Friday, May 17, 2019
Enterprise Risk Management
Enterprise / Operational Risk Management

IT Audit Manager, City National Bank
California State Polytechnic University, Pomona

Enterprise risk management (ERM) is a comparatively new discipline that focuses on identifying, analyzing, monitoring, and controlling all major risk classes (e.g., credit, market, liquidity, operational risk classes). Operational risk management (ORM) is a subset of ERM that focuses on identifying, analyzing, monitoring, and controlling operational risk. The purpose of this paper is to explain what enterprise risk management is and how operational risk management fits into the ERM framework. In our conclusion, we discuss what is likely to happen in the ERM / ORM environment over the next 5 years.

Introduction

As the Internet has come of age, companies have been rethinking their business models, core strategies, and target customer bases. Getting wired provides businesses with new opportunities, but brings new risks and uncertainty into the equation. Mismanagement of risk can carry an enormous cost. In recent years, business has experienced numerous risk-related reversals that have resulted in considerable financial loss, decrease in shareholder value, damage to company reputations, dismissals of senior management, and, in some cases, the very dissolution of the business. This increasingly risky environment, in which risk mismanagement can have dire consequences, mandates that management adopt a new, more proactive perspective on risk management.

What is Enterprise / Operational Risk Management?

Clearly, there is a correlation between efficient risk management and a well-managed business. Over time, a business that cannot manage risk effectively will not prosper and, perhaps, fail. A disastrous product recall could be the company's last.
Rogue traders lacking oversight and adequate controls have destroyed old, well-established institutions in a very short time. But, historically, risk management in even the most successful businesses has tended to be in silos: the insurance risk, the technology risk, the financial risk, the environmental risk, all managed independently in separate compartments. Coordination of risk management has usually been non-existent, and identification of emerging risks has been sluggish. This paper espouses a recent concept, enterprise-wide risk management, in which the management of risks is interconnected and coordinated across the entire organization. A culture of risk awareness is created. Companies across a wide cross-section of industries are beginning to implement this effective new methodology.

Enterprise / Operational Risk Management

At first glance, there is much similarity between operational risk management and other classes of risk (e.g., credit, market, liquidity risk, etc.) and the tools and techniques applied to them. In fact, the principles applied are nearly identical. Both ORM and ERM must identify, measure, mitigate and monitor risk. However, at a more detailed level, there are numerous differences, ranging from the risk classes themselves to the skills needed to work with operational risk. Operational risk management is just beginning to define the next phase of evolution of corporate risk management. Should firms be able to develop successful ORM programs, the next step will be for these firms to integrate ORM with all other classes of risks into truly enterprise-wide risk management frameworks.
See Exhibit 1 for an example of an ERM / ORM organizational structure representative of the banking industry.

[Exhibit 1: ERM Organization Chart. CEO; Group Risk Director (ERM); Economic Capital (Planning) & Risk Transfer; Group Risk Executive Committee; Change Program; Credit Risk*; Market Risk*; Operational Risk (ORM)*; Corporate Compliance; IT Security and Business Continuity; Corporate Risk Evaluation (Audit)]

* Note: the major categories of risk to which financial services firms expose themselves are credit risk, market risk and operational risk. Not surprisingly, financial services firms' largest risk concentrations, credit risk and market risk, are most effectively managed.

Why Enterprise / Operational Risk Management?

There are many reasons ERM / ORM functions are being established within corporations. Following are a few of the reasons these functions are being established.

Organizational Oversight

Two groups have recently emphasized the importance of risk management at the organization's highest levels. In October 1999, the National Association of Corporate Directors released its Report of the Blue Ribbon Commission on Audit Committees, which recommends that audit committees "define and use timely, focused information that is responsive to important performance measures and to the key risks they oversee." The report states that the chair of the audit committee should develop an agenda that includes "a periodic review of risk by each significant business unit." In January 2000, the Financial Executives Institute released the results of a survey on audit committee effectiveness. Respondents, primarily chief financial officers and corporate controllers, ranked "key areas of business and financial risk" as most important for audit committee oversight. In light of events surrounding recent corporate scandals (e.g., Enron, etc.), and the increasing executive and regulatory focus on risk management, the percentage of companies with prescribed ERM methods is increasing and audit committees are becoming more involved in corporate oversight. The UK and Canada have set forth specific legal requirements for audit committee oversight of risk evaluation, mitigation, and management, which are widely accepted as best practices in the U.S.

