Building a Modern Risk Management Department Seminar Financial Services Volunteer Corps (FSVC) January 19 – 22, 2009 Tripoli, Libya
Day One Period 9:50 to 11:00 AM
Core Objectives of Risk Management • Maintenance of solvency: constrain losses to within acceptable levels at all points through the economic cycle • Ensure risks are transparent and well understood, both internally and externally (owners must understand the risks they are investing in; government/regulators should understand important and systemic risks) • Ensure risks taken are consistent with organizational capability and risk appetite • Risk Management as a source of competitive advantage
The “Vicious Cycle” of Risk Take Uneconomic Risks Drive Growth Aggressively Incur Large Losses Clamp Down on Lending/Risk Taking Lose Market Share/Profits Forego Economic Risks
Some principles about banking and risk Since the future is uncertain, you can’t generate returns without taking risk: • Capital and expenses come first, and are certain – revenues come later (and are uncertain) • You can’t divorce the level of risk from the expected level of return: the higher the desired return, the more risk you must be willing to take • Half the time you can expect the mean return or more, and half the time the mean return or less • Diversification is necessary to lower the average total risk
Some principles about banking and risk (Cont.) • That said, banks need to be low-risk: • Society relies on the effective functioning of the banking system • The system is based on confidence and trust • The main source of funding in most countries is customer deposits • Banks are the main mechanism for domestic and international payments • Banks are the main vehicle for storing non-real estate wealth • In many countries banks raise most of the country’s external debt… • … hence the importance of reputation and confidence Reputation follows behavior; thus need to build and sustain trust
Some principles about banking and risk (Cont.) There is a finite limit to the level of risk a commercial bank can take • Fundamentally businesses depend on their ability to fund themselves and generate cash • Companies go bust when they run out of cash. They run out of cash when they are not viable economically, or lose confidence • Failure usually happens when you get the basics wrong, not the subtleties • The amount of risk that is acceptable is fundamentally determined by the need to raise funding (and, where applicable, to preserve credit ratings) • Banking is a cyclical business: • Leveraged to the economic cycle • High financial leverage • High operating leverage – fixed costs often approximate 50% of revenues • Average margins on assets and liabilities are often very low so financial risk tolerance must also be low, so high confidence levels are used in risk measurement
Some principles about banking and risk (Cont.) • To be successful banks must remain successful and viable at every point on the economic cycle. • If you take all the opportunities on the way up… • You get all the losses on the way down!
Some principles about banking and risk (Cont.) • Fundamentally the level of risk is determined by: • the decision to be in a business, • the extent to which you participate, • the capability and culture of the organization, and • the quality of the people you put in charge of the business • This governs 80% of the outcome • The balance is in how this is executed • Note: Culture is a dominant factor in risk outcomes, including incentives • Strong leadership from the top on risk matters is essential to ensure a strong “risk culture”
Components of an Effective Risk Management Process • Governance • Risk Identification • Risk Measurement • Risk Management: Policy and Process • Risk Reporting • Policy and Process Compliance (Internal Audit; Legal / External Audit; Regulatory Compliance; Supervisory Examinations; etc)
Some principles about banking and risk (Cont.) • History shows that banks periodically get it materially wrong (eg early 1990’s in USA, UK, Australia; Currently in the U.S., Europe and globally) • Until recently, advances in risk management (especially credit risk) have borne fruit • e.g. very few bank failures in the USA, UK and Europe during the economic downturn of 2001 - 2002 • But the current crisis has brought a lot of bank failures. Have the recent advances in risk management bred complacency, misguided quantification and modelling, or did they encourage inappropriate risk appetites?
The Risk Management and Control Framework defines the key elements necessary for effective risk management & control Organization and Culture • Organizational structure • Accountability • Authority levels • Staffing and capability • Ethics and integrity • Risk Management philosophy & culture • Risk limits Objective Setting • Strategic planning and budgeting process • Measurability and alignment of objectives • Communication and understanding of objectives Monitoring • Business performance monitoring • Risk measurement and analysis • Management control self-assessment • Independent evaluations Risk Assessment Process Information and Communication • Self-assessment planning • Risk (event) identification • Risk assessment • Risk response Ongoing Control Activities • Information infrastructure • Common reporting metrics • Information reports • Communication channels and methodologies • Business process controls • IT controls • Physical controls • Control documents – policies, procedures, standards and guides
Five criteria define excellence in risk management • Business areas take ownership, and risk management is an ingrained, actively managed process • External stakeholder expectations are met • We operate in a no-surprise environment • Each type of risk, and risk experience in the aggregate, is within our risk appetite • We know where we are
Risk philosophy guides development and action • Governance • Board Awareness – of risks and related strategies • Senior Management Accountability – for risks in their respective areas, within policy • Independent Risk Management – apart from the business areas and Audit • Decision-Making • Business Plan Integration – of risks and required mitigation strategies • Cost/Benefit Analysis – for consideration of alternate risk strategies and/or risk acceptance
Risk Philosophy (cont.) • Infrastructure • Explicit Capital Charge – to measure risk exposure and create incentives • Self-Assessment Performed by Each Business/Functional Area – following enterprise methodology • Loss Data – collected, quantified and reported by all business areas • Formalized Policies & Governance – document policies, procedures, and guidelines • Culture • Explicit Risk Performance Goals – define an acceptable level of risk appetite and performance measures • Transparency and Openness – sharing and reporting of risk exposures, weaknesses and events
Governance Elements Framework consists of: • Board oversight & involvement • Organizational structure • Independence of each of three functions • MIS and reporting • Culture
Risk Management Framework – Summary • A sound governance structure is essential for establishing an appropriate framework and implementing effective risk management • Banks have flexibility in creating organization structures so long as the required elements – and independence – are incorporated • The governance process should continuously monitor existing risk measurement and management processes (risk architecture) and development and implementation of a framework for newer risk types using sound project management and oversight methodologies
Board Board Risk &/or Audit Committee CEO etc. Internal Audit Business Head Chief Risk Official “Independent Risk” Management Line of Business Risk Management
“Independence” Hierarchy Constituencies Rating Agencies Capital Markets Debt & Equity Markets Other Stakeholders Owners R Government Board of Directors External Audit Regulatory Supervision Internal Audit “Independent Risk Management” Business Risk Management
Factors • Flawed risk decisions • Statistical • Judgmental • Extreme leverage • Mismatched book: Short finances long • Mismatched book: • Off-balance sheet assets & liabilities were actually on balance sheet liabilities • Sold risk participations circled back to seller upon default • Weak due-diligence (trust, but verify) • Lax regulation / Complacent regulation • Poor rating-agency performance • Moral hazards • Misguided macro-economics • Risk types misunderstood so not analyzed or analyzed by wrong skill sets Is it a Financial Crisis or an Economic Crisis – or both?
Libya • Small participant in the global economy • Vulnerable to oil price volatility (a significant factor in the global economy and in the current crisis) • But … • “Libyan Energy Fund to acquire minority stake in Italy's Eni and might push for representation on Eni’s board” (WSJ 12/8/08) • “Libyan Investment Authority has agreed to buy a large office building in the City of London” (FT – 12/10/08) • As Libya becomes more externally focused (and if it becomes more welcoming of internal investment and travel) it will become more subject to the global economy.