TM - Chapter 16 TEXTBOOK

External theft/fraud risk

- (Risk) Payment process (e.g., false invoices): (result) A/P controls: positive pay, debit blocks/filters, authorization process, segregation of duties. - (Risk) Check fraud: (result) Replacing paper-based payments with electronic payments. - (Risk) ACH network fraud: (result) Debit blocks/filters, daily ACH reconciliation, timely ACH returns. - (Risk) Breach or compromise of databases: (result) Physical and electronic security. (Risk) Malfeasance: (result) Corporate culture, ethical directives, strict code of conduct - (Risk) Robbery or theft: (result) Armored car services, automated safes

When examining an organization's overall enterprise risk, there are many types of risk that must be considered:

- Direct Responsibility of Treasury: ---> Market Risk ---> Credit Risk ---> Liquidity Risk - Other Types of Risk: ---> Operational Risk ---> Legal and Regulatory Compliance Risk ---> Event Risk ---> Business Risk ---> Strategic Risk ---> Reputation Risk

Disaster Recovery and Business Continuity

- Disaster recovery refers to the restoration of systems and communications after an event causes an outage. - Business continuity refers to the actions taken with regards to crisis management, alternative operating procedures, and communications to staff and customers. - Financial Parties: ---> Internal recourses: include treasury staff, computer systems, policies, procedures, processes, and other facilities. ---> External financial counter parties: Include financial institutions, market information providers, vendors, and financial markets. ---> Infrastructure: The infrastructure linking the two must be well designed and should include both internal and external networks, such as computers, servers, telecommunications, utilities, and vendor support services.

Purpose of risk management

- Identify future events creating uncertainty. - Economic/regulatory effects of negative possibilities. - Guide recovery when serious negative events occur. - Costs to mitigate or eliminate

Operational Risk Management

- Internal Risks ---> employee ---> process ---> technology - External Risks ---> financial institutions ---> counter party ---> legal and regulatory compliance ---> supplier ---> external theft/fraud ---> physical and electronic security ---> natural disaster ---> terrorism

Legal/Regulatory and Sovereign Risks

- Lawsuits or other legal actions - Growth of governmental regulations ---> Terrorism and anti-money laundering ---> Understand and comply with each jurisdiction - Sovereign risk --->Expropriation --->Loss of foreign asset value ---> Tax risk

criteria for selecting an issuer

- Long-term solvency of the insurer - Rating for the insurer ---> A.M. Best ratings ---> Best's Financial Strength Ratings ---> Best's Issuer Credit Ratings - Service provided - Cost versus exposure - Industry knowledge and experience

insurance management - types of losses:

- Property loss (e.g., from internal or external theft) - Business interruption or net income loss - Surety or breach of contract loss (e.g., from a contractor's failure to perform) - Liability loss (e.g., lawsuits from injured customers) - Personnel loss (e.g., loss of the president or other key employees) - Workers' compensation claims - Cyberrisk loss (e.g., loss caused by data or network security breach)

Step 2 of Risk Management Process: Identify Potential Exposures

- Risk exposure in all areas of the organization need to be identified clearly both in terms of their likelihood (i.e., probability of occurrence) and their potential impact on the organization. ---> For example, financial risks such as interest rate variations, foreign exchange (FX) rate changes, or fluctuations in commodity prices will vary depending on the industry and form of the business organization or government agency. ---> Operational risk is also an important considerations, especially for organizations with significant treasury operations. - Timely and accurate exposure info is critical for effective risk management. - A company's risk profile refers to how the company's overall value changes as the price of financial variables changes. ---> The basic risk profile for a public company shows how the firm's earnings per share, common stock price, or overall value responds to changes in interest rates, FX rates, or commodity prices. - The risk profile is an important tool used to identify key areas of exposure. Specifically, a risk profile analysis identifies the risks, classifies each risk into clearly defined categories, and quantifies the risks with respect to the probability of occurrence as well as the financial impact. ---> The analysis can be used to evaluate the effectiveness of the risk reduction measures that are employes. In some organizations, this process is known as a risk self-assessment. (often called RCSAs, risk and control/self-assessments).

Technology risks (powerpoint)

- Security breaches ---> Internal ---> External - Platform or vendor ---> After-sale installation and support ---> Vendor may go out of business - Failure of vendor-acquired ---> Hardware ---> Software ---> Communications devices - Capabilities, capacity, compatibility - Spreadsheets: ---> Mission-critical? ---> Difficult to audit ---> Avenue for mistakes, file corruption, fraud

techniques used to measure risk & evaluate the potential financial impact of certain firm-level risks:

- sensitivity analysis - scenario analysis - value at risk (VAR) - cash flow at risk (CaR) - Monte Carlo simulation

Disaster recovery plan

1 identify mission-critical functions 2. assess risks 3. evaluate contingency plans 4. prioritize corrective action 5. create a communication plan

the risk management process involves six steps:

1. Determine the organization's risk tolerance. 2. Identify potential exposure. 3. Quantify the impact and level of exposures. 4. Develop and Implement an appropriate risk management strategy to manage those exposures. 5. Monitor the exposures and evaluate the effectiveness of the strategy. 6. Review and modify the strategy as needed.