Magnitude of Problem

The magnitude of difference and impact of operational risk and losses to date is difficult to ignore. Based on years of industry loss record-keeping from customary sources, large operational risk-related financial services losses have averaged well in excess of $15 billion annually for the past 20 years, but this only reflects the large public and visible losses. Research has yielded nearly 100 individual relevant losses greater than $500 million each, and over three hundred individual losses greater than $100 million each. [1] Exhibit 2 is a listing of major operational losses. Interestingly enough, the majority of these losses have occurred in financial services, which explains the industry's leading focus on operational risk management, especially in the area of asset-liability modeling and treasury management models to manage risks in the highly volatile capital markets activity of derivative trading and speculation. The

[1] Hoffman, Douglas G., Managing Operational Risk (New York: John Wiley & Sons, 2002), p. xvi.

Top Operational Risk Losses

Company | Loss Amount | Date | Description
Numerous Financial Institutions and Others | $20 million. Initial Estimates | 2001 | Terrorists hijacked four commercial airliners and crashed them into the World Trade Center. Over 2000 lives lost. Countless businesses impacted.
BCCI | $17 billion | 1991 | Regulators seized about 75 percent of The Bank of Credit and Commerce International's $17 billion in assets in a major fraud.
Sumitomo Corporation | $2.9 billion | 1996 | Sumitomo Corporation incurred huge losses through excessive trading of copper.
Tokyo Shinkin Bank | $2.3 billion | 1990-1991 | The manager of the Imasato branch forged 19 deposit certificates, which were used to raise money for stock deals.
Banca Nazionale del Lavoro | $1.8 billion | 1992 | Agent employees pleaded guilty to conspiring to arrange $5 billion in unauthorized loans to Iraq.
Daiwa Bank | $1.1 billion | 1983-1995 | Loss due to unauthorized trading by an employee.
Barings | $1 billion | 1995 | This catastrophic loss has become a benchmark for operational risk. Losses attributable to lack of dual control and checks and balances.
Non-Financial Institutions
LTCM | $4 billion | 1998 | Huge market losses due to inadequate model management and inadequate controls at Long Term Capital Management.
Texaco, Inc. | $3 billion | 1984 | Pennzoil sued Texaco alleging that Texaco wrongfully interfered in its merger deal with Getty.
Cendant Corporation | $2.9 billion | 1985-1998 | Largest and longest-running accounting fraud in history. Former executives conspired to inflate earnings.
Dow Corning | $2 billion | 1994 | The company agreed to pay settlements to 18 women who indicated breast implants made them ill.
St. Francis Assisi Foundation | $2 billion | 1999 | Insurance fraud case in which Martin Frankel allegedly stole as much as $2 billion from this foundation.
Metallgesellschaft | $1. billion | 1991-1993 | Loss due to liquidation of oil supply contracts.
Owens Corning Fiberglass | $1.7 billion | 1980s-1990s | Settlement of asbestos-related claims. Largest people risk class case in financial history.
Orange County | $1.6 billion | 1994 | Largest investment loss ever registered by a municipality.
Atlantic Richfield | $1.5 billion | 1986-1990 | Settlement of North Slope oil royalties dispute with Alaska.
Kashima Oil | $1.5 billion | 1994 | Disguised losses on FX forward contracts.
Showa Shell | $1.5 billion | 1989-1993 | Major oil refiner in Japan faced losses from forward currency contracts.
Prudential Securities | $1.4 billion | 1994 | Settled charges of securities fraud with state and federal regulators.
Drexel Burnham Lambert | $1.3 billion | 1998-1993 | Former employees filed a class action suit charging the company with fraud, breach of duty and negligence.
General Motors | $1.2 billion | 1996 | Heavy losses suffered due to 3 strikes.
Phar Mor | $1.1 billion | 1992 | A former president of the firm defrauded in an embezzlement scheme.

Exhibit 2. Source: Hoffman, Managing Operational Risk

Increasing Business Risks

With the increasing speed of change for all companies in this new era, senior management must deal with many complex risks that have significant consequences for the organization. A few forces currently creating uncertainty are: technology and the Internet; increased worldwide competition; freer trade and investment worldwide; complex financial instruments; deregulation of key industries; changes in organizational structures from downsizing, reengineering, and mergers; increasing customer expectations for products and services; and more and larger mergers. Collectively, these forces are stimulating considerable change and creating an increasing risk in the business environment.

