INTELLIGENT RISK knowledge for the PRMIA community
November 2020 ©2020 - All Rights Reserved Professional Risk Managers’ International Association
PROFESSIONAL RISK MANAGERS’ INTERNATIONAL ASSOCIATION CONTENT EDITORS
INSIDE THIS ISSUE
Steve Lindo
003
Editor introduction
Principal, SRL Advisory Services and Lecturer at Columbia University
005
PRM spotlight - Lindsey Jane Louw
Dr. David Veen
006
Operational risks in times of a global pandemic: the ever increasing risk of cyber crime by Alex Marinov
010
Risk Implications of the COVID-19 pandemic by Søren Agergaard Andersen
013
Impact of COVID-19 on structured finance by Kishore K. Yalamanchili
016
Change in the sectoral structure of the American stock market due to COVID-19 as an additional risk factor by Aleksei Kirilov & Valeriy Kirilov
022
COVID-19 - fueling acceleration in digital transformation, and why we need it - by Faheem Ali
027
ERM lessons learned from the pandemic crisis for addressing the climate change risks - by Peter Plochan
033
Hallmarks of a data-driven business - by Matt Baker
036
The changing climate of audit committees by Rachael Johnson
038
Risk management – the transformation - by John Thackeray
042
Evolution of risk management post COVID-19 by Vivek Seth
047
Risk management practice changes due to COVID-19 by Fatema AlSaad
050
Operational risk frameworks in the age of COVID-19: in data we trust! - by Thibaud de Barmon
054
PRMIA volunteer profile - Kathryn Kerle
056
Calendar of events
Director, Evaluation Services - IT at Western Governors University
Nagaraja Kumar Deevi Managing Partner | Senior Advisor DEEVI | Advisory | Research Studies Finance | Risk | Regulations | Digital
SPECIAL THANKS Thanks to our sponsors, the exclusive content of Intelligent Risk is freely distributed worldwide. If you would like more information about sponsorship opportunities contact sponsorship@prmia.org.
FIND US ON
prmia.org/irisk
002
@prmia
Intelligent Risk - November 2020
editor introduction
Steve Lindo Editor, PRMIA
Dr. David Veen Editor, PRMIA
Nagaraja Kumar Deevi Editor, PRMIA
In this October issue, we continue to focus on addressing the COVID-19 pandemic. PRMIA’s Sustaining Members, as well as our sponsors, contributed a diverse set of articles, as the global economy continues to struggle from the crisis, with increasing numbers of people getting infected all over the world, rising fatalities, and Phase 3 of clinical trials for evaluating an experimental vaccine still underway. This issue covers a wide range of articles, from the operational risk of ever-increasing cyber-crime in times of a global pandemic, to risk implications of the COVID-19 pandemic, the impact of COVID-19 on structured finance, change in the sectoral structure of the American stock market due to COVID, COVID-19 fueling acceleration in digital transformation, ERM lessons learned from the pandemic for addressing climate change risks, the changing climate of audit committees, hallmarks of a data-driven business, the transformation of risk management, the evolution of risk management post COVID-19, risk management practice changes due to COVID-19, and operational risk frameworks in the age of COVID-19. We continue to acknowledge the valuable contributions from our authors, for taking time out of their personal and professional experiences during these challenging times to share their thoughts. We thank this issue’s authors for their thoughtful contributions and extend this wish to the PRMIA community for the upcoming holidays: continue to be cautious and follow all health safety guidelines. We hope that PRMIA’s members will find the articles published in this issue interesting and enjoy reading them as much as we did reviewing and editing them.
Intelligent Risk - November 2020
003
our sponsors
The Association of Chartered Certified Accountants is the world’s most forward-thinking accountancy body. We believe that accountancy is vital for economies to grow and prosper, which is why we work worldwide to promote the profession and make society fairer and more transparent. We’re a thriving community of more than 227,000 fully qualified members and 544,00 future members across 176 countries, who are among the most qualified and sought-after financial professionals working in every sector you can imagine. Because we’re a not-for-profit organisation, we re-invest our surplus to develop the profession for the next generation through our qualifications, research and CPD. Visit www.accaglobal.com for more information.
Dell Technologies is a unique family of businesses that helps small businesses, startups and individuals build their digital future and transform how they work and live. Dell provides customers with the industry’s broadest and most innovative technology and services portfolio spanning for edge to core to cloud. Visit www.Dell.com/PRMIA to speak with a dedicated Small Business Advisor & access your member benefits.
004
Intelligent Risk - November 2020
PRM spotlight - Lindsey Jane Louw When results matter, Lindsey Jane Louw is glad she has her PRM™ Designation. “The PRM matched to IT knowledge has been a powerful combination when I need to prove that my results are correct to fellow stakeholders.” While working in treasury market systems implementation, Lindsey decided she wanted to find a course she could take online for increasing her risk skills. “I found the PRM offered a great insight into risk while offering the flexibility I wanted.” Lindsey studied on weekends and evenings, completing the PRM courses in just 18 months. “The PRM is internationally recognized among risk professionals, and many organizations see that having certification specifically in risk or finance is very beneficial. I know they find it valuable, as I have become a trusted consultant in our business. Lindsey’s confidence of knowledge allows her to challenge the business when they are looking for a new technology, and then help them identify the best solutions because of the deeper understanding and IT context. Her role as principle consultant in IT risk means she is the subject matter expert and is relied upon to analyze, build and support risk implementations onto Murex for the business. “I have recommended the PRM to many colleagues in risk and know that it is a major leap for many. The PRMIA Associate PRM certificate provides a great foundation to risk for those in IT, and I feel it really allows people to get a brilliant introduction to risk. For IT people supporting a risk function, I think it offers a nice alternative to the PRM.” Lindsey has seen the firsthand the opportunities PRMIA and the PRM provide. “I recently moved to London and am looking forward to attending PRMIA events often, as the chapter is very active compared to Johannesburg, my last assignment. Along with a new geography comes some new challenges. “Initially, I was very focused on market risk with very little exposure to credit risk, but after studying the PRM and credit risk and CVA concepts, it really showed me a different take on the risk world.”
Intelligent Risk - November 2020
005
operational risks in times of a global pandemic: the ever increasing risk of cyber crime
by Alex Marinov Cyber-crime has always been a very hot topic for financial institutions, ever since the rise of the internet. Technology has advanced so much since those early days and has completely transformed our daily lives. Nowadays one can make bank transfers, exchange currencies, take out a loan and many other banking actions with a click of button on their smartphone. We have come a long way since the early days of banking.
However, one clear and present danger that has increased over the last 20 years is the risk of cybercrime. Cyber-crime is one of the most serious risks, not just for banks but for any institution as it can have dire financial effects and consequences. As technology advanced, so did the many ways that criminals would try to exploit the gaps of security. The risks of Cyber-crime can be very costly and detrimental to the operational effectiveness of any enterprise and pose significant challenges. Nowhere has this risk been more prevalent than during the current global pandemic caused by the coronavirus – SARS Cov 2, which presented a unique opportunity for those willing to exploit it based on most recent data from security agencies.
the Coronavirus strikes and so do the criminals When SARS Cov 2 gripped the world, millions of people were forced to work from the comfort of their own homes. This was done at the behest of governments in order to limit the social interactions of people, reduce the number of infections, decrease the number of sick individuals and preserve vital hospital capacity. However, companies that lagged with respect to their preparedness for cyber-crime suddenly found themselves stretched to the limit in order to make sure that their employees had access to company files, client information, and bank details- all prime targets for criminal organizations. This situation also presented a unique opportunity for criminals. With millions of workers now working from home this presented a golden opportunity for such criminals and presented numerous operational risks for many organizations. According to Interpol’s private sector partners during the four-month period from January to April there were 907,000 spam messages, 737 incidents related to malware and 48,000 malicious URLs – all related to COVID-19. Large scale data breaches increased by 273% compared to the same period last year.
006
Intelligent Risk - November 2020
Ransomware - a situation where criminals compromise a database or system and ask for ransom in the form of untraceable cryptocurrencies - had also increased dramatically1. Phishing remained one of the most popular ways for compromising systems. In addition, Interpol and its partners were able to detect that there was an increased interest in registering domains containing the words “Covid” or “Corona” of which 40,261 were classified as high risk. Furthermore, Google had reported on the 17th of April that scammers were sending out 18 million phishing emails per day by posing as reputable organizations2. According to Interpol, these categories had the most target campaigns and were often the top phishing scheme: • Emails from national or global health authorities; • Government orders and financial support initiatives; • Fake payment requests and money reimbursements; • Offers of vaccine and medical supplies; • COVID-19 tracking apps for mobile phones; • Investments and stock offers; • COVID-19 related charity and donation requests. A novel way of attack was to mail malicious USB devices as gifts, thereby getting access to key company data. The current situation has evolved dramatically and has pushed cyber security teams to new heights of monitoring and prevention. The change is because the organizations have to manage a workforce working from home and potentially deal with mass layoffs, which makes data retrieval and security extremely difficult. Companies have little choice as the costs associated with cyber-crime are significant, but how high are they?
1 / https://www.interpol.int/en/content/download/15217/file/Global%20landscape%20on%20COVID-19%20cyberthreat.pdf https://www.riskiq.com/blog/analyst/covid19-cybercrime-update/ https://www.interpol.int/content/download/15217/file/Global%20landscape%20on%20COVID-19%20cyberthreat.pdf https://www.interpol.int/content/download/15526/file/COVID-19%20Cybercrime%20Analysis%20Report-%20August%202020.pdf https://www2.deloitte.com/ch/en/pages/risk/articles/covid-19-cyber-crime-working-from-home.html https://www.comparitech.com/vpn/cybersecurity-cyber-crime-statistics-facts-trends/ https://us.norton.com/internetsecurity-online-scams-coronavirus-phishing-scams.html 2 / https://www.interpol.int/Crimes/Cybercrime/COVID-19-cyberthreats/Global Landscape on COVID-19 cyberthreat.pdf https://www.interpol.int/content/download/15217/file/Global%20landscape%20on%20COVID-19%20cyberthreat.pdf https://www.interpol.int/content/download/15526/file/COVID-19%20Cybercrime%20Analysis%20Report-%20August%202020.pdf
Intelligent Risk - November 2020
007
what are the costs associated with cyber-crime? It is estimated that cybercrime costs per financial institution start anywhere from $13-18 million per year3 and can reach hundreds of millions of dollars to prevent and mitigate such risks. Banking is especially susceptible to this type of crime as it holds vital information for its clients-banking details, addresses, phones, emails and a lot of private information that could be used for illicit purposes with huge scope for detriment to the individual client4. Obviously, these risks are significant. Estimates range in the billions for different sectors, where banks are estimated to lose as much as $347 billion, insurers lose around $305 billion, and capital markets lose close to $47 billion5.
