INTELLIGENT RISK knowledge for the PRMIA community
April 2020 ©2020 - All Rights Reserved Professional Risk Managers’ International Association
CONTENT EDITORS
Steve Lindo, Principal, SRL Advisory Services and Lecturer at Columbia University
Dr. David Veen, Director, Evaluation Services - IT at Western Governors University
Nagaraja Kumar Deevi, Managing Partner | Senior Advisor DEEVI | Advisory | Research Studies Finance | Risk | Regulations | Digital
INSIDE THIS ISSUE
Editor’s introduction
Global model risk incurred by the LIBOR transition By Patrick Toolis
Climate risk: its implications for financial institutions By John Thackeray
Cyberwarfare: an emerging global risk impacting our society By Vivek Seth
Aggregated vendor risk - the cyber security blind spot By Angelina Yang, David Zelinger, Thomas Lee, Nagaraja Kumar Deevi
The Bank Asset-Liability Committee (ALCO): ensuring effective governance and risk management By Moorad Choudhry
Developing cultural capital – board level impact By Nagaraja Kumar Deevi
How US intelligence services analyze global risks like Covid-19 By Steve Lindo
How to develop risk appetite statements that align with an organization’s governance activity, senior management’s vision, and core business needs/requirements By Jason Thompson
De-biasing financial models By Francesca Bergamaschi, Anna Slodka-Turner, Steve Lindo
Why focus on human capital risk? By Oleg Lebedev
PRMIA member profile - Michelle Allade By Adam Lindquist
PRMIA Vancouver spotlight
Probit analysis for financial attitude: case of Kazakhstan By Maya Katenova
PRMIA calendar of events
SPECIAL THANKS Thanks to our sponsors, the exclusive content of Intelligent Risk is freely distributed worldwide. If you would like more information about sponsorship opportunities contact sponsorship@prmia.org.
FIND US ON
prmia.org/irisk
@prmia
Intelligent Risk - April 2020
editor introduction
Steve Lindo Editor, PRMIA
Dr. David Veen Editor, PRMIA
Nagaraja Kumar Deevi Editor, PRMIA
In January, when we selected the theme of Global Risks for this issue of Intelligent Risk, we did not remotely anticipate that the economy, financial markets and society would be disrupted on a global scale by the COVID-19 public health crisis. Neither did the PRMIA Sustaining Members who contributed an impressively diverse set of articles addressing portfolio risk, risk culture, risk processes and operational risks. These articles range in topics from climate change, cyberwarfare and vendor risk to human and cultural capital, risk appetite, the role of ALCO and model risk. Nevertheless, we have been able to include an article that acknowledges the unprecedented decision-making risks prompted by COVID-19. While we thank this issue’s authors for their thoughtful contributions, it seems appropriate to conclude this editorial with a reminder to all risk professionals that our cognitive, behavioral and technical skills are never more needed than in times of crisis like this.
Tom Wilson announcement
PRMIA board member Tom Wilson named Chief Risk Officer of the year
Congratulations to Tom Wilson, Chief Risk Officer of Allianz SE and member of the PRMIA Board of Directors, on being named Chief Risk Officer of the Year by InsuranceERM.
“I would like to congratulate Tom on being named InsuranceERM CRO of the year. This is a significant honor that is extremely well deserved. We are all indebted to Tom and the work that he has done to promote and advance the risk management profession.” Ken Radigan, PRMIA CEO
“I am honored by my peers to be voted CRO of the Year by InsuranceERM,” shares Tom. “As the old adage goes, we have been ‘lucky to live in interesting times’ - rising shareholder expectations, low interest rates, geo-political instability, rising conduct concerns, potentially adverse solvency II reviews, climate change, cyber risk and rapid technological transformation - a potentially volatile mix! My belief is that the risk management profession has adapted well to these dynamics, supporting both our businesses and our customers!”
global model risk incurred by the LIBOR transition
by Patrick Toolis
At first glance, the interest-rate migration away from the London Interbank Offered Rate (LIBOR), which is scheduled to begin by December 2021 in the United States and the United Kingdom, is little more than a market-data issue [1]. Rates such as three-month LIBOR will be replaced by their equivalents in SOFR, SONIA, etc., depending on the currency involved [2,3,9,10]. However, the revised underlying instruments, calculation methods, and collateralization underlying the rates mean that the levels of these interest rates may deviate from those of comparable LIBOR. In addition, uncertainty about which new reference rate is the standard for a given tenor and the lack of established derivatives products based on the new rates may introduce both new arbitrage opportunities and interest-rate risk. Lastly, the operational overhead of modifying existing derivatives contracts that will still be in effect during the rollover, so that the contractual term LIBOR can be replaced with some permutation of the new reference rate and a spread, may be non-trivial. While these changes to the current trading workflow pose several risks, the model risk induced by creating models taking as input reference rates which did not exist during the time periods spanned by historical training data sets may be a more substantial long-term danger.
new overnight benchmark risk-free rates
SOFR (United States)
SOFR is an acronym meaning Secured Overnight Financing Rate and is an average of interest rates paid on US Treasury repurchase agreements [2,4]. This standard was proposed as a replacement for LIBOR in 2017 by the Alternative Reference Rates Committee of the US Federal Reserve Bank. It is published daily by the US Federal Reserve Bank of New York [2]. This rate is used, along with the long-established US Effective Federal Funds Rate, as the reference rate for overnight index swaps (OIS) [2,8].
SONIA (United Kingdom)
This acronym stands for Sterling Overnight Index Average, a benchmark published by the Bank of England (BOE). It represents an average of rates used in unsecured sterling overnight interbank loans reported to the central bank. The BOE estimates that about thirty trillion GBP in assets are valued using SONIA annually, and Wikipedia indicates that about twenty-one percent of the floating rate bond market referenced SONIA in 2018 [9,10].
derivatives valuation under the new rate regimes
Eurodollar/Other Money-Market Futures
The Eurodollar futures contract (CME) and Short Sterling contract (ICE) are exchange-traded futures directly tied to the three-month LIBOR quote in US dollars and pounds sterling [6,11]. Plans exist for the Eurodollar contracts to be converted to SOFR as needed, and a similar translation of Short Sterling to SONIA could likely occur [5]. Whether liquidity in the new contracts is sufficient to enable a smooth transition is one issue, but a key concern to those using quantitative models to price the contracts and pair them with other securities in strategies is whether the yield curve models will translate between benchmarks (assuming that traders ultimately will transition to futures on the alternative rates). The collateralization of the loans underlying SOFR, and the discrepancies in calculation and reporting for all of the new rates may induce permutations in the correlations of the rates to other macroeconomic data or financial metrics. Since these rates were not prominently featured in the past, obtaining datasets which allow them to be considered alongside factors such as employment, GDP, or news sentiment may be a challenge.
Swaps
A vanilla interest rate swap involves exchanging fixed-rate interest payments (the swap rate defined at contract initiation) for floating-rate interest payments (based on a benchmark such as LIBOR). Thus, the primary goal of a model is to estimate a sequence of forward interest rates (from which forward yield curves can be derived). In addition, some credit risk may need to be taken into account, depending on the counterparty, clearing method, and collateralization. The change from LIBOR to SOFR/SONIA/€STR means that any data input into models based on the risk-free spot rate or any forward rates quoted/implied in the market will need to be drawn from different sources and possibly spread-adjusted. In addition, any forward rate models based on historical data, such as neural networks or decision trees, would need to be trained, in most cases (some historical SONIA data may be available), on an older analog of the rate now used (e.g. train using an adjusted LIBOR rate as SOFR).
Swaptions/Caps/Floors
These three products are interest rate derivatives with a contingent claim. For example, a fixed payer swaption gives the owner the right to enter into a swap in the event that the swap rate is above the strike rate at maturity. A cap pays if the floating rate is above the strike rate, and a floor pays if the floating rate is below it. These options might be valued with a variant of the Black-Scholes model where the underlying is either the swap rate or the floating rate. Tree-based models to approximate the possible movements of the short rate are also well-documented. However, parameters such as the volatility of the swap rate or the probability density of interest rate moves over a given time period may depend on models requiring historical data. Should this data be culled from times prior to the creation of the new rates, model risk could be incurred (e.g. if historical Treasury repo rates somehow deviate from SOFR).
Mortgage-Backed Securities (MBS)
A vanilla pass-through mortgage-backed security has the cash-flow characteristics of a normal corporate bond (interest payments, default risk, principal return). In addition, the amortization of principal return and the substantial volatility in this principal remittance due to prepayment risk make the models for these securities somewhat distinct. Prepayment is historically linked to interest rates such as the effective federal funds rate, suggesting that models taking a narrow position on prepayment will use a rate such as SOFR/SONIA/€STR as an input. The default modeling might be influenced by the current and forecast spread above the (term-adjusted) overnight rate reflected in the MBS weighted average coupon. Discounting of payments to arrive at valuation will of course involve an application of a new risk-free rate as well. More exotic collateralized mortgage obligation (CMO) instruments, involving inverse floating-rate notes, tranching of the securities, and planned amortization classes, might involve more complex models with more subtle adjustments due to the interest rate change.
Credit Derivatives
Credit derivatives are instruments where both interest rates and the default risk of an issuing party are factors in the valuation. For example, in a credit default swap (CDS), the CDS premium is the quarterly amount (percentage of notional) paid to ensure that the discounted expected value of the premiums equals the discounted expected value of all amounts received over the life of the swap. The premium, though, is also the credit spread above the risk-free rate (traditionally LIBOR) for the appropriate tenor, as the “protection buyer” of a CDS is purchasing insurance against ratings downgrades, defaults, and other credit events. Thus, as the overnight rate fluctuates, the term-compounded rate used as the risk-free rate over the premium period also moves. If the risk-free rate rises and the premium remains the same, arbitrage opportunities involving the CDS and corporate bonds may arise. Cash flows paid and received under the swap need to be discounted using the current yield curve, as well. Historical macroeconomic models designed to determine relatively strong and weak firms for credit investment may depend on the short-term rate, so training such models with the correct approximation of SOFR/SONIA/€STR will be critical.
Figure 1: Impact of LIBOR transition on major derivatives products
conclusion
On the surface, the LIBOR migration is primarily one of nomenclature with some minor calculation adjustments. Three-month averaged SOFR and three-month LIBOR do seem to follow similar trajectories [2]. However, given the enormous notional of exchange-traded and OTC derivatives tied directly (e.g. Eurodollar futures) or indirectly (e.g. MBS) to short-term interest rate levels, the impact of any change to this data point can be significant. Portfolio credit risk and interest-rate risk, both components of Basel capital requirements, might need to be reconsidered in light of the change in reference rates. In addition, any machine-learning or statistical models which are calibrated using historical data might have to consider the disconnect between the rates available in the past and the rates used to value today’s derivatives. Validation and modification of models to accommodate the new benchmark rates may be critical to effective risk management across asset classes.
references
1. Wikipedia contributors. (2020, February 13). Libor. Wikipedia, The Free Encyclopedia. Retrieved February 24, 2020 from https://en.wikipedia.org/wiki/Libor
2. The Alternative Reference Rates Committee. A User’s Guide to SOFR. April, 2019. Bank of the Federal Reserve and New York Fed. Retrieved February 21, 2020 from https://www.newyorkfed.org/medialibrary/Microsites/arrc/files/2019/Users_Guide_to_SOFR.pdf
3. Thomson Reuters. Factbox: The global benchmarks replacing Libor. Reuters.com. Retrieved February 24, 2020 from https://www.reuters.com/article/us-britain-libor-transition-factbox/factbox-the-global-benchmarks-replacing-libor-idUSKBN1WN0HN
4. Wells-Fargo Research Team. Get Ready for SOFR: A Primer. FXStreet. Retrieved February 24, 2020 from https://www.fxstreet.com/analysis/get-ready-for-sofr-a-primer-202001311413
5. Stanton, Elizabeth. LIBOR’s Demise will Upend How Hugely Popular Derivatives Work. Bloomberg. Retrieved February 24, 2020 from https://www.bloomberg.com/news/articles/2019-11-12/how-libor-s-demise-impacts-a-hugely-popular-derivatives-contract
6. CME Group. Eurodollar Futures Contract Specs. Futures and Options Trading for Risk Management-CME Group. Retrieved February 24, 2020 from https://www.cmegroup.com/trading/interest-rates/stir/eurodollar_contract_specifications.html
7. European Central Bank. Euro short-term rate (€STR). European Central Bank, Eurosystem. Retrieved February 24, 2020 from https://www.ecb.europa.eu/stats/financial_markets_and_interest_rates/euro_short-term_rate/html/index.en.html
8. Feeney, John. SWAP VOLUMES: SOFR V FED FUNDS. clarusft.com. Retrieved February 25, 2020 from https://www.clarusft.com/swap-volumes-sofr-v-fedfunds/
9. Bank of England. SONIA interest rate benchmark. Bank of England. Retrieved February 25, 2020 from https://www.bankofengland.co.uk/markets/sonia-benchmark
10. Wikipedia contributors. (2020, January 10). SONIA (interest rate). Wikipedia, The Free Encyclopedia. Retrieved February 25, 2020 from https://en.wikipedia.org/wiki/SONIA_(interest_rate)
11. Intercontinental Exchange. Three Month Sterling (Short Sterling) Future. Intercontinental Exchange. Retrieved February 25, 2020 from https://www.theice.com/products/37650330/Three-Month-Sterling-Short-Sterling-Future
author
Patrick Toolis
Patrick Toolis has spent twenty years involved in theoretical computer science applications in five countries. After co-founding J-Surplus.com, one of the first business-to-business e-commerce auction sites for excess inventory in Japan, Mr. Toolis worked in the system integration realm at Iona Technologies, dealing with major customers in telecommunications and semiconductors. He then helped develop the order and execution processing at JapanCross Securities, one of the first electronic crossing networks for Japanese equities (later merged with Instinet, which is now a part of Nomura Holdings). As a consultant, he wrote significant machine learning implementations on mobile computing platforms for Sears Holdings Corporation. At The American Express Company, he designed parallel algorithms for risk mitigation and decision optimization. Most recently, he has focused on independent financial engineering work which he aspires to grow into a hedge fund, software vendor, and liquidity pool and has consulted for a private trading firm and a new exchange. Mr. Toolis holds BS and MS degrees in Computer Science from Stanford University.
climate risk: its implications for financial institutions
by John Thackeray
The defining issue and top global emerging risk of 2020 is climate risk, which has been gaining a sense of urgency with major implications for financial institutions. Climate change can no longer be viewed in isolation as a reputational risk but must be seen and addressed as a financial risk that needs to be integrated into existing risk management frameworks. Climate risk is a “transverse” risk that can extend its reach into existing risk stripes. As climate risk manifests itself through existing risk stripes, climate change can also heighten credit risks for banks, as demonstrated by the recent PG&E bankruptcy. Banks need to consider how climate-driven financial risks can be embedded into current financial risk management frameworks.
Regulators have been influenced by increasing interest in both the impact and implications of climate change as a result of public awareness and the failure of governments and the United Nations to reach substantive and collective agreement. In this vacuum, central banks are starting to lead by example by including climate-related risks in their evaluations, leading to an escalation of policy pronouncements which are likely to adjust more rapidly with an intensification in the climate change debate. Increased cooperation is evidenced by The Network of Central Banks and Supervisors for Greening the Financial System (NGFS), an international cooperation and collaboration between central banks and regulators with a main aim to address the financial sector’s attempts to achieve the Paris climate goals.
Since climate change continues to have huge economic and political implications, regulators are pushing financial institutions to include climate risk issues in their analyses of country risk and sovereign ratings, which will filter down into individual counterparty ratings. The IMF’s new chief, Kristalina Georgieva, pioneered green bonds in 2008 while at the World Bank. She is discussing whether to assign different risk weightings to assets that are more or less green, fostering an important discussion that engages the financial community. Recently the US Democratic Senator Brian Schatz of Hawaii introduced a bill that would direct the Federal Reserve to subject large banks to stress tests measuring their resilience to climate-related financial risks. The proposed Climate Change Financial Risk Act of 2019 underscores worries among policy makers over the risk posed to the financial system by the continuous and sustained weather events which continue to plague the continental United States.
Accountability has become the weapon of choice, with financial institutions having signed up to laudable climate principles (i.e. the Equator principles); they will need to demonstrate with actionable examples how they are adhering to such principles. Shareholder and social media will apply a lens which may mean Boards will need to become climate literate at a faster pace.
The need for disclosure is paramount and this process will escalate initiatives led by the Task Force on Climate-Related Financial Disclosures of the Financial Stability Board. As an example, the Task Force is recommending that companies make their climate-related risks known to lenders and other stakeholders. Board members are increasingly being viewed as fiduciary custodians by their stakeholders and as such there has been a need to include representation from climate science on the Board. Moreover, some Boards are openly demanding the need for organizational structural change by means of a Sustainability Committee reporting directly to them to enhance Board comfort around the climate challenges.
call to action
A call to action seems to have resonated with all stakeholders within the community as evidenced below:
• The UK’s Prudential Regulation Authority became the first regulator in the world to publish supervisory expectations that explain how financial institutions need to develop a methodology, framework and approach to managing financial risks emanating from climate change.
• The Bank of England is insisting that there is a senior manager in each major financial institution responsible for managing climate risk, who can be liable for fines or a ban if there is ineffective governance and oversight.
• Barclays has joined sixteen other leading banks, the UN Environment Finance Initiative (UNEP FI) and Acclimatise, in publication of new methodologies that help banks understand how the physical risks and opportunities of a changing climate might affect their loan portfolios.
• HSBC has set up its Climate Change Centre of Excellence, which analyzes the commercial implications of climate change for HSBC Group businesses and clients.
• French banks such as BNP, Société Générale, Natixis and Crédit Agricole have retreated and stopped lending focused on oil and gas from shale and tar sands. These banks are pioneering in the climate space, driven mainly by France’s Energy Transition Law, which was introduced in 2015 and requires financial institutions to report on their carbon risks.
• The European Union is to stop funding oil, gas and coal projects at the end of 2021. The European Investment Bank (EIB), the EU’s financing department, will bar funding for most fossil fuel projects.
• Sweden’s central bank has ditched bonds issued by Australian and Canadian regions on the grounds that their carbon emissions are too high.
• A shareholder in Australia filed suit against the Commonwealth Bank of Australia for failing adequately to disclose climate risk. The case was dropped after the bank released new reporting that recognized climate change as a financial risk.
• A retreat from lending to companies with large carbon footprints has left some financial institutions with large industrial exposures that they had not planned or been prepared to hold.
• Spanish energy company Repsol SA is cutting the value of its assets by billions of dollars because the global transition to a lower carbon economy is weakening the outlook for energy prices.
• Up until now, these climate risks largely have been absent from investors’ models, but the rating agencies are at least thinking about changing their methodology and methods in assigning ratings, to incorporate climate risk.
• Investment funds are now being held to a higher standard when it comes to their portfolio restrictions and guiding principles on climate-related investments.
risk identification
Financial risks stemming from climate change arise through three main channels: physical risk, transition risk and liability risk.
Physical risks arise from climate- and weather-related events. These changes in the physical environment will create physical risks that will impact individuals, businesses and economies, consequently affecting a variety of financial transactions.
Transition risks arise from the process of adjusting toward a lower-carbon economy. Policy, technology and laws relating to climate change could be accelerated, prompting a reassessment of the value of a large range of assets as costs and opportunities become apparent. This reassessment could modify the value of assets and liabilities, thereby altering the risk profile of financial institutions. As the opportunity to take voluntary steps lessens and government requirements become more immediate and demanding, the velocity at which the transition occurs will affect the scale of disruption for affected industries. Transition risk is likely to be the biggest area of influence on asset values in the shorter term, whereas the physical effects are likely to be the driving factors influencing asset values and economic performance in the medium to longer term.
In jurisdictions such as the US or Europe, lenders are unlikely to be held directly liable for the activities of the companies that they lend to; however, this may soon change due to increased political and social pressure. Banks acting as underwriters of bonds should assess the materiality of climate risks to an issuer’s business when drafting risk factors in the offering documents. For Board members, there is a real risk of being sued for not disclosing and alternatively being sued for making forward-looking statements about climate change which prove to be incorrect.
Given the uncertainty around the future path of emissions, and their associated economic and financial impacts, a natural tool for analyzing these risks is scenario analysis. There are two primary types of scenarios fit for this purpose: climate-impact (physical risk) scenarios and transition scenarios. Climate-impact scenarios investigate the effects climate change could have on economies, societies and ecosystems, given an assumed level of emissions; transition scenarios model how economies might adjust given a temperature target and government policy. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from the traditional use of these with longer time horizons, description of physical variables and generally the non-inclusion of specific economic parameters.
The Bank of England is asking British insurers and lenders to gauge to what extent global warming might impact the value of their investments and balance sheets, and its potential to destabilize the financial markets. The three climate scenarios promulgated by the bank’s Prudential Regulation Authority are “exploratory” in nature. The hypothetical narratives are designed in a way to pinpoint risks and exposures with no pass or fail and a publication of results in aggregate without naming institutions.
how climate risk impacts existing risk types
There is a need to examine existing risk types and consider whether climate risk is sufficiently material to be incorporated and embedded into established risk frameworks. Financial risks will typically be greater for long-lived assets and liabilities (e.g., infrastructure, pensions) than short-term contracts, where risks and pricing can be more readily adjusted. There may also be consequential risks, such as concentration risk and asset-liability mismatches. The more that these types of transverse considerations are embedded into firms’ day-to-day governance and risk management processes, the better firms will be able to manage and mitigate the financial risks of climate change. The risks relate to a firm’s clients, counterparties, and their own internal operations. Moreover, credit analysis will also have to change as illustrated below to meet the climate risk challenge.
• Climate change may affect the comparative market competitiveness and performance of the firm, i.e. the writing down of carbon asset values on the balance sheet.
• Differential pricing and returns may have to be incorporated with the credit proposal emphasizing the basis for carbon free projects.
• Noncompliance with environmental regulations could result in various and different forms of liability for the project and its stakeholders as well as unwarranted publicity.
• The client’s ability to refinance may be compromised once awareness of climate risks has increased, making it more difficult for a current investor to exit.
• Repayment sources may be affected as income from the sale of assets or equity by clients may be diminished, as climate change will affect market values.
• The cost of insurance for clients may increase, and exclusion clauses may become more onerous. Insurance cover may no longer be available, forcing companies to self-insure, which would require them to make financial provisions to cover future losses, affecting their financial capacity.
passing thoughts
Now is the time to act on greening the financial system in order to move away from a verbal undertaking of corporate responsibility to one of sustainable leadership. The world is watching to see which financial institutions have the vision and leadership that define their role in the social and economic fabric of climate change.
author
John Thackeray
John Thackeray is the founder of RiskSmartInc, which helps firms control their risk by writing their risk and compliance narrative. John is an accomplished industry writer and thought leader whose global experience has covered financial and non-financial risk management. Over his career, he has held many risk positions, including CRO posts where he has engaged with US and European regulators.
cyberwarfare: an emerging global risk impacting our society
by Vivek Seth
In the context of global risks faced by countries, the risk of materialization of large-scale cyberwarfare has become increasingly prominent in recent years. Broadly speaking, cyberwarfare refers to deliberate cyber-attacks, such as spreading computer viruses and hacking, by one nation or a group of nations on another nation state’s technological infrastructure. Key motivations of such attacks include political aspirations to disrupt operational activities, digital espionage, spreading misinformation, physical sabotage, coercion in decision-making processes and financial gain at the expense of the target country or international organizations.
With the ever-increasing interconnectedness of the world via the internet and digital infrastructure, targeted cyber attacks can prove to be an effective tool for causing large-scale harm to victim governments, militaries and corporations. Some of the common means of perpetrating cyberattacks include usage of botnets for distributed denial of service (DDoS) attacks, social engineering, phishing techniques as well as disruptions via insider staff with access to sensitive or critical information systems. A key reason why such attacks are becoming more prevalent is their covert nature, as often the outright involvement of participants is not apparent, which is in contrast with conventional military and intelligence exercises.
While there has not been a categorically declared cyberwarfare yet, the world has seen a number of incidents that have caused serious disruption to countries’ infrastructures and which are suspected of being carried out by state-sponsored organizations. Some of these events are outlined in the timeline indicated below.
Key recent cyberattack events affecting serious disruption to countries’ infrastructure
While these recent cases of advanced persistent threats have so far not resulted in world scale physical conflict or violence, such computer network attacks do have consequences. Negative outcomes to a nation state could include financial and reputational damage due to disruption of services, loss of privacy of targeted individuals/organizations, civilian population daily lives affected by infrastructure operation failures, spread of phobia & misinformation affecting public trust on governments as well as weakening of national sovereignty. Currently, there are limited bilateral or multilateral agreements between countries on collectively curbing nation state targeted cyber-attacks and situations when such engagements get kicked off can be open to interpretations. Preparedness against such persistent attacks rests on fundamental cyber hygiene basics such as timely identification of IT vulnerabilities, patch management, upgrade of obsolete systems, network monitoring of anomalous activities, and strong identity and access management controls. On top of these fundamentals, vigilance is also crucial against suspicious network probing activities, communication from high risk countries known for cybercriminal perpetuators and vulnerabilities emanating from emerging technologies such as Deep Fake driven media. Adequate resourcing is also of paramount importance for a robust strategy on analyzing and risk assessment of cyber threat environment for early detection and prevention of such attacks. Cyber defense strategies should also include network segregation of sensitive IT infrastructure, containment of detected threats and usage of encryption framework, strong password and multifactor authentication culture. 
A statewide cyber incident management plan should be established that outlines a crisis mitigation strategy for countries to defend themselves against future cyber war threats, especially for critical components of a nation such as banking, railways, hospitals, stock exchanges, power stations, and food supply infrastructure. Cyber risk training and awareness among organization staff and in public media also help deter such attacks. Many developed nations and international organizations prepare against cyberwarfare with simulated cyber defense wargames. For example, in 2019 the US and Taiwan held their first joint cyber-war exercise. NATO nations address cybersecurity concerns via Locked Shields events. This rising trend of nation-targeted cyberattacks poses the risk of a new cyberwar arms race, with dedicated spending on stockpiling cyber-attack strategies like that of a tangible arms race. Such programs could be developed in secrecy, thus lacking transparency, governance, and agreed rules of engagement between nations. Accidental or deliberate leakage of such digital attack tools to criminal organizations can prove damaging to overall world stability. The Internet allows malicious cyber actors to deliver weaponized tools in real time and at an exponential scale. While many nations are seeking to acquire and test digital attack and defense capabilities, they should also keep in mind the widespread impact of such digital skirmishes, especially on the civilian population. Thus, a widespread binding international agreement among countries to restrict the development and use of offensive cyber weapons is required, one that emphasizes the development of defensive rather than offensive capabilities. Just like in non-digital warfare, there can’t be winners in a large-scale cyberwarfare, but only losers.
conclusion
Both developed and developing parts of the world are becoming heavily dependent on the Internet and digital infrastructure for delivery of their critical economic activities. Such dependency calls for a robust cybersecurity strategy for the smooth functioning of a nation state. This is especially crucial when such cyber-attacks are persistent and organized by a large-scale organization, a rival country or advanced cybercriminals. Mitigating emerging vulnerabilities and attack vectors for cyber crimes at a national scale requires international cooperation and agreement, robust internal IT infrastructure, and vigilant staff and civilian population. Only via this long-term strategy of bringing attention to the dangers of cyber-weapon proliferation, international diplomacy, public shaming, and taking collective action against suspected cyber attackers can the world achieve peaceful advancement in the digital arena.
sources
Sources used for preparing timeline chart:
1. www.bbc.com, 27 April 2017, “How a cyber attack transformed Estonia”.
2. www.bbc.com, 20 February 2020, “UK says Russia’s GRU behind massive Georgia cyber-attack”.
3. www.bbc.com, 22 November 2010, “Stuxnet ‘hit’ Iran nuclear plans”.
4. www.bbc.com, 17 August 2012, “Shamoon virus targets energy sector infrastructure”.
5. www.bbc.com, 25 November 2014, “Sony Pictures computer system hacked in online attack”.
6. www.bbc.com, 11 January 2017, “Ukraine power cut ‘was cyber-attack’”.
7. www.bbc.com, 29 June 2017, “Cyber-attack was about data and not money, say experts”.
8. www.bbc.com, 13 May 2017, “Massive ransomware infection hits computers in 99 countries”.
9. www.bbc.com, 4 November 2019, “US and Taiwan hold first joint cyber-war exercise”.
10. https://ccdcoe.org/about-us/
author Vivek Seth Vivek Seth is a Singapore citizen, working in the Risk Management discipline in the financial industry for over 15 years. His work experience spreads across Singapore, Dubai, and Australia along with business assignments carried out in Hong Kong and Switzerland. He holds an M.B.A. and also the PRM™ professional certification. This article presented here represents the author’s personal views and not that of his current/previous employers or any professional bodies he is associated with.
aggregated vendor risk - the cyber security blind spot
by Angelina Yang, David Zelinger, Thomas Lee, Nagaraja Kumar Deevi
third and fourth party risks - critical and widespread
Companies in all industries are relying on hundreds, sometimes thousands, of vendors to manage the complexity of today’s business landscape. This web of vendors can include suppliers, contractors, SaaS, PaaS and IaaS. This increasing access and movement of sensitive data across internal and external systems creates a significant and growing cyber security risk, with about 50% of large PII [1] data breaches caused by third parties [2]. An analysis of data breach costs finds that these third party breaches are just as impactful [3], causing significant business, reputational and operational impact. Third party risk is also not limited to data breaches. For the financial industry, 75% of Foreign Corrupt Practices Act (FCPA) cases resulted from third party partners [4]. Third party risk is therefore a significant portion of enterprise risk. Cyber security teams apparently recognize this, since a recent survey-based study of the financial services industry found that 75% of respondents reported that third party data breaches had, or could potentially have, critical business impact. Management also seems to understand the magnitude of the risk, with over 90% of survey respondents answering that their Third Party Risk Management (TPRM) programs report to their Boards of Directors at least once a year, and Executive Management viewed cyber security, reputational and operational risks as the top three concerns when it came to third parties [4]. Financial institutions that don’t understand the importance of third party risk must beware. Regulators are paying close attention to how firms are protecting client data.
In 2019 alone, firms were fined millions of dollars for failing to properly monitor this risk [4] and there are ongoing changes in the regulatory landscape, like the new European Banking Authority (EBA) Guidelines on Outsourcing Arrangements, the California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR) and others, which are likely to result in increasing fines in 2020 and beyond unless there is significant improvement in TPRM programs.
inadequate current approach to assessing vendors
In spite of third party risk’s critical and widespread nature, the current measurement approach is inadequate, leaving a significant blind spot in managing overall cyber security risk. The current process for measuring third party risk has been developed from the perspective of the cyber security practitioner.
It consists largely of maturity- or compliance-based scoring [5] methodologies [6], often manually assessed, most often based upon proprietary or opinion-based weighting of security controls and configurations [7]. The problem with maturity or compliance scores is that an organization’s greatest cyber risk does not come from any single vendor, but from the aggregated risk across all of its vendors. A typical company has hundreds, if not thousands, of vendors and this aggregated risk can only be assessed with probabilities, not scores. Applying basic statistical techniques to a theoretical large financial institution is illustrative of the problem’s potential magnitude. If a third party has a probability for data breach of 1.6% (once in 62 years, on average), this may at first seem acceptable. But in an environment where there are potentially thousands of vendors engaged in the data supply chain, if only 50 have a 1.6% annual likelihood of a data breach, the chance of having a data breach among those 50 vendors is, on average, a concern once every 5 months. So, aggregate third party risk is a significant concern, and it cannot be assessed with scoring methodologies. The financial industry has the skill to understand this problem, since it commonly applies principles of aggregated risk in assessing financial portfolios. Yet, the financial industry continues to use subjective scoring methodologies to assess third parties, just like all other industries. The question is: why? We believe that the reason is that third party assessments are driven by cyber security practitioners. The cyber security practitioner views the problem from the very detailed and technical perspective of controls and compliance. In fact, compliance with security standards is the foundation of cyber security practice. But accurate probability models cannot be easily developed when this kind of information cannot be collected across all companies that have and have not experienced data breaches.
Expert opinion for how these controls reduce probability is not a good substitute for sound model development practices. Scientific literature is robust on the inaccuracy of expert judgment when it comes to predicting rare events [8], and large data breaches are rare events for any particular company.
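The aggregation arithmetic described above, as an added worked example that is not part of the original article: it assumes vendor breaches are independent events, and the mixed 50-vendor portfolio and its vendor names are constructed. It goes beyond the uniform 1.6% case to show how a few vendors can carry most of the expected breaches even when most vendors look acceptable one at a time.

```python
"""Aggregate third-party breach risk from per-vendor annual probabilities.

Assumptions (added here, not from the article): vendor breaches are
independent events, and every probability below is a constructed sample.
"""
from math import prod


def _check(probs):
    """Reject values that are not valid probabilities."""
    probs = list(probs)
    for p in probs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"not a probability: {p!r}")
    return probs


def prob_any_breach(probs):
    """P(at least one vendor breached in a year) = 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - p for p in _check(probs))


def expected_breaches_per_year(probs):
    """Expected number of vendor breaches per year (sum of p_i)."""
    return sum(_check(probs))


def mean_months_between_breaches(probs):
    """Long-run average gap between vendor breaches, in months."""
    rate = expected_breaches_per_year(probs)
    if rate <= 0:
        raise ValueError("portfolio carries no breach risk to aggregate")
    return 12.0 / rate


def risk_concentration(vendors, share=0.5):
    """Smallest set of vendors carrying `share` of the expected breaches.

    `vendors` maps a vendor name to its annual breach probability.
    Returns names ordered from highest to lowest probability.
    """
    total = expected_breaches_per_year(vendors.values())
    ranked = sorted(vendors.items(), key=lambda kv: kv[1], reverse=True)
    picked, running = [], 0.0
    for name, p in ranked:
        if running >= share * total:
            break
        picked.append(name)
        running += p
    return picked


def sample_portfolio():
    """Constructed 50-vendor portfolio with three risk bands."""
    vendors = {f"high-{i}": 0.20 for i in range(2)}          # 2 risky vendors
    vendors.update({f"mid-{i}": 0.016 for i in range(8)})    # the article's 1.6%
    vendors.update({f"low-{i}": 0.002 for i in range(40)})   # long tail
    return vendors


if __name__ == "__main__":
    uniform = [0.016] * 50  # the article's case: 50 vendors at 1.6% a year
    print(f"uniform: P(any breach in a year) = {prob_any_breach(uniform):.3f}")
    print(f"uniform: expected breaches/year  = "
          f"{expected_breaches_per_year(uniform):.2f}")

    vendors = sample_portfolio()
    probs = list(vendors.values())
    print(f"mixed:   P(any breach in a year) = {prob_any_breach(probs):.3f}")
    print(f"mixed:   mean months between     = "
          f"{mean_months_between_breaches(probs):.1f}")
    print(f"mixed:   vendors carrying 50%    = {risk_concentration(vendors)}")
```
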
statistical approach - a paradigm change
However, there are factors that can be measured for all companies, which strongly and independently correlate with data breaches, and which allow the generation of accurate probability models that can be used to assess and manage aggregate third-party risk. These models are sufficiently accurate to find orders of magnitude differences between third parties [9] and can even determine probability as a function of data breach size. Importantly, these models can be developed from non-technical measures that bring interpretability to non-technical Executive Management and the Board of Directors. And, because these models are based upon non-technical inputs and independent of security controls, they will remain accurate even as technology and criminal methodologies change. However, financial institutions’ third party assessment efforts are generally under-resourced. A recent survey of cyber security practitioners [7] found that nearly 60% of survey respondents rated their TPRM program as immature and only 35% felt they were adequately resourced to measure or manage this risk.
This is understandable considering that current methods are not able to address the actual risk from third parties, namely the aggregated risk. We have argued that as much as 50% of enterprise cyber risk is due to third parties. We therefore propose that financial institutions stop using maturity or compliance based scoring methodologies and instead use probability models based upon other predictive factors that can be measured for all companies, and that TPRM programs be resourced at a level consistent with the magnitude of the risk. We argue that models should be interpretable by Executive Management and the Board of Directors and follow sound model development practices recommended by the Federal Reserve and Office of the Comptroller of the Currency (OCC)’s Supervisory Guidance on Model Risk Management – Bulletin SR11-7 [10]. This paradigm change is increasingly needed as financial institutions become ever more dependent on third party services.
references
1. Personal Identifiable Information (PII), includes Protected Health Information (PHI), Card Holder Data (CHD) and Personal Financial Information (PFI).
2. 40% of CHD, 67% of PHI data breaches affecting more than 100K people, data from VivoSecurity, 2018 and 2019.
3. See Regression Model for the Impact of a Data Breach for a Financial Institution, Thomas Lee, Jason Hegland, Spencer Graves, Richmond Fed research conference, 2018.
4. CeFPro 2019, Third Party Risk: Chasing Maturity in a Dynamic Landscape.
5. These are subjective scores based upon opinion of the value of certain standard controls and different from the probability derived scores used in the financial industry.
6. These methodologies often assume there is a set security standard, e.g. NIST or PCI, that should be implemented. Full compliance is often too burdensome, so companies are scored by the degree of compliance via questionnaires. Other methods assume measuring external configurations such as web and email servers to capture the level of maturity.
7. 78% of companies use internal scoring methodologies according to CeFPro 2019, Third-party cyber risk for financial services: blind spots, emerging issues & best practices.
8. See Thinking, Fast and Slow by Nobel Laureate Daniel Kahneman.
9. These models can identify 0.4% of companies that will account for 50% of PII data breaches, compared with a perfect model that would identify 0.04% of companies.
10. https://www.federalreserve.gov/supervisionreg/srletters/sr1107.pdf
authors Angelina Yang Angelina Yang is currently VP of Quantitative Analytics and AI Development at Wells Fargo, and senior advisor to VivoSecurity. Angelina is FRM certified, has extensive experience in fraud, data breach and financial crime modeling, and is a pioneer in novel data sources. She was a CAMS panelist in 2019, 2020. The views of the author do not reflect the views of Wells Fargo.
David Zelinger David Zelinger is currently advising early stage FinTech firms on go-to-market strategy and product messaging. Previously he has served at the management level across a range of financial services market participants, including Deutsche Bank, IHSMarkit, Duco Technology and others, with a specialization in delivering solutions to complex operational and regulatory risk problems.
Thomas Lee Thomas Lee is the CEO of VivoSecurity, a company focused on data collection, regression modeling and AI to quantify cyber security risk. Thomas has spoken at the Richmond Fed research conference 2018, invited participant at Richmond Fed cyber security workshop 2019, invited speaker at O.R.X Toronto & Milan 2018, speaker at OpRisk North America 2018, ACAMS panelist 2019, PRMIA NYC & BCG 2018, multiple patents for quantifying cyber security risk.
Nagaraja Kumar Deevi Nagaraja Kumar Deevi is a senior strategic executive with over two decades of Leadership experience in Finance, Risk, Regulatory, Digital, Analytics and Technology enabled solutions advising Global Banking & Financial Institutions. He is currently Managing Partner & Senior Advisor at DEEVI Advisory & Research Studies. NAG is specialized in Digital Transformation, Banking regulations, Regulatory Policy & Affairs and Enterprise wide Strategic Risk initiatives. Designed and developed Enterprise Risk Governance Framework aligned with firm-wide Corporate strategy, setting high level Regulatory Policy, Risk Appetite Statement, Recovery, and Resolution Planning (RRP)/ Living Wills, Culture, Conduct & Reputational Risk. Effective utilization of Tools &Techniques addressing Risk Assessment, Risk Identification, Risk Measurement, Prioritize Risk & Risk Mitigation & Risk Response processes. NAG works closely with Academia and Research studies on Risk & Analytics and AI based startup companies through knowledge sharing, Solution Approach & Go-to Market strategy, and has advanced management studies from Harvard, Columbia, NYU, Kellogg’s & MIT.
the Bank Asset-Liability Committee (ALCO): ensuring effective governance and risk management
by Moorad Choudhry The onset of the COVID-19 stress on markets and the subsequent “lockdown” policy response from governments worldwide has created a genuine stress event potentially on a par with that observed in the financial crash of 2008, if not worse. The impact on global markets has been significant, and this time banks need to demonstrate both adaptability and speed of response as they manage events and support their customer franchise through the impending recession. How best should banks address the need to ensure flexibility and rapid decision-making, while maintaining balance sheet robustness during this time? What should the role of ALCO be? And critically, how can ALCO assist the bank to meet its key objectives? A committee is, after all, just another committee. Making a committee effective and “real” to the business is a challenge that goes beyond the mere procedural and into the realm of the cultural. And as befits a forum that is viewed typically as a “technical” one, the challenge is not a trivial one: how do we make the ALCO meaningful to the business lines, so they derive the full value-added that the primary balance sheet management forum should be delivering? And what “lessons learned” might ALCO benefit from once the current lockdown restrictions have been eased?
ALCO and its importance The ALCO has always been an important management committee in any bank. In previous publications the author had noted:
“A greater number of financial institutions are enhancing their risk management function by adding to the responsibilities of…the Asset and Liability Committee (ALCO)…and integrating…traditional interest-rate risk management with credit risk and operational risk. In order to fulfill this more enhanced function, ALCO will require a more strategic approach to [its] function.” (From The Bond and Money Markets: Strategy, Trading, Analysis, Butterworth-Heinemann 2001, page 536)
Another extract, also dating from before the bank crash, sets out the ideal behind ALCO: “The ALCO will have a specific remit to oversee all aspects of asset-liability management, from the front-office money market function to back-office operations and middle-office reporting and risk management.” (From Bank Asset and Liability Management, John Wiley & Sons Ltd 2007, chapter 8)
Simply organizing a monthly ALCO meeting and setting up formal terms of reference (ToR) for it doesn’t necessarily make an ALCO fit-for-purpose – if by that we mean an ALCO that ensures that the bank’s balance sheet remains robust and viable in perpetuity. Every failed bank in 2007 and 2008 had an ALCO, as all banks do today (although at this stage of the COVID-19 crisis no one is suggesting that the threat to banks is existential. As quoted in The Economist of 11th April 2020, “it’s primarily an earnings issue, not a balance sheet one.”) That is why it was welcome when the UK regulatory authority (then called the Financial Services Authority, now the Prudential Regulation Authority or PRA) issued a “Dear CEO” letter containing guidelines for effective ALCO practice in January 2011. This contained valuable guidance, including that the ALCO should:
• Proactively control the business in line with firm’s objectives, focusing on the entire balance sheet
• Act as the arbitrator in the debate and challenge process between business lines
• Ensure issues are fully articulated and debated
• Engage in active dialogue amongst various members and display a strong degree of challenge
An ALCO that really did operate along these lines would be harder to render ineffective. Of course, culture comes from the top, as it does in all groupings, and if the committee Chair is inclined towards the above behaviors, then there is more chance that ALCO will be able to act in line with these recommended guidelines. If the Chair is not so inclined, there is more chance that the ALCO is rendered less effective. But let us suppose that a bank did do all the things we’ve described up to now. Imagine that the organization structure gives the ALCO real authority, it acts as a genuine and open debating chamber, and its membership and ToR are fit-for-purpose. Is that enough?
ALCO and its meaningfulness
A question asked frequently at seminars and workshops is “How can we make ALCO more meaningful and effective, especially to the business lines?” Alongside that is the related question, “Often the metrics reported in the ALCO pack aren’t ‘real’ to the business lines, for example earnings-at-risk (EaR) or economic value of equity (EVE)…how can we make the indicators more meaningful to the business, such that they actually assist the business in their planning and balance sheet optimization?”
These are good questions. It is true that certain risk indicators reported in the ALCO deck do not tell the business line managers anything of genuine value that assists them with their day-to-day work. And when this happens, it makes the ALCO process less effective than it could be, because it makes it more difficult for the first line of defence (1LOD) to engage fully during the meeting and during the overall ALCO process. It is certainly true that in many banks ALCO is seen as a “technical” committee that is less relevant to the front-line customer business. ALCO needs to answer these questions fully, because otherwise it risks becoming less effective than it should be. In the first place, balance sheet risk metrics reported in the ALCO deck need to include meaningful indicators that actually help the business line heads manage their business from the product origination stage onwards. This goes beyond the metrics included for regulatory purposes: items such as CET1 ratio and LCR would be included at the start to demonstrate compliance with regulatory requirements. We might label these “Tier 1” metrics. However, this list of indicators tends to include the NSFR, EVE, EAR and VAR type metrics, and while these are of course all very important Tier 1 metrics, they aren’t necessarily the ones that connect easily at the “coal face” (although, ideally they would be).
To make ALCO meaningful at all levels and across the business lines requires that it also reports metrics that are transparent and easily discussed and also can be understood straight away in terms of impact at the assets and liability origination stage, for instance:
• Liquidity: for example, customer loan-deposit ratio (LDR) and size of high quality liquid assets (HQLA) portfolio as a share of the balance sheet, and other measures that the 1LOD will use on a daily basis to help understand the business, alongside the standard regulatory metrics;
• Capital: for example, buffer over the total capital requirement (TCR) and capital available to absorb unexpected losses on a going concern basis, and any “pinch points” over (say) the next two quarters where this level may be a constraint on the lending plan;
• Earnings: for example, net interest income (NII) and net interest margin (NIM), and critically the sensitivity of these indicators to one or more changes in internal and external balance sheet factors (such as customer and product type changes);
• Non-traded market risk: for example, the ΔNII metric and its sensitivity to “business-as-usual” market changes alongside the prescribed stress scenarios.
There are, of course, any number of additional risk exposure numbers one can report, and the final suite of them will be a function of the size and business model of the institution. Including these additional risk indicators in the Tier 1 list of metrics alongside the standard regulator-driven ones in the monthly ALCO pack will make ALCO more meaningful to the business, and thereby assist in making the meeting itself more productive as all attendees engage in the proceedings. In terms of order and layout, it is a good idea to have the ALCO deck aligned fully with the bank’s Board risk appetite statement (RAS) (ideally, the RAS takes its cue from the ALCO deck, but the other way round is more common).
Using LDR again as an example, this metric may appear in the Liquidity and Funding section of the RAS in the following format:
The format should be replicated in the monthly ALCO MI pack, thereby giving instant confirmation of compliance with the “green zone” of the RAS. Hence in this instance:
The format should be used for all risk metrics reported in the ALCO pack. Tier 2 and Tier 3 metrics, that may not appear in the RAS, would ideally be reported in the same way, again to enable ALCO attendees to note instantly that the balance sheet shape and structure is “green”. And in the second place? ALCO needs to be as open as possible, and a genuine debating chamber. This second point is more “cultural” than technical and presents not an insignificant challenge. But getting the first point right will assist in making the meeting itself more meaningful to all attendees, especially the business lines. And that is a good thing for what is the most important committee in the bank.
ALCO and adapting to events The Coronavirus crisis and lockdown response to the spread of COVID-19 has demonstrated, among a number of things, the importance of a bank being able to react quickly and decisively to market-wide stress events. This time, unlike in 2008, banks aren’t part of the problem, but they can and should be part of the solution. Supporting the customer franchise through difficult economic times is the primary objective, and banks can take their cue from the central banks and regulatory authorities, who have implemented a number of support measures for the country’s workforce. The Bank for International Settlements also published a statement on 3rd April which included the guideline that capital and liquidity buffers were there to be used during this time. This is significant. A bank’s ALCO ToR should ensure that it retains ownership of the balance sheet, under delegated authority of the Board. The ToR should enable ALCO to meet as frequently as needed (daily, if deemed necessary) during stressed market circumstances. As part of daily review, it should be monitoring balance sheet metrics for capital and liquidity, particularly the LCR and cashflow survival days measures. And of course, it should be tracking customer behavior closely, and respond with guidance for relationship managers to assist customers as required. In this respect, it can then recommend for Board approval any adjustment of the risk appetite statement and quantitative limits for capital and liquidity risk, if necessary.
Balance sheet robustness remains key during any stress event, hand-in-hand with customer franchise support, and in this respect ALCO remains the most important committee in the bank: it should be communicating downwards to the business lines and upwards to the Board (and regulatory authority). Once the market stress has passed, the key lesson learned for the medium term is to ensure that ALCO remains fit for purpose to manage balance sheet risk in the future. Its performance, and the performance of the bank itself, during the present time will be key pointers in this regard.
references
1. For ALCO operating model and governance structure: Moorad Choudhry Anthology: Past, Present and Future Principles of Banking and Finance, John Wiley & Sons Ltd (2018), Chapter 10
2. For template ALCO Terms of Reference: Moorad Choudhry Anthology: Website, Chapter 10 folder. E-book Link: Wiley.com
author Moorad Choudhry Professor Moorad Choudhry is a non-executive director on the board of Recognise Financial Services Ltd.
developing cultural capital – board level impact
by Nagaraja Kumar Deevi
Building Cultural Capital is an evolving challenge across industries, not just a Banking and Financial Services Industry issue. In recent months, financial services regulatory agencies in the US and UK have been leading the effort to address the challenges. Cultural Capital, unlike Financial Capital, Economic Capital, Regulatory Capital, and Liquidity Capital, can’t be measured in financial numbers, income, or net worth. Cultural Capital, on the other hand, deals with human capital, which includes the behavioral aspects, skills and knowledge of employees, rather than the product and design lifecycle methodologies and revenue and growth forecasting models that run against large populations of data. Cultural Capital is both a tangible and an intangible asset: it is the employees’ collective wisdom working across the business lines within the organization, and its impact on society. It is not just a task that is identified, validated on a monthly or quarterly basis, and closed after the annual performance measure. Developing Cultural Capital is not an independent business function or the sole responsibility of just the CEOs or boards of directors. A Cultural Capital Framework must come from both a top-down approach and a bottom-up approach, with oversight of monitoring and driving effective influence of the workforce to overcome social stigma, the ethical paradox in decision-making and cultural misconceptions. Building Cultural Capital is a growing concern. Building Culture includes the accumulation of knowledge, behaviors, education and skills, and evolves along with the organization’s growth, while retaining the business values. It is hard to quantify Organizational Culture as it is often based on perceptions, personal motivations, blindness to objective consequences and failure to consider the ethical dimensions of decisions.
developing culture is a mission critical task
Defining an Organizational purpose that encompasses employees and management with shared values and a code of conduct embedded within an Ethical Policy, and communicating the cohesive cultural values effectively, is the foremost responsibility of the management in every organization. Understandably, cultural change is a long journey, especially in a toxic environment, where the trust and integrity of the leaders are measured. One of the difficult processes is developing a framework with “meaningful value” and an economic measure. Emerging technologies, including social media, create and contribute to different ethical experiences and challenges. Management teams must consider behavioral phenomena, ascertain that the AI systems that are created generate reliable outcomes, and avoid overreliance on AI to cover the bias in effective decision making and achieving optimal results.
importance of creating psychological safety: creating cultural capital
Amy Edmondson, a Harvard Professor and author of the book The Fearless Organization, explains what psychological safety is, what it is not and how to create organizations. Creating an organization is all about building human capital in a complex interdependent environment and challenging the status quo of emotional intelligence. Business leaders play an important role in developing Cultural Capital and help in setting the stage for an honest, challenging, collaborative, and effective work environment that encourages employee candor, management openness, and mutual respect. While developing the Cultural Capital framework, incorporating the psychological safety chart, in my view, amplifies the Cultural Capital in terms of shareholder value and reflects on the market performance.
designing cultural framework
Learning from earlier missteps is the foundation for developing the Cultural Capital framework.
Leadership Impact – Organizational Culture must align with overall strategy and objectives. Leadership must establish the importance of risk management practices and embrace a culture of continuous training and development.
Behavior Matters – Culture and Conduct must follow the moral code. All employees must be accountable for their actions and lead by example. In one of the key developments of 2019, during the Business Roundtable summit, a group of 181 CEOs signed the pledge and announced that they committed to lead their companies for the benefit of all stakeholders – customers, employees, suppliers, communities and shareholders.
overcome misconduct risk
According to the New York Fed, Cultural Capital is a principle that defines the behavior, mindsets, and norms that determine how people act, and that makes companies more resilient to potential misconduct losses or misconduct events. Tone at the Top - management teams must take responsibility for how their decisions affect organizational culture and become accountable for their actions. Designing a reward system is one of many ways to overcome misconduct risks. During the financial crisis, the Wells Fargo management team’s ethical business behavior was widely publicized, and in recent weeks the Boeing 737 missteps, which caused the CEO’s resignation among other consequences, resulted in reputational loss and loss of public trust that were reflected directly in market performance.
empathy-driven leadership and emerging challenges
Empathy is a key leadership quality that inspires greater innovation as businesses embrace emerging technologies that take control away from humans and their decision making. An evolving trend that needs further research is around behavioral sciences and economics, to eliminate cognitive bias across the workforce in a highly volatile geopolitical environment. A recently published research study emphasized effective risk management policies and practices, allowing financial institutions great transparency and appreciation, with a strong independent risk management culture.
best practices for setting up the cultural capital framework
• Boards of Directors must ensure the Cultural Capital framework is independent of CEO oversight
• Boards of Directors and Management committees proactively share information early and often.
references
1. https://www.newyorkfed.org/medialibrary/media/governance-and-culture-reform/nyf-culture-conference-june-4-2019.pdf
2. Research work from Professor Amy Edmondson of Harvard Business School, “The Fearless Organization: Creating Psychological Safety in the Workplace for Learning, Innovation, and Growth”
3. https://www.hbs.edu/faculty/Pages/profile.aspx?facId=6451
4. https://www.wiley.com/en-us/The+Fearless+Organization%3A+Creating+Psychological+Safety+in+the+Workplace+for+Learning%2C+Innovation%2C+and+Growth-p-9781119477266
5. https://www.businessroundtable.org/business-roundtable-redefines-the-purpose-of-a-corporation-to-promote-an-economy-that-serves-all-americans
author
Nagaraja Kumar Deevi
Nagaraja Kumar Deevi is a senior strategic executive with over two decades of leadership experience in Finance, Risk, Regulatory, Digital, Analytics and Technology-enabled solutions, advising Global Banking & Financial Institutions. He is currently Managing Partner & Senior Advisor at DEEVI Advisory & Research Studies. NAG specializes in Digital Transformation, Banking Regulations, Regulatory Policy & Affairs and Enterprise-wide Strategic Risk initiatives. He has designed and developed an Enterprise Risk Governance Framework aligned with firm-wide Corporate Strategy, setting high-level Regulatory Policy, Risk Appetite Statement, Recovery and Resolution Planning (RRP)/Living Wills, Culture, Conduct & Reputational Risk. He makes effective use of Tools & Techniques addressing Risk Assessment, Risk Identification, Risk Measurement, Risk Prioritization, Risk Mitigation & Risk Response processes. NAG works closely with Academia and Research studies on Risk & Analytics and with AI-based startup companies through knowledge sharing, Solution Approach & Go-to-Market strategy, and has completed advanced management studies at Harvard, Columbia, NYU, Kellogg & MIT.
how US intelligence services analyze global risks like Covid-19
by Steve Lindo
in the intelligence world, volatile, uncertain and high-stakes risks occur 24/7
Terrorism, war, cyber-attacks, drug cartels – these are just some of the volatile and uncertain risks which confront US Intelligence Services every day. The teams of professionals tasked with analyzing these global risks face a herculean task, sifting through mountains of inconclusive and sometimes conflicting data, as well as expert opinions, emotions and cognitive biases, all under intense time pressure. In order to address these challenges, over the course of the last 25 years US Intelligence Services have developed and implemented a suite of analytical methods specifically designed to produce rigorous, objective and transparent assessment of complex, high-stakes situations such as these.
structured analytic techniques
The methods used by US Intelligence Services are known as Structured Analytic Techniques (SATs). Their origin stems from the cognitive and behavioral research which came to prominence in the 1980s, overlaid by a vast trove of actual intelligence analysis and outcomes. The framing and practice of these methods by US Intelligence Services began in earnest in the 1990s, was endorsed by the 9/11 Commission Report and incorporated as mandatory for high-stakes decisions where there are multiple possible outcomes in the 2004 Intelligence Reform and Terrorism Prevention Act. Today, this suite of methods encompasses more than 50 distinct techniques, which fall into three main categories:
• Diagnostic Techniques aimed at making analytic arguments, assumptions and inferences more transparent and objective
• Contrarian Techniques which explicitly challenge current thinking
• Imaginative Techniques which aim at developing new insights, different perspectives and/or alternative outcomes
All of these methods share field-tested characteristics designed to improve the outcomes of complex analysis. In particular they:
• Lever diverse views and expertise
• Encourage evidence-based assessments
• Slow down thinking
• Expose group-think and corner-cutting
• Respect, and test, intuition and gut feelings
• Document the analytical process for review and future learning
• Are explicitly endorsed by each agency’s executive leadership
Importantly, these methods don’t pre-empt the way that each agency makes its decisions, but rather strengthen the existing decision-making process by adding diagnostic, contrarian or imaginative analytics appropriate to each situation.
the private sector has no equivalent
In spite of the extensive, publicly-available documentation of these analytical practices, there is no evidence of their adoption in the private sector. One reason is a domain transfer barrier: businesses typically don’t look to government for best practices in decision-making or risk management. Another, more practical reason is that most businesses confront volatile, uncertain and high-stakes risks only rarely. When they do, they typically call upon the same fast and efficient decision-making practices which have served them well in familiar situations, where data, models and expert judgment are known to be reliable. Only when these fast-thinking decision-making methods prove disastrously wrong have private sector organizations recognized the need to develop slow-thinking decision-making practices like the ones used by US Intelligence Services.
the new normal - managing unpredictable risks
During the last 25 years, the risk management profession has come a long way, in terms of developing methods and processes to measure, analyze and manage predictable risks. However, the sudden onset of COVID-19 is now demanding a crucial pivot to analyzing and managing unpredictable risks. Levering the hard-won analytical experience of the US Intelligence Services is a lifeline that should not be ignored. On April 22 PRMIA featured a webinar which walked through the use of US intelligence methods to test a COVID-19 decision. As a sign of PRMIA’s commitment to helping the risk profession rise to the challenge of these troubled times, the webinar recording is available to all of PRMIA’s network.
author
Steve Lindo
Steve Lindo is a financial risk manager with over 30 years’ experience managing risks in ALM, funding, banking and trading portfolios. His current role is Lecturer and Course Designer at Columbia University’s School of Professional Studies, teaching Financial Risk Management to graduate students in Columbia’s MS in Enterprise Risk Management program. He is Principal of SRL Advisory Services, an independent consulting firm specializing in risk governance, education and strategy, financial technology innovation, risk data management, regulatory expertise, information risk management and financial litigation support. Mr. Lindo is a regular presenter at conferences, webinar host and author of risk management articles and case studies. He has a BA and MA from Oxford University and speaks fluent French, German, Spanish and Portuguese.
how to develop risk appetite statements that align with an organization’s governance activity, senior management’s vision, and core business needs/requirements
by Jason Thompson
let’s get started…
The development of risk appetite statements is conceptually difficult; moreover, creating statements that management can use, and that apply to day-to-day operations, has been extremely challenging if not impossible.
• Define risk appetite and explain how existing business processes and risk tolerances/performance metrics, such as Key Risk Indicators (KRI) and Key Performance Indicators (KPI), are organic inputs for the development of risk appetite statements.
• Discuss the importance of calibrating the risk appetite statement development process with an organization’s oversight activities, business processes, and procedures at all levels of management.
• Why functional continuous process improvement measures and rapid feedback loops are an integral part of a Risk Appetite Statement Model (RASM) and will:
1. Lead to an environment where decision makers have timely risk information
2. Ability to make more informed reprioritization decisions
3. And identify and respond (mitigate, avoid, etc.) to risks that may impact strategic objectives with reliable, consistent, and traceable data
• Provide the blueprints of a RASM that will support existing business processes, risk management practices, compliance requirements, performance measures, and strategic planning.
what is a risk appetite and how should it resonate throughout an organization?
Risk is the uncertainty of events occurring that may impact a desired outcome. The event may yield positive results, or it could cause financial losses, reputational damages, or a host of other undesired consequences.
The word appetite, at its core, means one’s ability or desire to take on or consume something. Risk appetite is the ability or desire to take on uncertainty at a level (or amount) that an organization has determined is in its best interest. An essential function of a well-defined risk appetite statement is to express senior leaders’ “vision” of the application of risk management practices. This “risk vision” should determine how staff operates in relation to taking on risks compared to potential gains. Conversely, input data (e.g. KRIs/KPIs) from the point of mission delivery (point of sale, services, desired outcomes, etc) should flow back to decision makers and potentially impact changes to an organization’s “risk vision.”
why should we calibrate risk appetite statements to an organization’s risk management practices, compliance activity, performance plans, mission, and vision?
The most effective and efficient organizations use a variety of reports and tools to gauge performance and measure/identify risky activity. These reports, tools, and measures should correspond with strategic objectives, regulatory requirements, and the allocation of resources, such as human capital, time, and money. A common disconnect is when these tools (e.g. KPI and KRI) are not calibrated at all levels of the organization, that is, the measures (targets/thresholds) fail to comport with the organization’s mission, strategic objectives, business needs/requirements, and what needs to materialize at the point of mission delivery. This misalignment may cause operational gaps, inaccurate or ineffective reporting, systemic issues, or other issues and problems. Equally, the calibration of the end-to-end process of developing risk appetite statements and all aspects of an organization’s operations is a top-to-bottom/bottom-to-top function. In the next section we will discuss ways to standardize this approach to ensure the RASM is a value-add proposition for the organization and its stakeholders.
how to build risk appetite statements that drive culture change, resonate risk awareness throughout the organization, and support the mission and strategic objectives?
When developing an organization’s risk appetite statements, one of the first questions is which inputs to use. Some organizations have opted to:
• Review with senior leaders about their risk capacity or ask senior leadership how they feel about certain risk activity - this does not go far enough.
• Other organizations have built their statements considering emerging risks to existing operations - this limits your depth as well.
Subsequently, with these approaches and other similar models, there may be gaps between how the statement impacts operations and vice versa. The RASM displayed in Figures 1 through 4 below considers all components of an organization’s operations and the ability to adapt to changing environments. The goal is to help all stakeholders (from the CEO to the line employee) understand and, more importantly, have a clear “risk vision” of and for the organization, specifically as it applies to their respective tasks and responsibilities.
Figure 1. Assumptions of RASM
Figure 2. Inputs and Data
Figure 3. Analysis
Figure 4. Statement and Report
let’s sum it up…
There are three primary objectives for developing Risk Appetite Statements:
1. Establish transparent enterprise-wide tolerances for risk capacity. For example, if a risk manager asks the Chair of an organization and someone in the customer service department the same risk related question, then each response is consistent and aligned.
2. Ensure an organization has sound risk management practices and measures that support strategic planning, capital budgeting, business requirements/needs development, innovation, process improvement, daily operations, quality assurance and all other aspects of running a successful enterprise.
3. The organization’s “Risk Vision” resonates with all stakeholders in concept and application.
author
Jason Thompson
Jason Thompson currently serves as a risk manager in the federal government, where he specializes in identifying and responding to operational risks. Prior to joining the federal government, Mr. Thompson was an advisor at FIS Financial, where he focused on projects relating to banking compliance in mid to large financial institutions, nondepository servicers, anti-money laundering, the Bank Secrecy Act, and other federal and state regulatory affairs. Prior to his role as an advisor, Mr. Thompson was Regional Vice President of Operations for JP Morgan Chase and a Retail Sales Manager at E*TRADE Financial. Mr. Thompson holds a Bachelor of Science Degree in Finance, with a Minor in Economics, and a Master of Business Administration from the University of Maryland.
de-biasing financial models
by Francesca Bergamaschi, Anna Slodka-Turner, Steve Lindo
are financial models biased?
A body of literature and social media has emerged in recent years, calling attention to the possibility that some models used by financial institutions to analyze risks and make important decisions may contain unintended biases. Proving or disproving the existence of unintended bias in a financial model and determining the potential negative consequences of such biases has been a challenge. In this article we argue that testing financial models for unintended biases may be a valuable component of model risk management.
the importance of independent model validation
As the practice of financial modelling has gained prominence and matured, model risk management has become an essential part of the models’ life cycle. Regulations such as SR11-7 provide guidance on model risk management practices in order to ensure that models perform as expected and in line with their intended use. However, the industry has yet to fully and structurally address the concept of validity of intended use, beyond the assessment of the underlying data, methodology and implementation from a strictly mathematical point of view. Indeed, while a model may be mathematically accurate in itself, it might not be well-framed, meaning that the underlying assumptions may be correct from a quantitative perspective, but not correct for the model’s purpose.
fit for purpose – a model validation challenge
Besides the quantitative assessment, it is important to assess the suitability of each model also from a qualitative perspective, addressing in particular how well it fits the specific context, as well as the drivers that impact the various parts of the model development process and ultimately affect the quality of the model. This includes assessing the impact of unintended bias, meaning those processes that influence our understanding, actions and decisions and lead without an individual’s awareness to a number of partial assessments and behaviors. Addressing methodically the impact of unintended biases in a model’s lifecycle is an important, but challenging step in making sure that a model is actually fit for purpose.
where model biases occur
Various aspects of the model life cycle may be influenced by unintended bias. One aspect is the underlying data of a model, which is particularly relevant as data is used in various parts of the model development process, such as the selection of model drivers or the calibration of parameters. Data is also used for benchmarking expert opinion, raising the possibility of biased data corroborating a biased opinion. Unintended bias may also impact the model architecture, leading to setting inadequate user and business requirements, thereby impacting the soundness and validity of the model’s assumptions. Finally, unintended bias may lead to misinterpreting the model’s outcome, which may be compounded by a false sense of security and blind trust in data/model-driven outcomes and decisions.
model bias types
Different types of bias may unintentionally distort the results of financial models. Cognitive bias is typically defined as a systematic error in thinking that affects the decisions and judgements that people make. Natural examples include conformity bias and confirmation bias, which may lead to setting unrealistic assumptions and to misinterpreting a model’s outcome. Bias driven by demographic differences, such as age, gender, domicile, and education, may lead to the development of a model which is unintentionally designed to fit a specific demographic. Moreover, data may be demographically biased in itself, for example when a sample is not representative of minorities or reflects past discrimination. Finally, macro-economic factors such as the global economy, climate change or wars may be the source of bias and lead to the setting of unrealistic assumptions.
Cognitive bias may influence several of the models that are part of the fundamental risk framework of financial institutions and that are currently used for crucial decision making and planning, such as economic capital, solvency and liquidity stress testing models. These models often incorporate strong components of expert judgement. In these situations, the model validation function manages the risk of biased input by following well-established guidelines to challenge the outcome of expert opinion.
Unintended bias may also affect relatively traditional models with a well-established validation process, such as retail and commercial lending models, or life and P&C insurance models. As awareness of model bias has increased, some of these models have been found to be prone to demographic bias, with the sources of bias ranging from the use of biased data to the use of biased expert opinion.
Biased historical data may lead the algorithms underlying predictive models to automatically select drivers for creditworthiness that lead to outcomes that discriminate against specific demographics. Only last year, gender discrimination complaints against the Apple Card triggered an investigation by New York State regulators on the algorithm used by Apple to determine the creditworthiness of its clients.
adverse consequences
The obvious immediate risk arising from biased models is that their predictions are not correct; for example, for lending models this means that high credit quality is assigned when low credit quality is due, and vice versa. In addition, banks may incur reputational damage and lose clients, who are becoming increasingly attentive to issues related to discrimination. Finally, banks may incur regulatory fines and losses arising from litigation.
In the aftermath of the 2007-2008 financial crisis, the international community reflected on how widely-used pricing models were not fully understood, not well-framed and improperly used. Prior to Lehman Brothers’ bankruptcy, investors encouraged by large returns demonstrated authority bias by being reassured by the fact that the increasingly complex mathematical pricing models were used and implicitly endorsed by recognized experts such as rating agencies and regulators. The sense of trust in the outcome of these models was boosted by confirmation bias, in the form of the over-optimism that characterizes all periods of economic upturn. Model validation is well-placed to expose the level of uncertainty around a model’s outcome created by unintended bias, thereby limiting and mitigating its potentially negative effect.
testing models for unintended biases
Detecting unintended biases in financial models requires a thoughtful and well-documented approach. The three-step process we describe below is an example of how to achieve this.
1. Create a Checklist
2. Analyze Variances
3. Test Assumptions
The first two steps are relatively straightforward. The checklist should list all known biases which can affect financial models, grouped under the categories of Cognitive, Demographic and Macro mentioned above, and be updated periodically with new additions or refinements. In the case of each specific model, the biases relevant to its design and output should be tagged for testing during validation. As regards the analysis of variances between a model’s results and actual outcomes, typically this is an established model governance requirement. For our three-part process, the additional use for this variance data is to review it for patterns or variances which cannot be explained by known causes, that may indicate the presence of one or more of the biases tagged for testing.
The third step - testing the assumptions which underlie a model’s design - requires collaboration with the model development and end-user teams. The first step is for each team to list all the assumptions which have to hold in order for the model to be accurate.
The second step is to select, from the list of all relevant assumptions (which could number 10-15 or more), the 3-5 assumptions that are crucial to the model’s accuracy, and examine: a) How strongly the underlying data supports each assumption, b) How reliable the underlying data is, and c) How much the failure of an individual assumption would impact the model’s accuracy. The purpose of this test is to confirm that each assumption is amply supported by evidence or, conversely, to expose the possible presence of unintended biases in one or more of the assumptions.
an example of testing model assumptions
A simplified example of this methodology is shown in the table below, which uses a 1-10 rating scale to test three assumptions underlying a residential mortgage loss forecasting model.
Note: The table’s design is adapted from a structured analytic technique (SAT) used by the US intelligence services.
In this example, high ratings of 8 or 9 in columns B and C confirm that each assumption is supported by reliable evidence. If, however, column B or C’s ratings were 2 or 3, this would indicate that the data does not support the assumption, thereby suggesting the presence of confirmation, causation or optimism bias. Conversely, a low rating of 2 or 3 in column D would indicate that the presence of biases in that particular assumption was not of crucial importance to the accuracy of the model. Other techniques used to test underlying model assumptions may be equally valid. More importantly, regardless of the method used, the inclusion of testing for biases as a requirement in the “valid for intended use” section of a bank’s model validation program has the beneficial effect of creating awareness among both model developers and users that they have to guard against allowing unintended biases to interfere with the accuracy of their model results and interpretation.
closing the gap
As financial models increasingly adopt machine learning and other advanced technologies, the need becomes pressing to adopt objective validation standards for determining their fitness for purpose. The three-step process for detecting unintended biases described above is our contribution towards the establishment of such standards. During the coming months, we intend to continue our research into the occurrence and prevention of unintended biases in financial models. We invite readers of this article to email us their own experiences of, or opinions on, this important subject.
authors
Francesca Bergamaschi
Francesca Bergamaschi is a mathematician working in banking as a quant. She is currently a model validator at ING Group, focusing mainly on Economic Capital and Stress Testing models. With a background in Number Theory, she holds a PhD from Leiden University (The Netherlands).
Anna Slodka-Turner
Anna Slodka-Turner is a banking expert, having worked for over 15 years across most banking functions and divisions. She led one of the largest global research surveys into the role and relevance of banks in customers’ lives. She is passionate about the role banks play in the economy and wider society, while staying ethical and fair. She holds a PhD from University of Lodz (Poland), and is currently a Global Leader for Risk Practice at Evalueserve.
Steve Lindo
Steve Lindo is a financial risk manager with over 30 years’ experience managing risks in ALM, funding, banking and trading portfolios. His current role is Lecturer and Course Designer at Columbia University’s School of Professional Studies, teaching Financial Risk Management to graduate students in Columbia’s MS in Enterprise Risk Management program. He is Principal of SRL Advisory Services, an independent consulting firm specializing in risk governance, education and strategy, financial technology innovation, risk data management, regulatory expertise, information risk management and financial litigation support. Mr. Lindo is a regular presenter at conferences, webinar host and author of risk management articles and case studies. He has a BA and MA from Oxford University and speaks fluent French, German, Spanish and Portuguese.
why focus on human capital risk?
by Oleg Lebedev
human capital impact
The impact of Human Capital on the economies of entire countries and individual organizations cannot be underestimated. At a macro-economic level, the quality and mobility of Human Capital are important factors when dealing with the consequences of the profound transformation of the world by technological advancements, the globalization of trade and production processes, demographic trends, and intense migration flows. Human Capital is firmly on the agenda of the World Bank and many Central Banks as a key driver of sound economic performance[1]. In a micro-economic context, Human Capital plays a pivotal role as an important intangible asset, providing a significant contribution to a company’s profitability despite not being listed on its balance sheet. The focus of this article is on Human Capital and the importance of successful management of risk it creates in the context of an organization.
key driver of human capital quality
The quality of Human Capital in any organization is driven by its employees’ education, experience, intelligence, skills, health and other values such as loyalty and punctuality (this list is not exhaustive). Some of these qualities are brought by employees to an organization when they join, while others have to be developed in the workplace and require investment. What becomes clear when looking at these qualities is that all of them can be improved with investment. However, only one stands out as a prerequisite in the development and maintenance of the other qualities – health. The health of employees (both physical and mental) is the most important underlying factor that determines the effectiveness of their investment, performance, and ultimately the quality of Human Capital. When people feel unwell, they cannot fully focus on executing their tasks and meeting their objectives, thus leading to a loss in productivity. Spillover effects should also be considered: as the performance of one’s immediate team suffers, other teams working together with the affected team will also suffer the negative consequences, and the whole organization will be underperforming. The more senior the role of the affected individual in the organization, the more severe the consequences as poor decision making at the top is much more significant for the livelihood of an organization.
1 / https://www.bis.org/review/r181121f.htm
human capital and profitability
The link between the profitability of an organization and the health of its employees at all levels of seniority is obvious: when people are increasingly stressed at work, their physical and mental performance suffer, ultimately leading to productivity loss, which will affect the overall performance of a company. A number of studies have consistently shown that in the US, workplace-stress-related costs to employers are estimated to be somewhere between $300 and $500 billion annually[2] - this represents around 2% of the GDP of the world’s largest economy. The numbers in the EU are similar, with 51% of Europe’s workers finding stress ‘commonplace’ in their workplace and about a third of the labor force being affected by work-related depression and burn out[3]. Another important factor in gauging shortfall in performance is the engagement of employees: only 13% of employees are engaged in their work, which costs US companies roughly $450–$550 billion annually[4]. Furthermore, research proves that inspired people can deliver over twice as much as their ‘merely satisfied’ colleagues. Companies that focus on productivity through more inspired workforce show a 30-50% higher operating margins growth than their industry peers[5]. In summary, an investment into the wellbeing of employees, positively impacting both their health and their engagement, can be quite substantial, easily translating into a double digit increase in an organization’s profitability.
successful management of human capital risk
Since people are at the center of every company’s activities, human capital risks, if materialized, can disrupt the execution of both the strategic and operational objectives of an organization. Given the substantial impact on performance and even the survival of an organization, Human Capital Risk (HCR) should be at the top of the list of things the Boards must pay attention to. However, it is often found that responsibility for this risk falls somewhere between the Enterprise Risk Management (ERM) and Human Resources (HR) departments, which do not always agree on the impact and management of HCR. The only way to ensure this risk is properly addressed is for businesses to take ownership of human capital risks[6]. Taking into account the potential disruption of the business and the inherent upside in monetary rewards if managed properly, companies should consider establishing a formal HCR process with business ownership and participation, and a standing group that oversees this process.
2 / https://www.benefitspro.com/2017/10/20/workplace-stress-costing-employers-500-billion-ann/?slreturn=20191001085145
3 / https://quickbooks.intuit.com/r/employees/the-hidden-costs-of-workplace-stress/
4 / https://www.fastcompany.com/3048751/happy-employees-are-12-more-productive-at-work
5 / https://hbr.org/2015/12/engaging-your-employees-is-good-but-dont-stop-there
6 / https://erm.ncsu.edu/library/article/human-capital-risk/
author
Oleg Lebedev
Oleg Lebedev, Founder of Ten Diffusions Limited, Partner at Feel Good In Companies, Co-Regional Director of PRMIA London Chapter
Oleg is a strategic business leader and board advisor who specialises in the efficient functioning of an organisation. With over 23 years’ experience in risk, business and technology transformation in the financial industry and an Executive MBA from London Business School, Oleg helps organisations to better understand risks and take advantage of technology disruption, shape and deliver required change through high-impact cross-functional programmes, and improve overall enterprise performance through increased productivity and better customer satisfaction resulting from higher levels of employee wellbeing.
PRMIA member profile - Michelle Allade
by Adam Lindquist
PRMIA Director of Membership
Interview with Michelle Allade, a very active PRMIA volunteer as well as a respected risk professional. Her insights in this issue of Intelligent Risk are helpful for risk managers across the globe.
Adam
Tell us about your risk role?
Michelle
I work as the Bank Model Risk Officer of Comenity Bank and Comenity Capital Banks (“the Banks”) which partner with more than 145 of the most respected retailers in the world, to provide credit cards to more than 50 million members. I am responsible for ensuring sound decision-making processes within the Banks by certifying that models used for decision making are reliable and well understood from the perspective of their assumptions and limitations. This leads to ongoing model improvements and ultimately the ability to react quickly to changes. My role is essential within the risk organization as models are leveraged across all facets of the Banks and are getting more complex with the adoption of Artificial Intelligence and Machine Learning. In my current function, I lead a team that manages the risk inherent to the use of models within risk management functions such as market and liquidity, credit and counterparty, operational, portfolio, and financial risks (i.e. capital forecasting and stress testing) and compliance as well as other critical business functions such as Pricing, Finance, and Marketing. The breadth of exposure allows me to drive alignment in assumptions used across models and break down silos in the decision-making process.
Adam
How did you get interested in risk?
Michelle
I stumbled into risk management after getting a bachelor’s degree in finance and economics. I landed a job as a research analyst for an insurance company where my main duty was to identify clients that fit the company risk appetite within its agencies’ book of business. This piqued my interest, and I decided to get a master’s within the field of risk management.
Adam
How is your bank addressing COVID-19 virus concerns?
Michelle
Employee safety and customers’ well-being are the primary concerns at our bank. As such, most of the associates are currently working remotely, and multiple measures have been taken to help customers who are experiencing financial difficulties caused by the COVID-19 pandemic.
From a risk management perspective, key actions have also been taken, including targeted analyses to better understand our risks along with prudent and timely actions to mitigate the downside of a potential global recession and ensure continuity of our operations. In addition, reporting of our risk metrics is communicated more frequently as we monitor the pandemic situation closely.
Adam
How do you think this will affect businesses in the future?
Michelle
Unfortunately, the immediate effect of the pandemic is already visible with businesses reducing their workforce and taking a conservative approach by reducing risk exposure and drawing down credit lines. Financial institutions encouraged by regulators have been quick to offer forbearance options to consumers. Some institutions, based on expectation of an upcoming recession and even prior to the COVID-19 outbreak, had already started cleaning up their portfolio of non-performing assets, adjusting credit policies and ensuring that they are well positioned from a credit, liquidity and capital standpoint. From a consumer perspective, I expect a shift in overall credit quality as impacted consumers reduce monthly payments, utilize COVID-19 forbearance options offered by many institutions, increase credit line utilization, open new credit lines and slowly experience score deterioration as a result. For consumers that are not yet impacted, I suspect a decrease in monthly payment as consumers attempt to increase their savings in the event of a job loss. I will also expect a decrease in overall discretionary spending and a boost in essential and discount-driven industries. Another point worth mentioning is that financial institutions should incorporate the financial impact of healthcare to the average consumer that ends up requiring a trip to the ER amid all this uncertainty. There is a lot of uncertainty around the length and severity of the impact with predictions changing rapidly. Regardless of the financial impact, COVID-19 will impact the way organizations operate, improve contingency planning, and highlight weaknesses in rigid practices.
Adam
What advice would you give to students thinking about a career in risk?
Michelle
A career in risk is very rewarding. I would say to focus on building a strong foundation and expertise at the initial stage of the career. Once the expertise is developed, a risk professional should understand how his or her role fits in the overall business process and the knowledge needed to impact changes. I would recommend model risk as a specific area because of the diversity of the exposure that this field offers. In order to reap the benefits from a career in model risk, students should prioritize consulting firms or smaller financial institutions. Big Banks tend to confine roles to a very narrow type of models which limits the learning opportunity for recent graduates.
Adam
What would you say are the top three skills risk managers need?
Michelle
In my opinion, the top three skills for effective risk managers are:
1. Technical skills: quantitative or analytical, information technology skills
2. Business knowledge: domain or function specific understanding to drive the most value from the technical skills
3. Communication skills: critical to share outcome of risk assessment for decision making process and building relationship needed to drive change.
Adam
You are a very active PRMIA volunteer. Why did you decide to volunteer, and what have you learned from the experience?
Michelle
I chose to volunteer with PRMIA because I believe in the mission of the organization. I also believe that each of us has multiple talents that cannot all be leveraged by our day job. For me, volunteering with PRMIA to help drive membership by reinforcing its value proposition allowed me to think outside the box and drive strategic initiatives. Through volunteering, I have learned that PRMIA members have diverse backgrounds and are making an impact in the world of risk management.
Adam
Where do you see yourself in five years?
Michelle
I would like to leverage my experience in risk to enable better strategies and execution at the enterprise level. The field of strategic risk management, which is the risk that failed business decisions, or lack thereof, may pose to a company, is definitely an area I can see myself in. My current role prepares me for such a role with the focus on emerging risk and the cross-functional requirement of managing risk. Strategic risk management as a discipline is an area that needs further attention and adoption across the industry.
author
Adam Lindquist
Adam Lindquist is the Director of Membership for PRMIA. His career background includes vertical integration disruption as a regional manager in banking, business development resulting in a 5-year run as fastest growing specialty retailer, and many entrepreneurial ventures.
interviewee
Michelle Allade
Michelle is a risk analytics leader with financial services experience focusing on Model Risk Management (MRM). She currently leads the Model Risk Management program of Comenity and Comenity Capital Banks. She previously worked as a consultant at KPMG where she helped various financial institutions (small, medium and large) implement and maintain robust model risk management programs. Michelle has specific experience building MRM programs from the ground up and optimizing processes of existing programs. She also led the development, validation and audit of various models within the stress testing space. Michelle’s primary focus is to optimize the enterprise-wide decision-making process through the lens of model risk. She is currently working on cross-functional governance for Artificial Intelligence models. Michelle has two Bachelors of Business Administration in Economics and Finance and a Master of Science in Mathematical Risk Management from Georgia State University.
PRMIA Vancouver spotlight
Vancouver: where you can ski, surf and learn more about risk management on the same day. The city is a global outdoors destination no doubt, but frequently overlooked as somewhere to build a successful career or network together a critical mass of risk professionals. The PRMIA Vancouver chapter is trying to better connect its members through common interests and current events presented by local thought leaders. By connecting local risk managers across the full breadth of industries, from mining to asset management, and facilitating learning opportunities and networking, the chapter fulfills an important role.
how does Vancouver chapter operate successfully?
Our chapter embraces the need to operate a little differently. First, we realized many years ago we have to appeal to future risk enthusiasts. We are highly involved with Simon Fraser University’s (SFU) downtown Beedie School of Business. Members take part in SFU’s Mentors in Business program, play a role with SIAS (one of Canada’s only student-led investment teams) and present at an annual designation event we put on with the local CFA society and CAIA. Since 2019, the chapter has asked for two SFU student volunteers to fill the Secretary and Membership Coordinator positions, which keeps the chapter running smoothly and offers an organizational immersion for students.
The Steering Committee reflects the city’s wide array of backgrounds, and we rely on their strong global connections to find attractive speakers and sponsorship opportunities. Our small size makes for a tight-knit leadership group who meet monthly and connect with members through a quarterly newsletter. We regularly bring in new faces and fresh ideas. We have made progress connecting with nearby chapters (Seattle, Calgary, and Edmonton) who face similar challenges and are talking about ways we can collaborate on meaningful events that expand what we could do alone. Our goals have been modest to date, relying on a few collaborative events with local non-risk associations and one or two panels for a dedicated risk audience. Momentum has grown this year, however, and our attendance at panels in 2020 has roughly doubled, to 30 people, from what we had on average last year. Now that we have greater traction in Vancouver, we want to encourage risk enthusiasts to become members and for PRMIA members to spread the word, thereby broadening the member base in this thriving chapter. Perhaps most unique of all, as a chapter member you can actively shape and contribute to the Vancouver risk community and support Vancouver on its journey to becoming not only a hiking destination but a destination for risk professionals across all industries.
events organized by the Vancouver chapter in 2019 and 2020 (sponsors featured in parentheses)
• Model Risk Management - panel discussion
• How are investors assessing and mitigating climate risks? (MSCI/Net Impact chapter at SFU)
• ESG Risk Management: A Case Study of the Financial Sector (MSCI)
• Designations – co-presented by CFA, CAIA and PRMIA annually
• Invest with Impact (MSCI)
We also want to give our appreciation to the SFU staff and students who support our events by providing meeting rooms, technical assistance, event setup and catering services. We treasure this important partnership!
PRMIA Risk Management Challenge
On behalf of PRMIA Vancouver we would like to congratulate Team No Limits – Marisa McGillivray, Sukriti Prabhdyal, and Adam Saad – from Simon Fraser University for passing through to the virtual 2020 PRMIA Risk Management Challenge (PRMC) International Challenge Round! We would also like to express our sincere thanks to all participating PRMC teams and our local judges, the unsung heroes. The Vancouver PRMC Regional Round, which was recently held, was conducted virtually due to the global COVID-19 pandemic.
The Risk Management Challenge, a case competition of the PRMIA Institute, empowers undergraduate and graduate students by taking them beyond the classroom and gives them exposure to real-world business situations. The Challenge offers students the opportunity to apply the concepts they have learned and showcase their knowledge, critical thinking skills, leadership, and presentation abilities.
Regional Directors
• Andy Leung, CTO, AquaNow
• Sarah Reppchen, Leader, Risk Advisory, Deloitte (Incoming)
• Carl Densem, Manager, Central 1 Credit Union (Outgoing)
Steering Committee
• Amit Budhwar, Director, Risk Management, Powerex
• Benjamin Jang, Portfolio Manager, Nicola Wealth Management
• Carlos da Costa, Lecturer, Simon Fraser University (SFU) / University of British Columbia (UBC)
• Cesar Oboni, Vice-President, Oboni Riskope Associates
• David Baxter, SVP and CIO, Peoples Trust
• Kevin Chen, Commercial Specialist, BMO Private Banking
• Tony Webb, Quantitative Advisor, FINCAD
Secretary (Graduate student volunteer)
• Chintan Matalia, MSc Finance Candidate, Simon Fraser University
Membership Coordinator (Graduate student volunteer)
• Paapa Essel, MSc Finance Candidate, Simon Fraser University
probit analysis for financial attitude: case of Kazakhstan
by Maya Katenova
Both the 2015 and 2019 surveys were performed by KIMEP University student groups as a class project in the spring semester of each year, using face-to-face and paper-and-pencil surveys in different cities and towns of Kazakhstan. After excluding answers that were invalid or unsuitable for the analysis, the total number of survey responses was 830 for the 2015 study and 983 for the 2019 study. One of the weaknesses of survey data may be the possibility of mindless responses and random guesswork. To reduce possible distortions from mindless answers and random guesswork, we cut the middle portion of the literacy scores (2 and 3 points out of 5 points). This left a total sample of 529 observations for the 2019 survey and 443 observations for the 2015 survey. Then, we transformed the data into binary observations of 0 and 1, since we cannot be sure of the exact differences in financial knowledge between literacy scores of 0 and 1 or between scores of 4 and 5. We assigned 0 for literacy scores of 0 – 1 and 1 for literacy scores of 4 – 5. We simply treat the continuous knowledge difference as a latent variable, and the observation of respondents’ knowledge as two discrete alternatives, financially “illiterate” and “literate.” These trimmed binary data are analyzed in a series of probit analyses to find the probability of being financially literate based on an individual’s personal profile, and the probabilities of choosing a proper financial attitude/behavior based on the level of basic financial literacy, controlling for the impacts of personal profiles. The following hypotheses are investigated:
H1: Personal profiles such as gender, education level, ethnicity, hometown, marital status, and income will influence the probability of answering the basic financial literacy questions correctly.
H2: The higher the level of basic financial literacy a person has, the higher the probability of making better financial decisions on retirement planning and delinquency in payment, and the more frequently the person makes money-related decisions.
In the 2019 survey, Business Education and Hometown have a significant positive impact on the basic financial literacy level. A person with more than one year of business education and/or residing in a city has most likely acquired a higher level of financial knowledge. Gender, Ethnicity, Marital Status, and Income do not significantly impact the level of financial literacy. The 2015 survey shows, however, that females are more likely to have lower scores in financial literacy, which is evidenced in many previous studies. There are no significant differences in financial knowledge between Kazakhs and non-Kazakhs, between village and city dwellers, and between Single and Non-Single. The marginal impacts of these variables, assuming other variables are at their mean levels, are provided in the δP/δX columns.
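The trimming, binary recoding and probit estimation described above, as an added Python illustration that is not the author's code. The cell counts are constructed rather than taken from either survey, the two regressors (business education and city residence) are a subset chosen for brevity, and the marginal effect uses the standard at-the-means formula pdf(x̄·β)·β_k, which is assumed to be what the δP/δX columns report.

```python
import math

# Constructed counts, not survey data: (business_edu, city, n_low, n_mid, n_high)
# n_low = scores 0-1, n_mid = scores 2-3, n_high = scores 4-5
CELLS = [(0, 0, 22, 10, 8), (0, 1, 16, 10, 14), (1, 0, 12, 8, 16), (1, 1, 8, 8, 24)]

def build_rows():
    """Expand the cell counts into (literacy_score, (business_edu, city)) rows."""
    rows = []
    for edu, city, low, mid, high in CELLS:
        rows += [(i % 2, (edu, city)) for i in range(low)]
        rows += [(2 + i % 2, (edu, city)) for i in range(mid)]
        rows += [(4 + i % 2, (edu, city)) for i in range(high)]
    return rows

def trim_and_binarize(rows):
    """Drop middle scores 2-3; code 0-1 as 0 (illiterate) and 4-5 as 1 (literate)."""
    return [(1 if score >= 4 else 0, [1.0, *x]) for score, x in rows if score not in (2, 3)]

def pdf(z):
    return math.exp(-0.5 * z * z) / math.sqrt(2 * math.pi)

def cdf(z):
    return 0.5 * (1 + math.erf(z / math.sqrt(2)))

def solve(a, b):
    """Solve a x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [a[i][:] + [b[i]] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for j in range(c, n + 1):
                m[r][j] -= f * m[c][j]
    x = [0.0] * n
    for i in reversed(range(n)):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x

def score_and_information(data, beta):
    """Gradient of the probit log-likelihood and the expected (Fisher) information."""
    k = len(beta)
    g = [0.0] * k
    info = [[0.0] * k for _ in range(k)]
    for y, x in data:
        eta = sum(b * v for b, v in zip(beta, x))
        p = min(max(cdf(eta), 1e-12), 1 - 1e-12)
        d = pdf(eta)
        for i in range(k):
            g[i] += d * (y - p) / (p * (1 - p)) * x[i]
            for j in range(k):
                info[i][j] += d * d / (p * (1 - p)) * x[i] * x[j]
    return g, info

def fit_probit(data, iters=100, tol=1e-10):
    """Maximum likelihood by Fisher scoring, starting from beta = 0."""
    beta = [0.0] * len(data[0][1])
    for _ in range(iters):
        g, info = score_and_information(data, beta)
        step = solve(info, g)
        beta = [b + s for b, s in zip(beta, step)]
        if max(abs(s) for s in step) < tol:
            break
    return beta

def marginal_effects_at_mean(data, beta):
    """dP/dX_k = pdf(xbar . beta) * beta_k, with every regressor held at its sample mean."""
    n = len(data)
    xbar = [sum(x[j] for _, x in data) / n for j in range(len(beta))]
    density = pdf(sum(b * v for b, v in zip(beta, xbar)))
    return [density * b for b in beta[1:]]  # skip the constant

if __name__ == "__main__":
    sample = trim_and_binarize(build_rows())
    coefs = fit_probit(sample)
    print("kept", len(sample), "of", len(build_rows()), "responses")
    print("constant, business_edu, city:", [round(b, 3) for b in coefs])
    print("dP/dX at means:", [round(m, 3) for m in marginal_effects_at_mean(sample, coefs)])
```

Because the regressors here are 0/1 indicators, the at-the-means derivative is an approximation of the discrete change in probability when an indicator switches from 0 to 1.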
In the 2019 survey, the probability of having a Retirement Plan is significantly negatively impacted by Gender and positively impacted by Hometown, Marital Status, and Income. Females are less likely to have a retirement plan, while those who live in cities, are married or non-single, and have higher incomes are more likely to have planned for retirement. The marginal impact of Income is the highest, showing that a move from the higher income group to the lower or no income group reduces the probability of having a retirement plan by 24%. Interestingly, Literacy Level and Business Education have no significant impact on the retirement plan. Again, we suspect that a large number of students who have more financial knowledge and higher business education but have not yet planned for retirement were sampled in this survey. Delinquency in Payment is significantly positively impacted by Literacy Level and Business Education, but significantly negatively impacted by Marital Status and Income. A person with higher financial knowledge and higher financial literacy is most likely never or rarely delinquent in payment. However, a person in the higher income group and/or married/non-single has a higher probability of delinquency in payment.
This high probability of delinquency for the higher income group may be due to the unexpected deterioration of the economy caused by the oil price collapse in 2014 and the substantial currency depreciation in 2015. Gender, Ethnicity, and Hometown do not impact the probability of having planned for retirement. Strong marginal impacts are observed in the level of financial literacy (15%) and Income (13.7%). Those who are female and/or non-Kazakh make fewer money-related decisions compared to males and Kazakhs, and those who are married or non-single and earn higher incomes most likely make frequent money-related decisions. Financial Literacy level and the level of Business Education do not differentiate the frequency of money-related decisions. Again, as in Retirement Plan, we suspect that a large number of students were sampled in this survey. In addition, Hometown also did not impact the probability of making frequent money-related decisions.
In the 2015 survey, the probability of being prepared with a Retirement Plan was impacted significantly negatively by Business Education, and significantly positively by Marital Status and Income. A person with a higher business education level is most likely not planning for retirement. Together with the non-significance of Literacy Level in the 2015 and 2019 surveys and the non-significance of Business Education in the 2019 survey, we can interpret that the retirement plan is influenced by neither business education nor financial literacy level. Rather, a married/non-single person and/or higher income earner is strongly likely to prepare a retirement plan. The marginal impact of Income on Retirement Plan is the highest, at -0.372. Assuming other variables are at their mean values, a person whose income is less than $25,000 or zero has a 37% higher probability of not being prepared for retirement compared to a person with an income higher than $25,000. Delinquency in Payment was significantly negatively impacted by Literacy Level, Ethnicity, Hometown, and Marital Status. An interesting point here is that a person with a higher Literacy score tends to be delinquent in payment more frequently than a person with a lower Literacy score. This result is the opposite of our expectation and conflicts with the result shown in the 2019 survey. This result may indicate the experiences of massive loan defaults and economic hardships after the financial crisis of 2008-2009. Non-Kazakhs, those who reside in cities, and those who are married/non-single are more frequently delinquent in payments. Females are less likely to be delinquent in payment compared to males in the 2015 survey. Non-Kazakhs make more money-related decisions compared to Kazakhs in the 2015 survey, which is the opposite of the finding in the 2019 survey. Married/Non-Single people make more money-related decisions compared to single people, which is consistent with the result in the 2019 survey.
Again, Literacy Level and Business Education do not influence the probability of making frequent money-related decisions. A summary of the relationships between financial attitude/behavior and literacy level/personal profiles is shown with binary signs, positive attitude/behavior (+) and negative attitude/behavior (-). Literacy Level and Ethnicity do not influence the probability of making a Retirement Plan. However, Marital Status and Income Level move the attitude toward Retirement Plan in the positive direction. The influences of Gender, Business Education, and Hometown on the probability of a Retirement Plan are not continuous: they are significant in one year and insignificant in another. However, the non-significant influences of Gender and Business Education in one year show the same signs as in the year with significant influence. Those who are male and have a low business education level are likely to have a retirement plan. The significant negative sign for the constant means that a person has most likely not planned for retirement if the person has low literacy and business education levels, is male and Kazakh, lives in a village, is single, and earns no or low income. The Literacy Level shows conflicting results between the two years in Delinquency in Payments behavior. Highly literate people are delinquent less frequently in 2019, while the opposite is true in 2015. Singles are less likely to be delinquent in payments compared to married/non-single people in both surveys.
Literacy Level, Business Education, and Hometown are not significant in influencing the frequency of money-related decision-making. Married/non-single people make more frequent money decisions compared to singles in both surveys. Ethnicity shows conflicting results between the two years: Kazakhs make more money-related decisions compared to non-Kazakhs in the 2019 survey, and the opposite is true in the 2015 survey. The impacts of Gender and Income are not continuous. Only in the 2019 survey do males and high-income earners make more frequent money-related decisions.
author
Maya Katenova
Maya Katenova, DBA, PRM, DipPFM, Assistant Professor of Finance, KIMEP University. Maya teaches bachelor students as well as master students including Executive MBA students. She received a Teaching Excellence Award in 2017. Courses in her portfolio include Financial Institutions Management, Ethics in Finance, Financial Institutions and Markets, Principles of Finance, Corporate Finance and Personal Finance. She has supervised the Master Thesis Dissertations of several students and has numerous publications in different journals including high quality (Q1-Q2) journals. Her research interests are mostly related to financial literacy and retirement planning as well as corporate social responsibility and global ethics. Maya is a Professional Risk Manager and is planning to teach Risk Management in future. Her future career is strongly connected with Risk Management conferences, symposiums and workshops.
PRMIA calendar of events
Please join us for an upcoming training course, webinar, regional event, or chapter event, offered in locations around the world or virtually for your convenience. Watch the PRMIA website at www.prmia.org for information on new event and learning opportunities.
PRM SCHEDULING WINDOW March 14 - June 19, 2020
IBOR TRANSITION 2.0: SHIFTING FROM PLANNING TO EXECUTION May 6 – Webinar
FOUNDATIONS OF MACHINE LEARNING AND ARTIFICIAL INTELLIGENCE FOR FINANCIAL PROFESSIONALS May 12 – June 30, Weekly Sessions – Virtual Training
SKILLS AND COMPETENCIES FOR RISK MANAGERS OF THE FUTURE May 13 - Webinar
FUNDAMENTALS OF FINANCIAL RISK MANAGEMENT May 19 – June 8, Weekly Sessions – Virtual Training
PRM TESTING WINDOW May 25 - June 19, 2020
COST-BENEFIT METHODOLOGY TO VALUE CLIMATE CHANGE RESILIENCE June 3 - Webinar