Regulatory

The international regulators clearly intend to encourage banks to develop their own proprietary risk measurement models to assess regulatory, as well as economic, capital. The advantage for banks should be a substantial reduction in regulatory capital, and a more accurate allocation of capital vis-a-vis the certain risk confronted. In December 2001, the Basel Committee on Banking Supervision submitted a paper, "Sound Practices for the Management and Supervision of Operational Risk," for comment by the banking industry. In developing these sound practices, the Committee recommended that banks have risk management systems in place to identify, measure, monitor and control operational risks.
While the guidance in this paper is intended to apply to internationally active banks, plans are to eventually apply this guidance to those banks deemed significant on the basis of size, complexity, or systemic importance and to smaller, less complex banks. Regulators will eventually conduct regular independent evaluations of a bank's strategies, policies, procedures and practices addressing operational risks. The paper indicates an independent evaluation of operational risk will incorporate a review of the following six bank areas: [2] the process for assessing overall capital adequacy for operational risk in relation to its risk profile and its internal capital targets; risk management process and overall control environment effectiveness with respect to operational risk exposures; systems for monitoring and reporting operational risk exposures and other data quality considerations; procedures for timely and effective resolution of operational risk exposures and events; process of internal controls, reviews and audit to ensure integrity of the overall risk management process; and effectiveness of operational risk mitigation efforts.

[2] Basel Committee on Banking Supervision, Sound Practices for the Management and Supervision of Operational Risk (Basel, Switzerland: Basel Committee on Banking Supervision, 2001), p. 1.

Market Factors

Market factors also play an important role in motivating organizations to consider ERM / ORM. Comprehensive stockholder value management and ERM / ORM are very much linked. Today's financial markets place substantial premiums on consistently meeting earnings expectations. Not meeting expectations can result in severe and rapid decline in shareholder value. Research conducted by Tillinghast-Towers Perrin found that, with all else being equal, organizations that achieved more consistent earnings than their peers were rewarded with materially higher market valuations. [3] Therefore, for corporate executives, managing key risks to earnings is an important element of shareholder value management.

The traditional view of risk management has often focused on property and liability related issues or internal controls. However, traditional risk events such as lawsuits and natural disasters may have little or no impact on destroying shareholder value compared to other strategic and operational exposures, such as customer demand shortfall, competitive pressures, and cost overruns. One explanation for this is that traditional risk hazards are relatively well understood and managed today, not that they don't matter. Managers now have the opportunity to apply tools and techniques for traditional risks to all risks that affect the strategic and financial objectives of the organization.

For non-publicly traded organizations, ERM / ORM is valuable for many of the same reasons. Rather than from the perspective of shareholder value, ERM / ORM would provide managers with a comprehensive overview of other important items such as cash flow risks or stakeholder risks. Regardless of the organizational form, ERM / ORM can be an important management tool.

Corporate Governance

Defense against operational risk and losses flows from the highest level of the organization: the board of directors and executive management. The board, the management team that they hire, and the policies that they develop all set the tone for a company. As guardians of shareholder value, boards of directors must be acutely attuned to market reaction to negative news. In fact, they can find themselves castigated by the public if the reaction is severe enough. As representatives of the shareholders, boards of directors are responsible for policy matters relative to corporate governance, including but not limited to setting the stage for the framework and foundation for enterprise risk management.

[3] Tillinghast-Towers Perrin, Enterprise Risk Management Trends and Emerging Practices (The Institute of Internal Auditors Research Foundation, 2001), p. xxvi.

Right now, operational risk management is a hot topic of discussion for regulators and in boardrooms across the US. In the wake of the 2001 releases from the Basel Risk Management Committee, banks now have further insight as to the regulatory position on the need for regulatory capital for operational risk. Meanwhile, shareholders are aware that there are means to identify, measure, manage, and mitigate operational risk that add up to billions of dollars every year and include frequent, low-level losses and also infrequent but catastrophic losses that have positively wiped out firms, such as Barings, and others. Regulators and shareholders have already signaled that they will hold directors and executives accountable for managing operational risk.

Best-Practice

Senior managers need to encourage the development of integrated systems that aggregate various market, credit, liquidity, operational and other risks generated by business units in a consistent framework across the institution. Consistency may become a necessary condition to regulatory approval of internal risk management models. An environment where each business unit calculates their risk separately with different rules will not provide a meaningful oversight of firm-wide risk. The increasing complexity of products, linkages between markets, and potential benefits offered by overall portfolio effects are pushing organizations toward standardizing and integrating risk management.