how to prevent cyber-crime? Cyber-crime is the number 1 priority for many organizations in the 21st century, as security breaches can easily turn into a cost of more than a billion of dollars per year with dire consequences for both companies and their clients. How easy is it to prevent security breaches? There is no universal cure, rather a constant improvement and augmentation by each organization to keep ahead of the criminals. The most important things that have to be taken into account are 6: • Having a robust IT infrastructure with checks and balances • Detecting, investigating, containment and recovery are key themes that have to be addressed in any cyber-crime prevention framework, where the operational challenges are addressed and appropriate investment is given • A pro-active process for the organization as cyber-threats are constantly being created which require a great deal of oversight and attention from seasoned professionals • Cyber-crime prevention should be a key topic in any organization and should be seen as an investment rather than as an underlying cost
3 / https://newsroom.accenture.com/news/cost-of-cybercrime-continues-to-rise-for-financial-services-firms-according-to-report-from-accenture-andponemon-institute.htm https://www.accenture.com/us-en/insights/financial-services/cost-cybercrime-study-financial-services 4 / https://www.accenture.com/us-en/insights/security/cost-cybercrime-study 5 / https://www.accenture.com/us-en/insights/financial-services/cost-cybercrime-study-financial-services https://www.wisbusiness.com/2020/bank-of-america-cyber-crime-specialist-talks-hacker-prevention-amid-covid-19-scams/ https://www.accenture.com/_acnmedia/PDF-96/Accenture-2019-Cost-of-Cybercrime-Study-Final.pdf#zoom=50 http://www3.weforum.org/docs/WEF_Global_Risk_Report_2020.pdf 6 / https://www.interpol.int/Crimes/Cybercrime/Cyber-capabilities-development https://blog.iomart.com/cost-of-a-data-breach
008
Intelligent Risk - November 2020
in conclusion The global pandemic of 2020 has posed numerous challenges for many organizations and has pushed their IT infrastructure to the brink. During this time period, it was perfect for cyber-criminals to take advantage of the situation and cause significant losses by directing numerous sophisticated attacks. International police organizations and cyber-security experts have worked around the clock to minimize these disruptions. Organizations must prepare in the present and need to recognize that in the 21st century cyber-security is a key topic in order to prevent such risks.
author Alex Marinov Alexander Marinov has been working in the financial services industry since 2013. He has worked at Deloitte, Barclays Investment Bank, and BNY Mellon. Mr. Marinov has a MSc in Economics and International Financial Economics from the University of Warwick and Bachelor’s in Economic and Social Studies from the University of Manchester. He is a PRM holder since 2015.
Intelligent Risk - November 2020
009
risk Implications of the COVID-19 pandemic
by Søren Agergaard Andersen temporary crisis, or new normal? The ongoing COVID-19 crisis situation has had an enormous effect on almost all industries. In the span of a very short timeframe, many businesses had to take huge measures to accommodate a new reality where, among other things, colleagues were prevented from coming into the office and, where possible, had to conduct their work from home. All good business continuity plans can manage this in the short term, but with the crisis continuing well into the autumn, one could argue that we should no longer see this as only a temporary crisis, but also as a new normal. Some firms have proven very ready for this situation. They have been used to remote working and have processes and procedures, as well as a culture, that support a scattered workforce. Others have struggled much more and have had to expeditiously accept risks which they wouldn’t under normal circumstances.
risks which have increased Among the risks that have increased are especially IT and Information Security. With people sitting outside the office, their equipment and the data that they process is suddenly much more exposed. Home offices are established in kitchens, living rooms, summerhouses, etc. and, as such, a big part of information security controls is side-lined. Each individual internet connection is suddenly a potential weak link and the criticality of good security measures has increased. In order for businesses to keep running, remote access to critical applications has had to be opened and confidential information – electronic or physical – is suddenly not as protected as it would be in a safer, office environment. Most critical processes can in theory be run from anywhere with an internet connection, but some of them have deliberately been restricted to only work on premises. By opening up for remote access, the network is – ceteris paribus – more exposed, and people are able to remotely access and process data which they previously couldn’t.
010
Intelligent Risk - November 2020
Operational risks in processes and controls have also increased. Daily routines where colleagues sit close together and can interact quickly are now broken up, causing some less formal processes and controls to suffer. Efficiency will potentially deteriorate, causing an increase in residual risks. This in turn will also lead to an increase in fraud risk. With both control environment and efficiency being challenged, the risk of falling victim to fraudulent behavior increases. The important power of proximity is also challenged. Managers will have less overview of the ongoing work in their departments and longer reaction times, causing colleagues who need daily interaction to lose motivation, even though tools like Zoom, Skype and Teams, as well as frequent communication (townhalls, intranet, webcasts, etc.), can mitigate this.
risks which have decreased On the flipside, the new normal also has the attribute of lowering some risks, either directly or indirectly, by forcing firms to re-prioritize. The pandemic outbreak has served as an excellent chance to live-test and improve business continuity plans. If the plans didn’t have sufficient quality before, they certainly should have now, and with a more decentralized workforce the potential impact from catastrophes, pandemics and such is much lower. The COVID-19 outbreak has also led to a stronger focus on the risk stemming from third parties. Firms need to be observant to any fragilities with their vendors and service providers, and make sure they have a plan B and C, which can be implemented quickly in case these are suddenly incapacitated.
consequences for risk management No one can argue that they couldn’t imagine this pandemic scenario – COVID-19 was not a black swan. Hence, it’s fair to assume that firms with strong risk cultures and a focus on discipline in processes, controls, continuity plans and resilience in general have come through with the fewest and smallest challenges. Other firms have suffered more, but they now have an excellent chance of making the necessary improvements. The pandemic has shown us all very precisely which risks are most important for our firm, and what are the impacts. This is helpful in the work of extending and improving the risk framework, as we can be more precise. In the aftermath of the pandemic, and what we could call new normal, risk management needs to increase/ develop its capabilities around IT risk, especially concerning temporary risk acceptances within technology, information and security. The important risks that are being accepted or increased need to be stringently monitored, and plans for swift actions in case of breaches need to be in place.
Intelligent Risk - November 2020
011
Risk management also needs to ensure the business’s focus on awareness training. The new way of working results in new habits, and everyone needs to be sufficiently trained and reminded. IT and Information Security, in particular, need to dedicate resources to push out information and training, but also risk management and compliance have important roles. The pandemic has shown us the impact of well-known risks and reminded us of risk disciplines that we already know. Now they are more important than ever.
author Søren Agergaard Andersen Søren Agergaard Andersen is the Chief Risk Officer for Nordea Asset Management, the biggest asset manager in the Nordics with around € 235bn AuM. Søren is responsible for the overall risk function, managing a team of risk professionals in Denmark, Sweden and Luxembourg. Prior to this Søren was subsidiary CRO in SEB Denmark. Søren is a holder of the PRM™ certification.
012
Intelligent Risk - November 2020
impact of COVID-19 on structured finance
by Kishore K. Yalamanchili introduction The shutdown of the economy due to COVID-19 is causing more widespread and rapid dislocation than in the 2008/09 Financial crisis. While the great recession of 2007-08 was triggered by large scale defaults within the residential sector, spreading widespread chaos later to other sectors, the current crisis is due to the healthcare pandemic impacting economic activity worldwide. Unlike the previous crises, the monetary and fiscal authorities have been quite aggressive in dealing with the current situation. The Federal Reserve cut the benchmark Fed Funds rate cut by 1.5% to 0-0.25% and launched several bond buying programs and credit facilities. In particular, the central bank launched the TALF program to provide funding for buyers of eligible structured finance bonds. On the fiscal side, the Federal government passed the CARES act which includes the PPP program for small businesses, $600/week in additional assistance to unemployed persons, and a moratorium on foreclosures and evictions on properties with agency mortgage loans. In addition, GSEs and private lenders are offering forbearance programs for mortgage borrowers. Consumer lenders are offering deferred payments and other support to borrowers.
impact on structured finance sectors As COVID-19 spread in the US, structured finance credit spreads moved wider in sympathy with broader markets. Spreads tightened back close to pre-pandemic levels in senior tranches due to monetary and fiscal stimulus programs. Subordinate bond spreads also rallied from the highs, but remain somewhat wide to pre-pandemic levels. New issue activity initially slowed down but resumed later. There is a bifurcation between up in capital structure tranches considered safe and lower rated (BBB and below) that are at risk of losses should the pandemic situation continue for a longer period. While RMBS and CMBS collateral pools experienced an increase in delinquencies and other credit metrics, ABS sector has performed better. Consumer credit performance has been better than what would have been expected, which is likely attributable to the stimulus programs. The RMBS sector was the epicenter of the Great Recession of 2007-08. However, this time it is different, as the housing market is performing well due to low mortgage rates.
Intelligent Risk - November 2020
013
While delinquencies rose rapidly during 1Q 2020, the growth rate has slowed down recently due to the various forbearance plans offered by lenders. The CMBS sector is at the center of the current crisis, with retail and hotel sectors severely impacted. Multifamily sector is also showing signs of weakness in some areas. Credit performance has deteriorated after the shutdown started, with delinquencies rising as many property owners are asking for relief from lenders. Leveraged loans credit quality deteriorated heading in to 2020, and the current economic slowdown is putting significant pressure on the companies issuing the loans. An increase in loan defaults and downgrades resulted in deterioration of key CLO deal metrics such as IC and OC ratios, and an increase in CCC buckets. Since the deals are actively managed, some managers actively traded to improve deal metrics. There is some stabilization in credit metrics in recent months as loan prices recovered. The rating agencies were quick to act as credit performance weakened. They have placed a large number of structured finance ratings on watch.
future prospects The sector’s future performance will be dictated by: • How the COVID-19 crisis is resolved. Likely scenarios are: (i) An effective vaccine arrives and everything goes back to pre-crisis normal (ii) New normal – Virus is only partially contained. Travel and other activities resume in a limited way (iii) Vaccine delayed – Social distancing is the new norm. Travel, shopping and other activities remain restricted • How the underlying assets evolve in a post-pandemic world. Some sectors of the economy will have to undergo significant restructuring. • How much additional monetary and fiscal stimulus will be deployed going forward. The central bank is in this for the long haul, but fiscal side is a concern due to political divide and the upcoming election A renewed wave of infections may see new lockdowns, further impacting economic activity and markets. Credit performance is likely to deteriorate now that the additional Federal assistance to unemployed persons expired in July, and it is being replaced by a lower level of assistance. Banks and other lenders may have to extend forbearance and deferment programs to borrowers.
