocate capital to individual business units based on operational risk. By linking operational risk capital charges to the sources of that risk, individuals with risk optimizing behavior will be rewarded and those without proper risk practices will be penalized.

In the next 5 years, internal audit will become even more focused on how risks are managed and controlled throughout the company on a continuous basis. Internal audit will be responsible for reporting on integrity, accuracy, and reasonableness of the company's entire risk management process. In addition, Internal Audit will be involved in ensuring the appropriateness of the company's capital assessment and allocation processes. Furthermore, audit will solve continual improvement of risk management and controls through the sharing of best practices.

In the next 5 years, management will be looking for individuals who are skilled in risk management. Professional designations such as the Bank Administration Institute's Certified Risk Professional (CRP) and the Information and Audit and Control Association's Certified Information Security Manager (CISM) will show proficiency in the risk management area and will be in demand.
In the next 5 years, external auditors will be required to report on the efficiency and effectiveness of a company's risk management program. These companies will be required to disclose the scope and nature of risk reporting and/or measurement systems in their annual reports.

Overall, companies will be better positioned in the next 5 years to deal with the broad scope of enterprise-wide risks. By implementing the ERM / ORM process now, companies will begin to maximize their overall risk profile for competitive advantage.

Bibliography

Barton, Thomas L.; Shenkir, William G.; Walker, Paul L. Making Enterprise Risk Management Pay Off. New Jersey: Financial Times / Prentice Hall, 2002.

Basel II Mandates a Nest Egg for Banks. US Banker. (July 1, 2002) 48. July 2002. http://web2.infotrac.galegroup.co

BITS. BITS Technology Risk Transfer Gap Analysis Tool. Washington, D.C.: BITS, 2002.

Bock, Jerome T., The Strategic Role of Economic Capital in Bank Management. Wimbledon, London: MidasKapiti International, 2000.

Business Banking Board. RAROC and Operating Risk. Washington, D.C.: Corporate Executive Board, 2001.

Business Banking Board. Risk Management Structure. Washington, D.C.: Corporate Executive Board, 2001.

Consultative Document: Operational Risk. 2001. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbsa07.pdf

Crouhy, Michel; Galai, Dan; Mark, Robert. Risk Management. New York: McGraw-Hill, 2001.

Elements of a Successful IT Risk Management Program. Gartner. (May 2002.) 9. July 2002. http://www.gartner.com/gc/webletter/bindview/issue1/ggarticle1.html

Ernst & Young, compound Risk Management Practices. Unpublished PowerPoint slides, Ernst & Young, 2000.

Hively, Kevin; Merkley, Brian W.; Miccolis, Jerry A. Enterprise Risk Management: Trends and Emerging Practices. Florida: The Institute of Internal Auditors Foundation, 2001.

Hoffman, Douglas G. Managing Operational Risk. New York: John Wiley & Sons, Inc., 2002.
In Brief: Ferguson Urges Investing in Risk Control. American Banker. (March 5, 2002) 1. July 2002. http://0proquest.umi.com.opac.library.csupomona.edu

James, Christopher, RAROC Based Capital Budgeting and Performance Evaluation: A Case Study of Bank Capital Allocation. Pennsylvania: The Wharton School, 1996.

Jameson, Rob; Walsh, John, The Leading Contenders, Risk Magazine, (November 2000). 6. July 2002. http://www.financewise.om/public/edit/riskm/oprisk/opr-soft00.htm

Insurance Industry (participating companies: Allianz, AXA, Chubb, Mitsui Sumitomo, Munich Re, Swiss Re, Tokio Marine and Fire, XL, Yasuda Fire and Marine and Zurich). Insurance of Operational Risk Under the New Basel Accord. Insurance Industry, 2001.

Lam, James, Top Ten Requirements for Operational Risk Management. Risk Management (November 2001) July 2002. http://0-proquest.umi.com.opac.library.csupomona.edu

Marks, Norman, The New Age of Internal Auditing. The Internal Auditor (December 2001) 5. July 2002. http://0-proquest.mi.com.opac.library.csupomona.ed

McNamee, David; Selim, George M. Risk Management: Changing the Internal Auditor's Paradigm. Florida: The Institute of Internal Auditors Research Foundation, 1998.

National Association of Financial Services Auditors. Enterprise Risk Management, National Association of Financial Services Auditors. Spring 2002. 12-13.

netForensics is a web site that discusses those regulations that govern information security in financial services, health care and government. http://www.netforensics.com/verticals.html

Ong, Michael. Why bother? Risk Magazine, (November 2000). 6. July 2002. http://www.financewise.com/public/edit/riskm/oprisk/oprcommentary00.htm

Practice Advisory 2100-3: Internal Audit's Role in the Risk Management Process. March 2001. The Institute of Internal Auditors. July 2002. http://www.theiia.org/ecm/guide-frame.cfm?doc_id=73

Santomero, Anthony M., Commercial Bank Risk Management: an Analysis of the Process. Pennsylvania: The Wharton School, 1997.

Sound Practices for the Management and Supervision of Operational Risk. 2002. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbs86.htm

The Financial Services Roundtable, Guiding Principles in Risk Management for U.S. Commercial Banks. Washington D.C.: The Financial Services Roundtable, 1999.

Verschoor, Curtis C. Audit Committee Briefing 2001: Facilitating New Audit Committee Responsibilities. Florida: The Institute of Internal Auditors, 2001.

Working Paper on the Regulatory Treatment of Operational Risk. 2001. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbs_wp8.pdf