Conclusion

It seems clear that ERM / ORM is more than another management fad or academic theory. We believe that ERM / ORM will become part of the management process for organizations in the future. Had ERM / ORM processes been in place during the past two decades, a number of the operational risk debacles that took place may not have occurred or would have been of lesser magnitude.
Companies are beginning to see the benefit of protecting themselves from all types of potential risk exposures. By identifying and mapping risk exposures throughout the organization, a company can concentrate on mitigating those exposures that can do the most damage. With an assessment of risks, their severity, and their frequency, a company can turn to solutions, be it retaining, transferring, sharing, or avoiding a particular risk.

Our thoughts on what will happen in the ERM / ORM environment in the next 5 years are:

In the next 5 years, it is likely that companies will no longer view risk management as a specialized and isolated activity: the management of insurance or foreign exchange risks, for instance. The new approach will keep managers and employees at all levels sensitized to and concerned about risk management. Risk management will be coordinated with senior management oversight, and everyone in the organization will view risk management as part of his or her job. The risk management process will be continuous and extensively focused. All business risks and opportunities will be covered.

In the next 5 years, the use of bottom-up risk assessments will be a standard process used to identify risks throughout the organization. The self-assessment process will involve everyone in the company and require individual units to focus and report on the threats to their individual business objectives. Through the self-assessment process, the organization will be able to understand loss potential and risk control by business, by profit center and by product. The individual line manager will begin to understand the loss potential in his or her own process system.

In the next 5 years, the use of top-down scenario analysis will be another standard method used to identify risks throughout the organization. Top-down scenario analysis will determine the risk potential for the entire firm, the entire business, organization, or portfolio of business.
By its very nature, it is a high-level representation and cannot get into the bottom-up transaction-by-transaction risk analysis. For example, because Microsoft has a campus of more than 50 buildings in the Seattle area, earthquakes are a risk. [4] In the past, Microsoft looked at silos of risk. For example, they would have looked at property insurance when they considered the risks of an earthquake and thought about protecting equipment and buildings. However, using scenario analysis they are now taking a more holistic perspective in considering the risk of an earthquake. The Microsoft risk management group has analyzed this disaster scenario with its advisors and has attempted to quantify its real cost, taking into account how risks are correlated. In the process, the group identified risks in addition to property damage, such as the following:

Director and officer liability if some people think management was not properly prepared.
Key personnel risk.
Capital market risk because of the firm's inability to trade.
Worker compensation or employee benefit risk.
Supplier risk for those in the area of the earthquake.
Risk related to loss of market share because the business is interrupted.
Research and development risks because those activities are interrupted and product delays occur.
Product support risks because the company cannot respond to customer inquiries.

[4] Michel Crouhy, Dan Galai, and Robert Mark, Making Enterprise Risk Management Payoff (New York: McGraw-Hill, 2001), pp. 132-133.

By using scenario analysis, management has identified a number of risks that it might not have otherwise, and Microsoft is now in a better position to manage these risks. The future ERM / ORM tools such as risk assessment and scenario analysis will assist companies in identifying and mitigating the majority of these risks.
In the next 5 years, companies will be using internal and external loss databases to capture occurrences that may cause losses to the company and the actual losses themselves. This data will be used in quantitative models that will project the potential losses from the various risk exposures. This data will be used to manage the amount of risk a company may be willing to take.

In the next 5 years, companies will allocate capital to individual business units based on operational risk. By linking operational risk capital charges to the sources of that risk, individuals with risk optimizing behavior will be rewarded and those without proper risk practices will be penalized.

In the next 5 years, internal audit will become even more focused on how risks are managed and controlled throughout the company on a continuous basis. Internal audit will be responsible for reporting on integrity, accuracy, and reasonableness of the company's entire risk management process. In addition, internal audit will be involved in ensuring the appropriateness of the company's capital assessment and allocation processes. Furthermore, audit will promote continual improvement of risk management and controls through the sharing of best practices.

In the next 5 years, management will be looking for individuals who are skilled in risk management. Professional designations such as the Bank Administration Institute's Certified Risk Professional (CRP) and the Information and Audit and Control Association's Certified Information Security Manager (CISM) will demonstrate proficiency in the risk management area and will be in demand.

In the next 5 years, external auditors will be required to report on the efficiency and effectiveness of a company's risk management program. These companies will be required to disclose the scope and nature of risk reporting and/or measurement systems in their annual reports.
Overall, companies will be better positioned in the next 5 years to deal with the broad scope of enterprise-wide risks. By implementing the ERM / ORM process now, companies will begin to maximize their overall risk profile for competitive advantage.