014
Intelligent Risk - November 2020
implications for risk management The widespread dislocation in the economy calls for an examination of existing credit models. The modelers need to carefully consider the impact of deferments, and modifications on future defaults as the true status of the collateral may be masked by these actions. Large scale forbearance activity has significant impact on deal cash flows, and servicer’s ability to advance payments to investors. They have to account for possible structural changes in sectors like retail, office, and multifamily as well. Risk managers should take a close look to review and revise collateral assumptions, stress scenarios, and risk charges as appropriate. Particular attention should be paid to lower rated subordinate bonds and rating actions, as the agencies have been quite active. Overall, this is the time for increased vigilance on all fronts for risk managers.
author Kishore Yalamanchili Kishore Yalamanchili is currently a Managing Director at NewOak Capital, providing consulting services for the asset management industry. Before NewOak, he held senior portfolio management positions at BlackRock, Karya Capital and Prudential. Kishore has a Ph.D. in Engineering from Clemson University, and an MBA from the University of Chicago, and he holds the Chartered Financial Analyst designation.
Intelligent Risk - November 2020
015
change in the sectoral structure of the American stock market due to COVID-19 as an additional risk factor
by Aleksei Kirilov & Valeriy Kirilov The events in the US stock market in the first half of 2020 provide a unique opportunity to study the dynamic characteristics of the market. This strong and sharp decline and subsequent highly uneven recovery provided a resilience test of risk management approaches for many investors and lenders. This article examines the dynamics of changes in sectoral structure of the stock market due to the COVID-19 pandemic. An understanding of the prospects for the development of a particular industry is necessary for both investors and lenders in order to correctly assess investment risk and risk of lending to a company from this industry. This article is to some extent a continuation of the study of the American stock market, which we began in [1] and [2]. Note that earlier we had predicted the market correction for March - April 2020, see [2]. But the pandemic has brought this correction closer and much stronger. To compare the behavior of stocks of various companies, we used the dimensionless value of the relative weight of these companies in the S&P 500 index. To do this, we used the ratio of the company’s daily share price to the value of the S&P500 index. Then the results were normalized to the value of the company’s weight in the index, which was on February 19, 2020. This is the date of the maximum rise of the market before the fall. Thus, it is possible to analyze the change in the weight of the company in the index, i.e. compare the change in the capitalization of a given company with the behavior of the entire market. For calculations, the data of the service https://finance.yahoo.com were used from January 1, 2020 to September 30, 2020 inclusive. Consider the dynamics of shares in consumer sector companies (FMCG) using the example of CL, KMB and PG. Fig. 1 shows the graphs of changes in the weight of these companies and there is also a graph of changes in the S&P 500.
016
Intelligent Risk - November 2020
The weight of all three companies in the index instantly began to rise when the market fell, i.e. investors almost immediately realized that the sales of these companies should grow in a pandemic. Therefore, the quotes of their shares fell much less than the market as a whole and their weight in the market capitalization increased significantly. The rate of growth is comparable to the rate of decline of the S&P 500. The change in the weight of stocks and the change in the S&P 500 occur in different directions, and with a fairly high correlation. Later, as the market recovers, the proportion of these shares in the index gradually decreases. However, as of the end of September, the weight of these companies is still slightly higher than before the market fell. The situation is completely different for large banks such as BAC, USB and WFC, see Fig. 2. The weight of these banks’ shares in the index is almost constantly decreasing, both during a sharp decline in the market and during its recovery. And in the end of September it is 20 - 30% below the initial value of February 19. Apparently investors are distrustful of the business prospects of these banks. In other words, investors believe that many of these banks’ borrowers will have problems.
Let’s look at the stocks of companies in the high-tech sector. We have chosen companies DOCU, NET and ZM, see Fig. 3. They are united by the fact that their services and products are created on their own cloud platforms. The weights of these companies in the S&P 500 are almost constantly growing, both during a sharp decline in the market and during the recovery period. And by the end of September, more than double the baseline values before the market crash. This indicates that investors appreciate the prospects of their business. Intelligent Risk - November 2020
017
We have considered several cases for companies from different industries. Based on these, it can be assumed that there is some regularity in the change in the sectoral structure of the American stock market. To identify this regularity, let’s consider the change in the capitalization of the entire market and its main sectors. As the initial data, the values of capitalization of the main sectors of the American stock market from the Finviz were used: https://finviz.com. Table 1 shows data on the capitalization of various sectors and the market as a whole in billions of US dollars from September 17, 2019 to September 30, 2020.
For further analysis, it will be more convenient to use the share of each sector relative to the total capitalization of the stock market, as shown in Table 2.
018
Intelligent Risk - November 2020
Figure 4 shows the results for February 19 and September 30, 2020. The sectors were divided into two groups. Four sectors have significantly decreased their share in the capitalization of the entire market: Financial, Basic Materials, Utilities and Industrial Goods. And the other four sectors, on the contrary, increased their share in the total market capitalization: Healthcare, Services, Consumer Goods and Technology.
Let’s now take a closer look at the dynamics of changes in the quantities under consideration. We will take the values of the capitalization of each sector as of February 19, 2020 as 100%, and calculate the corresponding values for other dates. Build a graph of changes in the relative capitalization of sectors that have lost their share in market capitalization: Basic Materials, Industrial Goods, Financial and Utilities, see Fig. 5. Here is a graph of changes in the relative capitalization of the entire market also. At the initial stage of the fall, all four sectors declined more than the market or like the market. During the recovery phase, these sectors are growing noticeably slower than the market, i.e. their relative share is still decreasing.
Intelligent Risk - November 2020
019
Let’s look at the graph of changes in the relative capitalization of the “grown sectors”. These are the Consumer Goods, Healthcare, Services and Technology sectors, see Fig. 6. The behavior of these sectors is the opposite of the “loser sectors”. Initially, they all fell less than the market. And during the recovery phase, everyone except Healthcare is growing faster than the market. This means that their relative share in the American stock market continues to grow.
Analysis of the data presented in this paper allows us to draw several conclusions. First, amid the collapse of quotations in February - March, most investors correctly assessed the potential of different market sectors and reacted quickly. Second, there is indeed a change in the sectoral structure in the stock market, but the scale of these changes can be finally assessed no earlier than one or two quarters after the economy returns to a “calm” state. Third, the COVID-19 pandemic appears to have only intensified and accelerated trends that had begun to form earlier. Apparently, the change in the sectoral structure of the stock market is due to the formation of a new economic order. It should be noted that with such sharp market fluctuations due to a shock in the economy, the use of the P/E parameter is beside the purpose, since it can lead to a distorted assessment of the potential of a particular industry or stock. The matter is that the change in the P/E is caused not only by the degree of recovery in stock prices, but also to a sharp change in the earning of companies in the past period due to the lockdown. In such cases, it may be better to use the weight of a company’s stock or industry in the capitalization of the entire market. A correct assessment of the potential of various market sectors, in our opinion, is extremely important for improving risk management approaches. In order to take into account the changing structure of the stock market, risk management units of banks and companies will have to review their investment policies, limit policies, including industry limits, asset and liability management, stress testing scenarios, internal credit rating models, and so on.
020
Intelligent Risk - November 2020
references 1. Aleksei Kirilov, Valeriy Kirilov. High business concentration as a source of strategic risk. Intelligent Risk (PRMIA), July 2019, https://issuu.com/prmia/docs/intelligent_risk_july_2019_issuu 2. Aleksei Kirilov, Valeriy Kirilov. US stock market: growth potential or risk of falling? Intelligent Risk (PRMIA), January 2020, https://issuu.com/prmia/docs/intelligent_risk_-_jan_2020_-_issuu
authors Valeriy Kirilov General manager at Conflate LLC Conflate is a Russian management consulting company specialized in strategy, risk management, asset management and venture investment. Valeriy has 15+ years’ experience in risk management and management consulting (BDO, Technoserv, then at Conflate). Besides he previously worked in the nuclear power industry (safety of Nuclear Power Plants). Valeriy has an MBA from London Metropolitan University as well as a financial degree from Moscow International Higher Business School MIRBIS and an engineering degree from Moscow Engineering Physics Institute. He holds the PRM and FRM certifications and the certificate of Federal Commission for Securities Market of series 1.0. Valeriy was a member of the Supervisory board of the Russian Risk Management Society in 2009 – 2010.
Aleksei Kirilov Partner at Conflate LLC As the partner of Conflate, Aleksei is responsible for asset management and venture investment. He specializes in the US stock and debt markets. Aleksei has more than 15 years of experience in financial services including development of financial strategy and financial KPI, liquidity management; controlling system, allocation of expense on business unit, financial modeling and debt finance. He has cross industries experience: banks, oil & gas manufacturing, real estate. Aleksei has an MBA from Duke University (Fuqua School of Business), a financial degree from Russian Plekhanov Economic Academy and an engineering degree from Moscow Engineering Physics Institute.
Intelligent Risk - November 2020
021
COVID-19 - fueling acceleration in digital transformation, and why we need it
by Faheem Ali
Digital transformation is a leading force in business today. Experts say that, in the wake of COVID-19, there is an urgent need for many enterprises to digitalize and tap into enormous opportunities. Whether based upon employing a shrewd offense or cautious defense, this change will impact all companies. But What is digital really? Who should own it within the enterprise? What processes and technologies are necessary to bring it to life? Digital transformation may seem like a new buzzword for an old topic.
the digital revolution Firstly, it’s necessary to digitize your culture. This requires hiring for and encouraging learning agility among your employees. New technologies and techniques emerge much faster than in the past. The technology that one is comfortable with today may be obsolete tomorrow. Will your employees be willing to retrain in the use of more modern technologies and techniques?
022
Intelligent Risk - November 2020
Secondly, it’s necessary to use modern solutions, such as cloud and mobile-enabled technology, rather than mainframe technology of the past. Not taking these first steps can mean that you’ll be a victim of your own success, unable to reap the rewards that higher demand might bring. Thirdly, it’s necessary to develop or hone an edge-based innovation function. This entails developing or recasting an existing research and development arm, seeking new business opportunities that exploit digital technologies at the edge of current product or service offerings, or perhaps in adjacent spaces to the current offerings. Fourthly, the rest of the business should think further about how digital opportunities can transform the core business. An eye toward better customer experience through digital channels should be paramount, as customers expect easier, intuitive, and compelling digital experiences when they become more sophisticated. The digital revolution that’s upon us is an enormous threat to a lot of businesses, but it also can be a tremendous opportunity for those who leverage the new ways of operating. Remember, digital transformation is the coordinated digitization of change efforts at scale, diffused through the operating model and all aspects of the business, including people, processes, technologies, and metrics. The goal of this is to bring meaningful outcomes to the organization.
the stages of digital maturity - a new mindset Is your company able to interact with customers online through your company website or Customer Relationship Management (CRM)? Do you have an active social media presence? Do you offer your products and services digitally? How advanced or mature is your digital offering? The stages if digital maturity
Dealing with specific problems or projects at a functional level – business, human resources or marketing, for example - can deliver improvements. However, functional transformation is often done in a disconnected manner without thinking about linkages across the organization. Lack of coordination results in redundant expenditures, data fragmentation, and leaves the anticipated value of digital investments under-realized.
Intelligent Risk - November 2020
023
It takes time, energy, and vision to look at entire ecosystems across the enterprise, but it is that broader perspective that offers large, lasting improvements. Businesses adopting an end-to-end ‘connected venture’ mindset that centers around the customer value proposition will be the ones that outperform and thrive as we head towards the new reality. In essence, every change in technology and process should be customer-centric in spirit and impact so that data and insights flow freely, driving informed decision-making and fostering new levels of collaboration. Greater levels of maturity are likely to translate to greater levels of value.
who should lead the digital agenda? At a recent World Innovation Series 2020 gathering of CIOs, CISOs, BFSIs and other executives, I asked the audience how many of their companies had a Chief Digital Officer (CDO)? Amazingly, only about five raised their hands. Through an instant poll, I was able to determine that a little more than 50% of the Chief Information Officers either owned the digital agenda or co-led that agenda. This may seem surprising, but let’s dig into how companies should think about the person who leads the function.
Many CEOs and leadership teams of companies think of the true digital opportunity as one that is revenuecentric. But what about the operational aspects that are necessary to make that happen? In order to advance digital capabilities, organization and change management are required, and management practices need to be in place to facilitate the speed and flexibility required in digital growth and development, such as: • Functional processes that drive and support day-to-day operations of the business and the generation of revenue • Architecture and tools which include the governance infrastructure and applications responsible for the collection and maintenance of data used in digital initiatives. 024
Intelligent Risk - November 2020
Leaders of customer-centric functions may not have experience or expertise in the areas necessary to influence each of these. Likewise, there are many technical changes necessary in order to transform a company to be digital ready.
employee skills needed for digital transformation There are several skills that become more important for digital transformation. Firstly, it’s necessary to hire skills associated with agile development. Digital transformation requires agile development which focuses on developing projects iteratively. This is in contrast to the traditional waterfall method, which is serial in nature with handoffs along the way. Agile coaches are key new roles in this paradigm. They’re part change manager, part consultant and part trainer. The second skill necessary related to agile development is the scrum master. [this term needs a brief explanation] The third skill necessary to incorporate into your teams is the product owner. In the digital age, to a greater degree, one must think of traditional projects or services of the company as products. The fourth skill that’s required for digital transformation is the user experience (UX) designer. UX encompasses both customer experience and employee experience, depending on who a given product or project is directed toward. When businesses are forced to change because of a pandemic, the advantage is that they can intensify their services through digitization, and digital transformation. As the result, they can solve problems in sales, operations and logistics channels. There are four things that can be implemented for digital transformation: (1) Ensuring business remain competitive, (2) Bringing efficiency in business processes, (3) Increasing customer satisfaction, and (4) Making it easier for business people to make strategic decisions.
conclusion – next steps In the same way that a heart attack can serve as a wake-up call and impetus for lifestyle changes for those suffering from chronic heart disease, the COVID-19 crisis and other acute disruptions can serve as an opportunity for organizations to make some fundamental shifts and to implement structures and practices that will enable them to thrive. The road to new reality will have many twists and turns, and perhaps even a few potholes. However, organizations which accelerate their digital transformation will continue to win over their customers. I wish you the best of luck! Thank you!
Intelligent Risk - November 2020
025
author Faheem Ali Expert Financial Inclusion and Digital Transformation Faheem is an international speaker and has a strong management background in the Inclusive Finance and Banking domain with insightful understanding of the financial sector in various markets in Central Asia, Asia Pacific, and Africa. Faheem has extensive experience in financial product development, digital financial product development and deployment, corporate and product marketing strategies formulation, transformation of MFIs, and credit operations. He has worked in different countries and provides training, consulting, and executive coaching services for inclusive financial service providers. Faheem has also conducted market research and numerous sessions/workshops in East African and Sub-Saharan countries, Central Asia, Asia Pacific, West Africa, and Gulf countries for financial institutions, mobile money operators, and nonfinancial providers including NGOs. Faheem’s other areas of interest include digital financial services, risk management, social performance management (SPM), capacity building, and youth inclusive financial services.
026
Intelligent Risk - November 2020
ERM lessons learned from the pandemic crisis for addressing the climate change risks
by Peter Plochan An economic crisis situation, like the current COVID-19 one, has serious implications for financial institutions around the world. With the arrival of IFRS 9 ECL / CECL1 impairment standards, banks have to work even harder now to assess the potential financial impact of such a crisis on their balance sheet and portfolios and take risk mitigation decisions accordingly. These new standards and other key bank processes are backed by models with assumptions that prevail in normal times but may prove impaired in the context of extraordinary uncertainty. As a result, these institutions and their decisions are increasingly exposed to model risk during the crisis times. From a capital and liquidity perspective, banks are well prepared for recession thanks to the capital buffer buildup initiatives implemented after the 2008-2009 crisis and the excess liquidity funneled by central banks into the economy and financial system. The 2nd pandemic wave is going to put these regulatory actions to the test and will require banking risk managers to develop more pro-active, forward-looking risk mitigation measures. Furthermore, the emergence of climate change-related financial risks and related regulatory initiatives are creating yet another set of challenges for ERM professionals to address (See Figure 1). Fortunately, there are a couple of lessons learned from the recent pandemic developments that can help banks to better prepare for the upcoming climate change crisis. Figure 1- Arrival of Climate Change
1 / Expected Credit Loss / Current Expected Credit Loss
Intelligent Risk - November 2020
027
lesson learned #1: plan is nothing, but planning is everything In order to identify the best course of action, banks have had to analyze the financial impact coming from alternative future evolution paths on both macro and micro levels. In crisis times, new insights arrive almost on a daily basis, and so the need increases for banks to reassess the impact of these changing alternative future scenarios on the economy, their loan portfolios and their bottom line, frequently and in automated fashion As banks go through a forward-looking analysis exercise, the focus should not be just on the resulting numbers, but rather on better understanding the risk sensitivities, concentrations and dependencies embedded in banks’ portfolios, and assess the effectiveness of any potential actions. With such insights at hand, banks can identify optimal risk mitigation actions and take impact-aware decisions in order to navigate through volatile and uncertain times.
Figure 2: Forward looking what if perspective
From now on, attention on the forward-looking “What If� perspective suddenly makes a lot of sense to the relevant business stakeholders, and banks will, and should continue to, work on improving the timeliness and efficiency of their forward-looking analytical processes.
028
Intelligent Risk - November 2020
lesson learned #2: expect unexpected credit losses Both IFRS 9 ECL and US GAAP CECL forward-looking standards were designed as a response to the 2008-2009 financial crisis, with the objective of capturing the risks on the horizon much earlier in banks’ financial statements. Now they are being stress-tested in reality for the first time by a live crisis, and the recently posted skyrocketing credit losses of leading global banks are clear proof of the volatility and sensitivity embedded in these standards. Leading global regulators like European Central Bank 2 and Bank Of England3 have published concerns about the potential pro-cyclical effect of these standards and asked banks to apply their IFRS 9 methodologies and scenarios with caution, and not to let them run wild. Credit Losses are the single most important factor impacting bank’s performance in times of stress, expressed both in P&L and capital adequacy terms. The changes introduced by these new standards have made impairment calculations much more complex and calculation-heavy, which makes their forecasting a very resource and time-consuming process. Therefore, it is crucial for banks to fully understand and own their credit loss calculations, so they can be more in control of their Balance Sheet and P&L, and create a better perspective on their potential future evolution. Examples of banks taking active measures here include explicit objectives to limit ECL volatility embedded in their risk appetite statement (Figure 3)
Figure 3: Risk Appetite metrics of a global bank with explicit ECL targets
Thanks to the current crisis, both banks and regulators now better understand the volatility and sensitivities embedded in their ECL estimates, and they can better work on addressing the identified gaps and improve the efficiency and explainability of the underlying processes and systems.
2 / ECB’s Letter: IFRS 9 in the context of the coronavirus (COVID-19) pandemic 3 / BoE’s Dear CEO letter: Covid-19: IFRS 9, capital requirements and loan covenants
Intelligent Risk - November 2020
029
lesson learned #3: keep your models at bay
“
Crisis times can expose models used by banks to new stressed data which the models might not have been familiar with. As a result, the statistical soundness and relevancy of important models can get impacted. “The real failure is not that banks used models which failed in this crisis, but rather that they did not have fallback plans to manage when the crisis did come.” Source: McKinsey, Banking models after COVID-19: Taking model-risk management to the next level
What matters is how banks respond to situations when performance of their key models drastically deteriorates, what corrective action they can take, and how fast they can respond to ensure that the models do not push them into wrong business decisions. The recent pandemic experience has exposed the burning points within banks’ modelling ecosystems. At the same time, these developments have reiterated the need for sound model governance and model risk management (MRM) processes, as well as flexibility of the underlying infrastructure which are both crucial for banks to respond optimally when their models are exposed to the unexpected.
the way forward to tackle the “green swan”
“
Recent regulatory climate risks regulations and climate risk stress testing initiatives are clear examples of the attention given to climate change by leading global regulators, despite the pandemic setback. “Climate change could lead to “green swan” events and be the cause of the next systemic financial crisis.” Source: Bank for International Settlement The Green Swan - Central banking and financial stability in the age of climate change
Similar to the pandemic experience, with climate change banks have to look forwards but over a much longer time horizon and with a much broader range of risk drivers, scenario factors and uncertainty. Banks have to work with scenario pathways which depict the relationship between carbon footprint and resulting temperature increase (Figure 4). These then have to be translated into traditional financial risk drivers (e.g. GDP growth), risk factors (e.g. PDs) and, in the end, into risk KPIs (e.g. ECL).