Bibliography

Barton, Thomas L.; Shenkir, William G.; Walker, Paul L. Making Enterprise Risk Management Pay Off. New Jersey: Financial Times / Prentice Hall, 2002.

"Basel II Mandates a Nest Egg for Banks." US Banker (July 1, 2002): 48. July 2002. http://web2.infotrac.galegroup.co

BITS. BITS Technology Risk Transfer Gap Analysis Tool. Washington, D.C.: BITS, 2002.

Bock, Jerome T. The Strategic Role of Economic Capital in Bank Management. Wimbledon, London: MidasKapiti International, 2000.

Business Banking Board. RAROC and Operating Risk. Washington, D.C.: Corporate Executive Board, 2001.

Business Banking Board. Risk Management Structure. Washington, D.C.: Corporate Executive Board, 2001.

"Consultative Document Operational Risk." 2001. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbsa07.pdf

Crouhy, Michel; Galai, Dan; Mark, Robert. Risk Management. New York: McGraw-Hill, 2001.

"Elements of a Successful IT Risk Management Program." Gartner (May 2002): 9. July 2002. http://www.gartner.com/gc/webletter/bindview/issue1/ggarticle1.html

Ernst & Young. Integrated Risk Management Practices. Unpublished PowerPoint slides, Ernst & Young, 2000.

Hively, Kevin; Merkley, Brian W.; Miccolis, Jerry A. Enterprise Risk Management Trends and Emerging Practices. Florida: The Institute of Internal Auditors Foundation, 2001.

Hoffman, Douglas G. Managing Operational Risk. New York: John Wiley & Sons, Inc., 2002.

"In Brief Ferguson Urges Investing in Risk Control." American Banker (March 5, 2002): 1. July 2002. http://0proquest.umi.com.opac.library.csupomona.edu

James, Christopher. RAROC Based Capital Budgeting and Performance Evaluation A Case Study of Bank Capital Allocation. Pennsylvania: The Wharton School, 1996.

Jameson, Rob; Walsh, John. "The Leading Contenders." Risk Magazine (November 2000): 6. July 2002. http://www.financewise.com/public/edit/riskm/oprisk/opr-soft00.htm

Insurance Industry (participating companies: Allianz, AXA, Chubb, Mitsui Sumitomo, Munich Re, Swiss Re, Tokio Marine and Fire, XL, Yasuda Fire and Marine, and Zurich). Insurance of Operational Risk Under the New Basel Accord. Insurance Industry, 2001.

Lam, James. "Top Ten Requirements for Operational Risk Management." Risk Management (November 2001). July 2002. http://0-proquest.umi.com.opac.library.csupomona.edu

Marks, Norman. "The New Age of Internal Auditing." The Internal Auditor (December 2001): 5. July 2002. http://0-proquest.mi.com.opac.library.csupomona.ed

McNamee, David; Selim, George M. Risk Management Changing the Internal Auditor's Paradigm. Florida: The Institute of Internal Auditors Research Foundation, 1998.

National Association of Financial Services Auditors. "Enterprise Risk Management." National Association of Financial Services Auditors (Spring 2002): 12-13.

netForensics. A Web site that discusses those regulations that govern information security in financial services, healthcare and government. http://www.netforensics.com/verticals.html

Ong, Michael. "Why bother?" Risk Magazine (November 2000): 6. July 2002. http://www.financewise.com/public/edit/riskm/oprisk/oprcommentary00.htm

"Practice Advisory 2100-3 Internal Audit's Role in the Risk Management Process." March 2001. The Institute of Internal Auditors. July 2002. http://www.theiia.org/ecm/guide-frame.cfm?doc_id=73

Santomero, Anthony M. Commercial Bank Risk Management an Analysis of the Process. Pennsylvania: The Wharton School, 1997.

"Sound Practices for the Management and Supervision of Operational Risk." 2002. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbs86.htm

The Financial Services Roundtable. Guiding Principles in Risk Management for U.S. Commercial Banks. Washington, D.C.: The Financial Services Roundtable, 1999.

Verschoor, Curtis C. Audit Committee Briefing 2001 Facilitating New Audit Committee Responsibilities. Florida: The Institute of Internal Auditors, 2001.

"Working Paper on the Regulatory Treatment of Operational Risk." 2001. Bank for International Settlements and Basel Committee on Banking Supervision. July 2002. http://www.bis.org/publ/bcbs_wp8.pdf