030
Intelligent Risk - November 2020
Figure 4: Global Green House Emission Pathways Scenarios4
One of the key challenges for banks will be to establish a clear relationship between climate change scenarios and their ECL methodologies that will be in line with regulatory expectations5. Learning from the COVID-19 crisis, banks should be prepared to address and explain any unexpected volatility of their ECL and P&L measures caused by climate risk factors. To address all the above, banks will have develop lot of new models and adjust their existing ones in a situation where there is lot of uncertainty and lack of historical data that can be used for training these new models. Banks therefore need to pay close attention to the risks arising from these new models and include them from the start in the scope of their MRM activities.
parting thoughts It will be interesting to observe over the coming years how the banking industry copes with the challenges arising from climate change. However, one thing is sure, that going through an experience like the current pandemic crisis makes it easier to have discussions with internal stakeholders about the importance of simulations and what-if analysis backed by sound MRM processes. An opportunity now emerges for banking risk managers to work on the efficiency, effectiveness and timeliness of their forward looking ERM and MRM processes, which will be much needed in the years to come for tackling the risks that come either from climate change or from the next pandemic.
4 / Source: Bank of Canada, Scenario Analysis and the Economic and Financial Risks from Climate Change 5 / Source: IFRS.ORG, IFRSÂŽ Standards and climate-related disclosures
Intelligent Risk - November 2020
031
author Peter Plochan Peter Plochan is the Principal Risk Solutions Manager at SAS. As a global domain expert, he helps organizations leverage the latest analytic technologies to solve their challenges around finance and risk regulations, enterprise risk management, risk governance, risk analysis and modelling. Plochan has a Master’s degree in banking and is a certified Financial Risk Manager (FRM) with more than a dozen years of experience in financial sector risk management. Before joining SAS in 2014, he assisted various banking and insurance institutions with large-scale risk management implementations, including working internally and externally as a risk management advisor at PwC. Peter is also a Risk Management trainer for PRMIA where he develops and delivers training on Model Risk Management and ERM & Stress Testing for the global risk community.
Interested in learning more from Peter? Join us for these opportunities: ENTERPRISE MODEL RISK MANAGEMENT VIRTUAL COURSE November 3 – December 8 This popular course is back, completely revised and updated! This 5-week virtual course is a great opportunity for you and your team to dig into the model risk discipline, expand your knowledge, and learn how to deal with model risk in an efficient and effective manner. The course consists of five 90-minute prerecorded sessions, plus a bonus lesson in Week 5.
ENTERPRISE RISK MANAGEMENT IN VOLATILE AND UNCERTAIN TIMES Thought Leadership Webinar – Complimentary to the PRMIA network November 11, 10:00 – 11:00 a.m. EST
ENTERPRISE MODEL RISK MANAGEMENT IN VOLATILE AND DIGITAL TIMES Thought Leadership Webinar Available on-demand
032
Intelligent Risk - November 2020
hallmarks of a data-driven business Despite broad recognition of the value of data, organizations are drowning in a deluge of data, finding it hard to manage their data and extract valuable insights from it. Here are six ways data-driven companies are satisfying the demand for more intelligence.
by Matt Baker Drinking hot water and lemon feels very virtuous. It’s a cleansing, detoxifying drink. But not many people use the peel; and yet it’s packed with nutrients. It’s good for your bones, heart, immune and digestive systems. By doing a quick squeeze and tossing out the peel, you’re depriving yourself of its many benefits. The same applies to data. Data’s potential to unlock new insights and opportunities is motivating organizations to shed their old ways of thinking and adopt a new mindset inclined to spearhead innovation and create engaging customer experiences. This metamorphosis goes to the heart of a digital business and is intrinsic in all they do. It is digital transformation incarnate. Yet, many businesses are only discovering and squeezing insights from a fraction of their data. Most of their data is being wasted. Even worse, the data that they do manage to collect, store and archive is ‘dark data’- data that’s not actually used to drive a business outcome. Despite broad recognition of the value of data, organizations are drowning in a deluge of data, finding it hard to locate all their data, extract it from different sources and silos, and manage access to the right people. Without the right data, these companies are losing out on revenue opportunities due to missed sales opportunities, lost customers, inefficient supply chains and uninformed strategic decisions. But it doesn’t have to be that way. In fact, there’s a swell of businesses on the other end of the spectrum that are putting data to work. We’re not just talking about understanding customer buying habits to sell targeted ads. Data has the potential to reach and influence well beyond that. Data-driven companies are sating the demand for more intelligence by doing the following:
1. taking data real-time Data-driven businesses are harnessing real-time insights from unstructured, semi-structured and streaming data to power increasingly sophisticated data-driven use cases at scale. They’re rethinking their data management strategy in line with the exponential increase in the volume, velocity and variety of data.
Intelligent Risk - November 2020
033
For instance, they’re shifting their data pipelines as they shift their analytics from post-process analysis to real-time. They’re augmenting their data by infusing these pipelines with disruptive Artificial Intelligence/ Machine Learning (AI/ML) capabilities, so their data can now comprehend, act and learn.
2. empowering data scientists These companies are empowering their data scientists by providing the tools and training they need to spend their time doing higher value, skilled analytical work rather than operational tasks. Some of this training may relate to being able to speak in a business vernacular and to the company’s primary commercial drivers, so they can grab the attention of senior decision-makers. Crucially data-driven companies recognize that it takes a village to empower data scientists to harvest data that will propel their organization forward. It’s a company-wide effort. If data is now the lifeblood of their organization, everyone has a part to play – whether that means being part of a scrum team or bridging the gap between the data and the business problem in a product manager role.
3. sharing data beyond their four walls Data-driven businesses are actively enlisting and equipping a far wider base of users – across their organization – to access, share and derive value from data. Some are putting unfettered innovation above proprietary concerns and making their data open-source, to encourage the free distribution and creation of net new data-driven products and services. These organizations acknowledge that the force multiplying nature of data can’t be unleashed unless access is democratized across the company and their people can self-serve.
4. focusing on flow These businesses are adopting data management platforms that span data-oriented roles from data scientists to IT operations, so each component part can work together to make data easier to discover, share, enrich, and activate. Recognizing that data is on the move and needs to reach the whole organization, they’re setting-up data pipelines that deliver incredible flexibility without sacrificing impeccable data assurances. By creating these data flows, data scientists are breaking down silos and applying well-rounded, well-traveled data to specific business problems.
5. being trustworthy and transparent Data governance, data sovereignty, and data compliance are complex, constantly evolving concerns. Datadriven organizations strive to keep abreast of changing guidance and have a keen understanding of their data’s context. Being trustworthy and transparent are their guiding principles. 034
Intelligent Risk - November 2020
They’re always exploring how to safely monetize their data within these parameters. They know how – or have the software that guides and automates how different data should be used or referenced in reports – to avoid potential data privacy violations. They don’t just prioritize the proper handling of data, they’re also acutely aware of the public’s expectation of privacy. With this enshrined, they go above and beyond government regulations such as GDPR and the California Consumer Privacy Act.
6. foraging for anomalies These companies are constantly looking deeper into the stack to re-examine the performance layer and fundamentally rearchitect how to process and better utilize the data they have, as they seek out anomaly data from unlabeled data sets. While anomalous data can indicate critical incidents, such as a technical glitch or a change in consumer behavior – they’re rarer to find. However, progressive data companies are now deploying ML to automate anomaly detection. In short, they never settle with what they know.
one step at a time These hallmarks or attributes require a highly effective, data-driven culture supported by modern tooling to foster fluid innovation. Many businesses are excelling in some areas, but few are doing all of these well. In some respects, the acceleration of data and processing gains is creating a scissor effect. Companies with traditional mindsets and manual processes will fall woefully behind – while those with ready access to data scientists and compute resources will reap a rich harvest. While this might be a modern update of history-old market forces, it runs counter to our belief that technology is a great leveler. In reality, no business should feel excluded or overwhelmed. Small incremental changes can make a significant, positive impact. With the right interventions over time, any business can become a data anywhere, data anytime enterprise.
author Matt Baker Senior Vice President Dell Technologies Strategy & Planning Matt is a creative strategic planning executive with an extensive track record of achievement in developing and driving business, technology, and product portfolio strategies. Matt is Dell Technologies’ go-to leader when it needs someone with the insights of a technologist and the savvy of a business leader. He is currently Senior Vice President of Strategy and Planning for Dell Technologies, plotting the course forward for Dell’s primary growth and profitability engine.
Intelligent Risk - November 2020
035
the changing climate of audit committees
by Rachael Johnson Climate risk has been moving higher up the boardroom agenda throughout the pandemic thanks to an expanding coalition of investors calling for more transparent disclosures aligned with the Paris Climate Agreement and a cohort of central bankers, the Network for Greening the Financial System, stepping up efforts to introduce consistent global norms for integrating climate factors into prudential frameworks. This collaborative responsibility to meet the target of a net-zero economy by 2050 is centered around companies, public and private, and their integral role in limiting climate catastrophe – not just through supply lines but also by impacting value chains and ultimately the way the world consumes. This presents Boards with yet more fresh challenges. It is their fiduciary duty to drive the company’s climate change responses, and given the Paris Climate Agreement’s short-term goal to reduce carbon emissions by 50% within a decade there is a lot of work to be done by Board directors in establishing a fit for purpose framework for that. Whilst the Board oversees and assesses risk governance, it delegates climate risk reporting to subcommittees. New regulations and investor expectations are increasingly focused on that being the responsibility of the Audit Committee. This still can vary across businesses and sectors. If you consider comparing Energy and Financial Services, for example, each has a different stage of evolution given the varied organisational models and existential threats to business. It also depends on whether the company is in the business of selling carbon, selling to customers who use carbon, or financing economic development, which can either exacerbate or help climate change challenges. The Task Force for Climate-related Financial Disclosures (TCFD) has been a helpful impetus in this respect. Likewise, the Financial Reporting Council and Bank of England have played their part in calling for companies to improve their accounting for climate risks. By putting together well-recognised frameworks, they along with TCFD and other accounting standard-setters, for example the Financial Accounting Standards Board, IASB, IFAC, and IFRS, are pushing the climate agenda into Audit Committee metrics. As Audit Committees are finding, measuring carbon emissions directly and indirectly related to the company’s operations is not easy. Carbon accounting is laden with estimates, judgements, and understanding the numbers and their implications is very challenging. Although standards continue to develop and change for the better, they need to become clearer and more consistent, particularly within sectors. Investors are joining forces more and engaging with sub-sectors, for instance in Oil & Gas. In June, British Petroleum announced that it would be aligning its accounting assumptions with the Paris Agreement goals, after much engagement with its investors on improved transparency of climate change risks. 036
Intelligent Risk - November 2020
Enhanced disclosures by certain companies in this sector have demonstrated just how material climate risks are. “Whilst some sectors will be impacted by climate change more than others, all businesses in some form or other will be affected. The energy transition that the world is trying to implement is rewiring our economic DNA. So, it is very hard to see how any sector or company will be untouched by that,” Natasha LandellMills, Head of Stewardship at Sarasin & Partners, commented in a recent Deloitte-sponsored webinar on the topic. More sector-focused initiatives are in the making. In August, the Partnership for Carbon Accounting Financials’ (PCAF’s) released its draft for public consultation on a standard, specifically for the Financial Services industry. The Global Carbon Accounting Standard for the Financial Industry offers asset class methods to measure and disclose greenhouse gas emission financed by loans and investments. In Financial Services, the focuses are on risks to portfolio and lending, including opportunities in real estate and transport, particularly automobiles, while the Energy sector is naturally more focused on its core business and transitioning that into one which is not dependent on carbon production. Conversations might have different angles and be at different levels of maturity, but we have seen them become a top priority for Audit Committees in both sectors. Audit Committees are also more involved with strategy as the risk landscape changes. They are playing a bigger role in what goes into annual reports and statements, particularly around climate but also in nonfinancial and traditional financial numbers. With new regulations around operational resilience on the horizon, the Audit Committee also needs to assess internal control framework and drive new ways of thinking about risk from the top down. Its assurance responsibilities will be increasingly crucial going forward. The assurance industry is going to take on a new meaning in terms of how companies understand the risks that they face; how they measure them; how they measure progress; and, indeed, how this becomes consistent across sectors. Audit Committees will be at the centre of this transformation, as regulations change and digital transformation continues to accelerate.
author Rachael Johnson Rachael Johnson is Head of Risk Management and Corporate Governance for the Professional Insights division at the Association of Chartered Certified Accountants (ACCA). She has over two decades’ experience writing and researching about risk governance. She started her career as a journalist at RISK magazine and lived and worked in the US and Hong Kong before moving to London where she is based. Rachael also heads up ACCA’s Governance, Risk and Performance Forum, which advocates and produces thought leadership and comments for consultations. Intelligent Risk - November 2020
037
risk management – the transformation
by John Thackeray introduction Never before in the age of risk management has so much been asked by so many by so few. Risk management is going through a change management transformation, the likes of which have never been seen before. The key drivers for this change include a persistent volatile environment, a deep longing to be considered a good social citizen, endless regulation, the growth of non-financial risk types, new methods of customer engagement and a need to address past mistakes. The change is being exacerbated by the new operating environment (working from home), which has been enforced by COVID-19, focusing risk management to think differently both in terms of architecture, people, processes, systems and value. This paper looks at the key drivers and the implications that it poses and suggests a meaningful pathway for the future of risk management by means of change transformation.
drivers The current operating environment in which firms find themselves is anything but benign. COVID-19 has deepened structural fissures within an already existing fragile ecosystem. Negative interest rates, increased compliance costs, zombie loans, the continuing levying of fines for anti-money laundering and corruption have eaten into income and capital. Moreover, the persistence of scandals which are highlighted every week by social media have evaporated any good will towards financial institutions. Many financial institutions have been seen as facilitators of tax avoidance and enablers of financial crimes. The reputation of many is such that customer expectations, sentiment, and engagement are low, with very little confidence in both the products and the messaging of the organizations. Simply put, the financial organizations seem to many of their stakeholders to have lost their way, with no moral compass to lead them, leaving behind a bankrupt and obscure identity. Having shot themselves in the foot, retribution has come in the form of heavy regulation partly due to past sins but also as an appeaser towards public opinion. The regulators now have the ready-made excuse to appear in the bowels of financial institutions, dictate terms, with an ever-increasing bright spotlight. This oversight extends and reaches on a global basis with regulation that can be retrospective, leading to unspecified fines for past mishaps from multiple agencies and countries.
038
Intelligent Risk - November 2020
Given the 2008 financial crisis, there is no longer an appetite to shore up financial institutions and indeed there is an intolerance towards any protest from the firms on the growing depth and breadth of new legislation which has dictated. This legislation has led to more detailed and demanding capital, leverage, liquidity, and funding requirements, data privacy as well as higher standards for risk reporting, such as BCBS 239. The financial guard rails have seen stiffened with more detail and requirements in the US banking system with regards to ‘CCAR” (Comprehensive Capital Adequacy Review) and by European Union guidelines with regards to stress testing, both bodies now seemingly dictating capital and dividend policy. The growing of non-financial risk i.e. types cyber, model, climate and conduct has had a dramatic effect on financial institutions and their operations. Each risk now has entered the Enterprise Risk Management portfolio and needs to be addressed with urgency. Model Risk has increased with data availability and advances in computing, modeling, and the need to address in quick order pressing legislation such as “CECL” ‘(Current Expected Credit Losses)”. Climate Risk has maintained its ascendancy as an emerging risk with the Bank of England leading the way both in terms of supervision and legislation. Operational resilience has gained a foothold boosted by COVID-19 with a resultant knock on to reputational risk. Conduct risk has escalated as scandals highlighted by social media question the ethics of firms on how far they will go to boost their profits. All these pressing risks by themselves have sequestered an inordinate amount of energy and cost both in terms of mitigating and reporting.
implications These drivers will have huge implications on the effectiveness and adequacy of business systems and operations. Technology or the increased reliance on it will be seen as a panacea, the gatekeeper that can both thwart the risks and increase the opportunities posed by these drivers. The increased use of technology continues to transform the normal processes and channels of engagement/experience and accentuate the social distancing relationship. Big Data, Machine learning and Artificial Intelligence championed by the burgeoning ranks of the FINTECH are the go-to components to mitigate the effect of the drivers by means of reimagining business processes. As regulations become more complex and the consequences of noncompliance ever more severe, financial institutions will likely have no choice but to eliminate human interventions to hardwire the right behaviors and standards into their operations, systems, and processes. There will be a need for new algorithms to parse the data, which will need to be reviewed and challenged on a constant basis. Where these interventions cannot be automated, robust surveillance and monitoring will be increasingly critical. Increased costs have led to an ever-increasing reliance on automation, both in decision making and processes. The amount of big data being generated will enable the more astute to redesign their processes using a comprehensive data management set of both public and private data sets. Processes such as underwriting will be digitalized, information submitted need only be scanned and verified without any in person engagement.
Intelligent Risk - November 2020
039
Artificial and machine learning will be used in behavioral analysis and remove a lot of the expert judgement required by risk officers, therefore eradicating any biases within the decision-making process. Advances in technology will also help in the key areas of stress testing and scenario planning, especially in evaluation of climate risk within the portfolio. This advancement will lead to the multi-dimensional understanding of risks with complex models that need to be adjusted. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from the traditional use of these with longer time horizons, description of physical variables and generally the non-inclusion of specific economic parameters. These idiosyncrasies mean that data and climate scientists and engineers will need to be absorbed within the existing risk management structure. Moreover, stress testing and scenario planning will also have to incorporate operational sustainability and resilience which may call for significant contributions from external third parties to help complete the analysis and evaluation.
changes transformation The Target Operating Model of Risk Management of the future will be very different, with the risk professionals armed with a new set of technology tools and new skillsets. In order for it be an enabler, the organization needs risk to transform its vision and redefine its role structurally given that many risk professionals will now need to work from a home environment. The main strategy will involve a heavy reliance and incorporation of new technology to both right size and reimagine risk management practices. Listed below are some suggestions, which no doubt can be modified depending on the size and complexity of the organization. • Risk management will be seen as foremost Firm Culture Champions and then Risk Culture Champions. Building and maintaining these identical and symbiotic cultures will be critical to ensuring the success of both the enterprise and risk function of the future. The combination of these cultures is likely to be a requisite element in a firm’s future competitive advantage. The secret recipe is to start with the risk culture first and then distribute and evangelize, so that both cultures will include a vision that will include the advocation of a strong corporate value. In order for this to take root, the firm will need to monitor and survey on a regular basis the action of its employees, no doubt enhanced by technology. • The Chief Risk Officer (“CRO”) will be seen as a Champion of the firm and will be one of the stronger internal candidates to succeed the CEO. He/She will have to become an exceptional narrator who, armed with data, can convey and articulate the message of today. The brave new normal will call for greater transparency around disclosures concerning IT/Supplier disruptions, Operational resilience, Cyber-attacks, Sustainability, Climate change. The CRO must be able to engage in the conversation with the right message and be the voice piece of the firm backed by the data.
040
Intelligent Risk - November 2020
• The risk stripes will have to be reorganized structurally around correlated risk stripe clusters e.g. Fraud, Operations, Technology, IT Security, Compliance, Human Resources, Model, Conduct, and Reputation Anti Money Laundering will all come within the same coordinated structure and governance rather than standalone silos. The synergies will result in smaller teams of agile multi discipline staff with a depth and breadth of knowledge in one or more of these subject areas. • The Risk Personnel with be multi trained in data analytics as a starting point and have the ability to match this with practical experience in all risk stripes. The tour of duty will include cross training in the various risk disciplines which will enable the team to speak a common language while applying consistent standards. Risk professionals will be expected to wear many hats, expectations high on delivery and communication skills. • The risk management ecosystem will demand a comprehensive enterprise wide data base which is expected to help financial institutions create a repository for all types of structured and unstructured data. Since risk functions in the future are expected to become increasingly data driven, the supporting data infrastructure is a critical enabler. This data will have many uses and create a data driven analytical risk area which will need to be resourced by staff with multiple skill sets. Understanding the data will improve overall quality, aggregation capabilities, and riskreporting timeliness thus affording the management information systems to be displayed in a means that offers the users, a great deal of information in real time, improving the quality and timeliness of fact-based decisions.
passing thoughts Broader responsibilities, better trained, smaller, multi risk disciplined, data hungry, these will be the new requisite qualities of risk personnel. Change will happen. The question is - are you willing to embrace the change or not. The firm that thinks ahead with this mind set will be the one left standing not only with a competitive advantage but also with an enhanced reputation.
author John Thackeray John Thackeray is the founder and CEO of Risk Smart Inc., a consulting firm that helps firms control their risks by writing polices, frameworks and procedures. John is an established risk thought leader and writer.
Intelligent Risk - November 2020
041
evolution of risk management post COVID-19
by Vivek Seth implications of the pandemic The current COVID-19 pandemic crisis has perplexed us all with its unexpected arrival this year and with its exponential spread of infections. Apart from the sudden global shock and knee-jerk halt of the world’s status quo, this pandemic is expected to have lasting economic, political and social impacts in the upcoming years. We now face the risks of long-term contraction in international trade, increasing protectionism across nations, and decline in morale of social masses. As we are coming to terms with the extent of the pandemic outbreak, institutions need to understand how the world is likely to operate once the pandemic spread has subsided and global lockdowns are over. One important implication for the corporate world is to enhance their risk management frameworks and adapt adequately to new risks brought upon by the pandemic.
key elements of a risk management framework Broadly speaking, risk management refers to the discipline of identifying, assessing, and controlling threats to an organization’s capital, earnings and long-term viability. Depending on the business context, institutions have departments dedicated to managing threats arising from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, IT security issues, accidents, and natural disasters.
Figure 1. Risk Management Framework: Key elements
042
Intelligent Risk - November 2020
Risk management discipline allows organizations to minimize such risks and therefore avoid unnecessary expenditure before they materialize in large scale. Traditional risk management frameworks include management of credit, operational, financial market, IT, and client conduct risks. As a result of the COVID-19 pandemic, we can expect to see the following evolution of risk management practices in upcoming years:
Figure 2. Broad categories of Risk Management
digitalization in risk management This is an opportunistic moment for corporations to adopt technological innovations in risk management processes such as tools for real time monitoring of business transactions, flexible reporting, and efficient audit logging features. Digital transformation in corporations in the past have been driven primarily by cost competitiveness, and this trend will further grow exponentially in upcoming years. The pandemic crisis has made apparent the need for cloud-based and online risk management tools so that, in times of business disruptions, critical risk management work can be continued without interruption. Virtual governance meetings, adoption of internet-based software solutions, and usage of tools with remote log-in features from home or across different geographical locations are becoming the norm for effective risk management implementation. Such IT transformation enables organizations to benefit on economies of scale while staying competitive and agile in their approach towards managing business issues within their risk appetite. Online media-based risk training will also be the new way of creating awareness amongst employees and customers. This move will enable organizations to streamline their risk management capabilities and operate on a more long-term cost-effective basis.
Intelligent Risk - November 2020
043
decentralized and local setup of risk management One key lesson organizations have learned in this crisis is that it is crucial to have the subject matter expertise within close proximity and the same time zone of local business, especially in times of restricted travel and people movement. Having few centralized teams for catering to global business operations may prove to be a weak link if the hosting geographical location is impacted by a crisis like the current pandemic. This was evident in many manufacturing businesses this year whose supply chain primarily relied on operations in China, and global goods supply shortages were faced when quarantine measures were taken in China. It is expected that, in the upcoming years, more organizations will set up their risk departments locally with trained personnel that can address risk and compliance matters per local government and customers’ expectations. Companies that fall behind in adjusting to these local talent hiring measures are likely to lose their customer market to their agile competitors.
emergence of new risk management areas In the last decade, businesses across the world have become much more cognizant of their responsibilities towards climate and socio-economic aspects of business operations. The pandemic crisis is bringing further light to such issues as public health management, corporate social responsibility, and long-term issues of industries with high carbon footprint. The crisis has made it very obvious that changes in one part of the world are closely interconnected with the rest of the globe. To address issues as complex as climate change, public health, access for all to hygienic living conditions etc. – collaborative efforts are needed across nations, international organizations and individual corporations. As part of demonstrating this global citizenship behavior, organizations would be expected to have good governance on global impact issues. As a result, we are likely to see new areas in corporate discussions such as effective management of health insurance of employees, company investment in ventures with positive sociological impact, usage of local partners in the supply chain etc. These new areas will eventually evolve into more traditional quantitative disciplines that will help firms demonstrate their commitment to their long-term sustainability vision.
management of risk averse customers post pandemic Post lockdown, altered patterns of social behavior may be seen across the world on how we interact with each other, consume resources and prioritize our personal goals. Consumers are likely to emerge from the crisis more risk averse and to prioritize their spending, especially given the financial hardships attributed to the pandemic lockdown. Customer spending patterns in dining, leisure travel and large scale gatherings are likely to be reduced in the near future. Institutions will need to take into consideration such risk averse behaviors in their corporate risk appetite and while planning for daily operations. Organizations not adapting to these post-COVID altered scenarios in a timely fashion could end up facing business losses, rise of customer complaints, legal reprimands and reputational issues, if revised client preference and buying patterns are not adequately understood ahead of time. 044
Intelligent Risk - November 2020
risk management arising from disruptive business alternatives During this crisis, the world has witnessed the rise of many alternative business strategies, as traditional business operations came to a sudden halt. In the entertainment industry, online streaming services have gained a wide customer base during the crisis. Staycation - the concept of spending holidays at or nearby home, are becoming popular alternatives to overseas vacations. Plant-based diets have also gained popularity amidst fears that a future pandemic could arise from meat product consumption. Online payments, digital banking, cryptocurrencies and digital assets have gained mass interest during lockdown. Traditional businesses across the world have to incorporate the rising competition posed by these disruptive alternatives in their strategic risk assessments. It is also an opportunity for corporations to upgrade and enhance their operational infrastructure, funding and strategic plans to adapt to these changing business dynamics.
evolution of risk management post COVID-19
conclusion The year 2020 will certainly be remembered in history for the COVID-19 pandemic, but it could perhaps also be remembered for organizations adapting to the new status quo of doing business and evolution of risk management strategies. As part of tackling the downside of a pandemic, organizations can take this time as an opportunity to enhance their risk management frameworks and adapt adequately to new risks brought on by the pandemic.
Intelligent Risk - November 2020
045
Key enhancements could include digitalization of risk management processes, adoption of a decentralized setup for risk governance; development of new risk disciplines such as climate change and impact investing, adjusting risk plans for new consumer behavior and risk oversight on disruptive business forces. Governments, business and societies that rise to these risk challenges and strive towards the enhancement of risk management discipline will ultimately emerge successful in the long term.
author Vivek Seth Vivek Seth is a Singapore citizen, with over 15 years of Compliance & Risk Management experience in Financial Industry. His work experience spreads across Singapore, Dubai and Australia along with business assignments carried out in Hong Kong and Switzerland. He holds an M.B.A. and also the PRM™ professional certification. This article presented here represents author’s personal views and not that of his current/previous employers or any professional bodies he is associated with.
046
Intelligent Risk - November 2020
risk management practice changes due to COVID-19
by Fatema AlSaad change is inevitable These are unprecedented times with unparalleled impact on our livelihoods, health, unemployment, GDP, government support, etc. Those risk managers who thought that they “have seen it all” during 2008’s financial crisis, or that it couldn’t get as bad as the 1930s Great Depression, were in for a big surprise. If 2020’s COVID-19 proved to us one thing, it is that nothing is stagnant. The butterfly effect will always exist, and in order for our risk management approaches not to fail us when we most need them to work, we need to continuously ensure that they are evolving and viable. There is no doubt that the practice of risk management is going to change. Although the magnitude of this change will only be realized when we reach the end of this pandemic, we can recognize the areas in which change will be more prominent. This article aims to summarize some areas in which the impact on risk management practices will be observed in the short run.
credit loss factors Risk modelers will need to take more care when deciding which factors to include in credit models. They will need to dig deeper to understand the true factors impacting credit losses. For example, it has been a popular practice to include unemployment in expected loss models, and a high correlation has been observed between unemployment and default rates over the years. However, COVID-19 changed that. As unemployment soared in March and April, government packages supporting households moved default rates in the opposite direction from what was expected. In econometrics, this is an omitted variable issue: when leaving out an important variable, the estimated coefficient may be biased and produce unreliable results. A correction to these credit models might be to substitute unemployment with income: borrowers stop paying with their incomes are disrupted, not merely when they are unemployed1.
cyber resilience The spread of COVID-19 has triggered the biggest global shift toward “Work-from-Home” in history. Therefore, a resilient cyber risk management system is essential for companies to remain operational and secure. Organizations need to train employees to detect phishing e-mails and report them, and they need to install up-to-date antivirus and monitoring tools.
1 / DeRitis, C. (2020), COVID-19 Broke My Credit Loss Model, GARP. Available at https://www.garp.org/#!/risk-intelligence/credit/all/a1Z1W000005W8ehUAC
Intelligent Risk - November 2020
047
This pandemic has proved that companies who did not place high emphasis on their cyber security have suffered strains on their IT systems, hardware and personnel. Better prepared companies found it easy to migrate to, and maintain, network integrity through Virtual Private Networks (VPNs) and multi-factor authentication. We will likely observe a change toward pushing cyber risk up the priority list, including it in well-documented periodic business continuity simulation plans, and purchasing robust cyber insurance policies2.
a new management mindset Although global pandemics may arise every few decades, disruptive regional outbreaks are happening more often. Since companies’ operations and customers are becoming more global, risk managers must be ready to manage outbreak effects wherever they occur. Pandemics will no longer be thought of as events of low probability and high impact. Mere focus on employee wellness and healthcare is no longer viable. We will be seeing more emphasis on securing of operations, supply, and distribution channels. Also, active relationship management will substitute any current one-sided communication with employees, customers, investors, and stakeholders. An engagement in public-private information sharing and the building of trust networks will reduce the risk of negative overreaction that contributes to economic losses arising from pandemic outbreaks3.
active climate risk management This year, The World Economic Forum has recognized climate risk as one of the top five risks facing the economy by likelihood and impact severity. This, and the impact of COVID-19, will result in a more proactive approach in including Climate Risk in companies’ Enterprise Risk Management (ERM) plans. We will see more active assessment of financial and non-financial impacts of climate change, as well as various scenario analyses as to how a company’s performance will be impacted by specific climate factors instead of generic vague statements. It should not be a surprise if Boards proactively highlight the importance of such analysis and if a designated climate risk board committee is formed4. Climate change, just like pandemics, lead to systemic risk that can manifest at any time. And, although many companies have included environmental initiatives in their Corporate Social Responsibility plans, more enforceable and a wider set of national and internal policies to guide companies in the direction of active climate risk management are likely to be observed over the upcoming years.
2 / AON (2020), Cyber Risk Implications of the Coronavirus Outbreak, AON. Available at: https://www.aon.com/getmedia/fc789882-0d2c-4ed9-bfdb-1a5d22cf274f/Cyber-Risk-Implications-Of-The-Coronavirus-Outbreak-COVID.aspx 3 / World Economic Forum (2019), Outbreak Readiness and Business Impact. White Paper. Available at: http://www3.weforum.org/docs/WEF%20HGHI_Outbreak_Readiness_Business_Impact.pdf (Accessed: 20 August 2020) 4 / Saltman, H. (2020), How Boards Can Use COVID-19 to Plan for Climate Change Risk. Available at: https://www.brinknews.com/how-boards-can-use-covid-19-to-plan-for-climate-change-risk/
048
Intelligent Risk - November 2020
conclusion COVID-19 seems to have uncovered shortcomings in many risk management approaches and is leading to many changes to improve corporate resilience and responsiveness to emerging risks and changes. However, the ability to implement required changes has never been easier. Companies that take advantage of the availability of data, technologies and communication platforms, will find themselves in a competitive advantage and with increased economic resilience.
author Fatema AlSaad, PRM, MSc. Senior Risk Officer, Bank of Bahrain and Kuwait Fatema AlSaad became a certified Professional Risk Manager in 2019. She holds a Master of Science in Risk Management from University of Southampton, UK. Fatema is currently holding a Senior Risk Manager position in the Bank of Bahrain and Kuwait which is the second largest local bank in The Kingdom of Bahrain. Fatema is handling many projects within her bank and department such as the IFRS9 Expected Credit Loss system, ICAAP and Stress Testing. She has worked in both Market Risk Unit and Credit Risk Unit gaining experiences in both aspects.
Intelligent Risk - November 2020
049
operational risk frameworks in the age of COVID-19: in data we trust!
by Thibaud de Barmon The past 10 months have changed firms’ operational landscape in ways that few would have thought possible. To date, this change hasn’t led to major disruptions, but there is no doubt that the level of operational risks firms are now exposed to is on the rise. What does this mean for the practice of operational risk? Because the current changes are both profound and lasting, we believe they will particularly impact the way risk frameworks anticipate, measure and communicate. For operational risk this will mean major adjustments in three areas: more complex and dynamic scenario analysis; more granular self-assessments of the risks and controls; and agile reporting and escalation of risks and vulnerabilities. This article looks at each in turn.
the development of scenario analysis Firms’ operational environment is still very much in flux, and a new normal is still at least several months away. Yet new constraints are profound and environmental changes are very uncertain. For operational risk managers forward-looking tools will thus be crucial, and the scenario analysis process will be the key one. Through well-designed scenarios, risk managers can assess both the first and second order impacts of any operational risks. Seven months into the worst pandemic in a century, the first order impact of a pandemic is now pretty much known: thanks to the rapid adoption of remote working, it appears financially and operationally manageable. The longer-term and second order impacts on the contrary are still incredibly uncertain, as much as possible firms should try to anticipate them. This is no easy task, but we believe that it can be achieved by extending and refining the following three types of scenarios: • The scenarios most impacted by changes in the business environment because these lead to increases in impacts of many other events such as rogue trading, modelling failures, and processing errors. • The scenarios most impacted by the loss of access to the more secure legacy workplaces because remote working weakens external defenses and increases the chances of successful intrusions such as cyber intrusions, data leakages, and external frauds.
050
Intelligent Risk - November 2020
• Adjacent to this, the scenarios most impacted by the loss of proximity between first and second lines because these weaken internal controls and thus increase both the probability and impacts of rogue trading, processing errors, and internal fraud events. The challenge is that most of these impacts are bound to grow gradually over time as increased distance between staff, lower productivity, and looser controls lead to bigger internal disruptions and failures. Scenario analysts may thus consider longer time horizons (several years rather than a few months to a year) and more complex measurement techniques (use of split storylines). Such added complexity is certainly a challenge but also an opportunity for their operational risk functions as their transversal and multi-disciplinary constructs will make them the best placed to respond to these challenges.
self-assessments of risks and controls In a still fluid risk environment, backward-looking tools are bound to be challenged. Risk Control SelfAssessments (RCSAs) will be no exception, especially in their ability to assess new inherent risks. Yet RCSAs still can be very useful in their ability to determine in granular and analytical fashions the difference between inherent and residual risks. This difference will be particularly helpful in assisting the measurement of second order impacts we mentioned in the previous section. Yet this requires detailed internal data on key controls with a particular attention to those impacted by the new constraints, especially the large-scale adoption of remote working. We see here four areas of focus: • Time-critical external controls especially daily ones (payment releases, transaction matching, settlements) because their deterioration is often very gradual but their failure can lead to major disruptions. • Performance-based external controls such as call-handling and fraud detections. These too should be particularly sensitive to staff and productivity levels and their deterioration if they persist could lead to widespread frauds or litigations. • Independent but co-located internal controls (P/L, risk reporting, scoring, model validations) between first and second-line functions. Lockdowns and remote working have made those controls more formal, time consuming and highly dependent on quality of risk data. Their performance thus needs to be monitored carefully. • Lastly, firms should consider improvements during the pandemic may be the sign of reduced activity that have been achieved at the expense of future risks and controls. Firms should thus consider if improved change controls actually mean too many changes to allow safe executions further down the line.
Intelligent Risk - November 2020
051
Overall, RCSAs will need to be less backward-looking, more predictive, and more dynamic and identify changes in both external and internal behaviours. These will require more frequent and granular assessments and harnessing far wider sets of internal data than is currently the norm.
reporting and escalation of risks and vulnerabilities Reporting risks in a stress environment is always a challenge because both risk exposures and risk appetites keep changing. For operational risk this implies a move towards forward-looking, sensitivity-based reporting which is particularly difficult because of the small size of the historical and external data available. Transaction records, life-cycle events, staff levels, customer queries and complaints, system availability and performance, the universe of data available to assess operational stress is vast and can make a big difference. We would therefore recommend firms to substantially extend the use of these datasets and go far beyond RCSAs and scenarios. They could consider performance indicators and cross-reference them to dynamically predict levels of operational stress for key functions and services. Doing so requires substantial data mining and machine learning capabilities but also transversal and multidisciplinary expertise that is often present in operational risk functions. The development of such capabilities is probably the biggest challenge and the greatest opportunity this pandemic may bring to the practice of operational risk.
conclusion The pandemic and the profound changes in the operational environment that go with it will stretch many operational risk frameworks to their limits. Key elements such as scenario analysis and RCSAs are bound to be challenged but coupled with the right multi-disciplinary expertise and new data-driven technologies they could also be transformational and turn operational risk frameworks into sophisticated and highly-effective risk management platforms. In doing so they have the potential to turn the operational risk discipline into, not just a useful function, but an indispensable one for both firms and their regulators.
author Thibaud de Barmon Thibaud de Barmon has been working in financial services’ operations for the past 25 years, first as a practitioner, running large investment banking programmes and backoffices and as a UK regulator. From 2008 to 2020 at the FSA and the Bank of England he ran the department of risk specialists dedicated to change, IT and operational risks. He was particularly involved in the supervision and policy developments of operational risk and resilience, banking restructuring, structural reform, Brexit and Fintech. He now runs Milton House, an advisory consultancy dedicated to operational effectiveness and operational resilience in financial services. 052
Intelligent Risk - November 2020
How do I lead in these turbulent times?
How can remote work help me and my business? How do I communicate business plans amid uncertainty? How should I handle difficult remote conversations with my customers and employees?
Uncertain Times Call for Trusted Facts. PRMIA Sustaining Members have complimentary access to The Wall Street Journal. Become a member today at www.prmia.org
Š 2020 Dow Jones & Co., Inc. All rights reserved.
PRMIA volunteer profile - Kathryn Kerle
by Adam Lindquist PRMIA Director of Membership
Adam
Along with your PRMIA role, what is your “normal� job?
Kathryn I am Chair, Audit, Risk and Evaluation Committee of the Microbiology Society and Adviser to the Board of Urgentem. Previously, I was Head of Decision Making, Royal Bank of Scotland.
Adam
What are some of the benefits you have found with being active with PRMIA?
Kathryn I think there have been two key benefits: keeping up with developments in risk management and developing relationships with risk professionals across the industry. When I joined PRMIA, I was in a role at RBS that was very inward-facing. I was keen to meet risk professionals at other organizations, and PRMIA gave me the means to do so.
Adam
Why do you recommend that people should volunteer?
Kathryn I think being involved with PRMIA can really boost your career in risk. You meet a wide range of risk professionals, from subject matter experts to senior executives. And, because you work with them on various events, you really get to know them. In the process, you run the risk of learning something. Finally, it is fun.
Adam
What kind of professional benefits have you experienced by volunteering?
Kathryn I have developed skills in chairing committees as well as moderating panel discussions. And, I have learned about a wide range of risk issues, from the challenges of diversity and inclusion to the implications of open banking.
Adam Kathryn
054
I have found that volunteers often are involved with a few organizations. Are you the same? Yes, along with PRMIA I am a member of the London Committee of Human Rights Watch.
Intelligent Risk - November 2020
Adam
What time management tips would you suggest to others to make volunteering worth their time?
Kathryn
As Chair of the London Chapter, I try to make sure that we are realistic in our expectations of volunteers. And I try to make sure we are all clear on what we expect of volunteers and what they can expect from us. On a personal level, I try to plan ahead as much as possible to make sure I can fit everything in.
Adam
Thank you, Kathryn for your great insights.
There are a variety of short- and long-term PRMIA volunteer opportunities available. VIEW VOLUNTEER OPPORTUNITIES
interviewee Kathryn Kerle Kathryn Kerle serves as the Chair and Co-regional Director of the PRMIA London Chapter, one of our most active. I caught up with Kathryn to get her perspectives on the role of volunteering and her take on why others might want to consider doing it as well.
Intelligent Risk - November 2020
055
calendar of events Please join us for an upcoming training course, regional event, or chapter event, offered in locations around the world or virtually for your convenience.
PRM™ SCHEDULING WINDOW September 12 – December 18
PRICING AFTER LIBOR November 10 – Webinar sponsored by Arrayo
THE WORLD OF RISK POST-PANDEMIC WILL NEVER BE THE SAME November 10 – PRMIA Boston Virtual Event
ENTERPRISE RISK MANAGEMENT IN VOLATILE AND UNCERTAIN TIMES November 11 – Thought Leadership Webinar
REMOTE THREATS: INSIDER RISK AND THE REMOTE WORK PARADIGM November 12 – Thought Leadership Webinar
PRM™ TESTING WINDOW November 16 – December 18
RISK LEADER SUMMIT November 17 – 18 – Risk Leader Virtual Event
056
Intelligent Risk - November 2020
FRTB AND CREDIT & COUNTERPARTY RISK November 17 – PRMIA Hong Kong Virtual Event sponsored by Bloomberg
COVID-19: CREDIT IMPLICATIONS FOR INSURANCE COMPANIES November 18 – Thought Leadership Webinar
TO BE UPDATED
RISK/FINANCE ARCHITECTURES USING A DATA-DRIVEN APPROACH November 19 – Webinar sponsored by BearingPoint
2021 PRMIA RISK MANAGEMENT CHALLENGE December 1, 2020 – April 19, 2021
AUDITING RISK CULTURE THROUGH HUMAN FACTOR RISK December 2 – Thought Leadership Webinar
TO BE UPDATED
COMPARATIVE BACKTESTING OF THE EXPECTED SHORTFALL December 9 – Thought Leadership Webinar
Intelligent Risk - November 2020
057
INTELLIGENT RISK knowledge for the PRMIA community ©2020 - All Rights Reserved Professional Risk Managers’ International Association