`4 objectives to insurance management:

1. insure against catastrophic loss 2. decide when and what to insure 3. manage the purchase and use of insurance 4. Obtain efficient pricing for insurance needs. - insured losses may still result in lost profits.

Insurance Management

A decision-making process that identifies the possible losses and determines if insurance should be purchase against the risk of that loss and how much insurance is needed. - use of insurance is a specific form of risk management in which financial protection or reimbursement for possible losses is purchased from another party.

Credit Risk

A type of counter party risk. Its related to how a change in the credit quality of a company would affect the value of a security or portfolio of investments. - Default on an investment or security is the extreme case of credit risk, but downgrading of a security can also be an issue. - In some cases, the creditor may recover some value after default, and the amount recovered is called the recovery value or rate. ---> When given as a percentage, it is called the loss given default. - Arises both from transactions and from risk in the portfolio due to concentration of similar assets. (lack of portfolio diversification, when the assets in a portfolio are all concentrated in a single area, industry, or type of security.

Group Captive

Also known as an association captive, resembles a single-parent captive except that it provides risk financing for multiple owners instead of just one. - The captive may be owned jointly be each of the individual parents or by an association that the parent companies have formed. - This shared ownership makes the group captive arrangement a form of insurance by virtue of the transfer of risk. In most cases, group captives are industry-based, which allows risk transfer across similar risks.

Step 5 of Risk Management Process: Monitor the Exposures and Evaluate the Strategy

An organization should monitor each material risk exposure. - The monitoring frequency depends on the likelihood of the risk, the materiality of the risk, and the organization's appetite for risk. - The effectiveness of each strategy must be periodically reevaluated as well. Such evaluations should be performed with the overall risk tolerance level in mind.

Single-parent captive

Another approach to risk retention is the use of a captive insurance company. - A single-parent captive is a subsidiary owned for the purpose of insuring the risk of a parent company or its affiliates. - The captive provides guaranteed access to insurance, may be used to provide unique types of insurance coverage or favorable rates, and often generates tax advantages for the parent company. - It should be noted that a major loss could result in insolvency for the captive, but the parent company would survive.

Technology Risk

As the treasury area of an organization increasingly relies on technology, the operational risk associated with the use of technology increases. - Security breaches related to technology can either be internal or external types of risks. - Another type of technology risk is the risk associated with the choice of a particular technology platform or vendor, including issues such as the need for after-sale installation and support or even the risk that a vendor may go out of business. - May also involve extensive use of computer based spreadsheets in many parts of an organization's day-to-day operations.

Cyberrisk (powerpoint)

Breaches of employee, customer,and corporate data. - Primary cyberrisk: Current and former employees - Financial criminals: customer credit card information. 1. Phishing e-mails gain access to employee e-mail. 2. Who requests and initiates wires? 3. Fake CEO wire request.

general risk management

Effective risk management helps minimize the adverse effects of actual and potential losses by either preventing such losses from occurring (i.e., risk control) or financing the recovery from any losses that do occur (i.e., risk financing). - the purpose of an organization's risk management process is to: ---> help managers identify future events that create uncertainty ---> respond to negative possibilities by balancing the negative economic and/or regulatory effects of these possibilities with the costs that will be incurred to mitigate or eliminate them. ---> guide recovery actions when serious negative events occur.

Which is a more significant source of employee risk than the others?

Employee data entry errors (transposition or deletion errors are very common)

Sensitivity Analysis

Examines the impact of a change in the value of a variable on a selected outcome measure, assuming all other variables are held constant. - The value of a single input is varied and the change in the financial model is observed. - Helps to identify the variables that have the greatest influence on a financial model (e.g., NPV). Once identified, these variables can be categorized as uncontrollable or somewhat controllable. ---> A monitoring protocol should be established to alert the user to unfavorable movements in the uncontrollable variables so that operations can be adjusted as needed.

Step 4 of Risk Management Process: Develop and Implement an Appropriate Risk Management Strategy

Four essential risk management approaches: - Avoid the Risk: This approach may involve a company deciding not to enter into a certain line of business or utilize a particular business or manufacturing process due to the risks involved. (choosing a particular process) - Mitigate the Risk: Mitigating risk generally involves putting appropriate controls in place to limit the potential risk exposure. In financial risk management, approaches such as using derivatives or balance sheet hedges create a financial position that offsets the risk from an ongoing business process. Other risk mitigation approaches include process and facility design, project management, education, and compliance management. - Transfer the Risk: With this approach, the organization moves a given risk to another party. The primary means of transferring risk is through insurance. A company may also contractually transfer risk by requiring that the risk be borne by another party in the supply chain. - Retain the Risk: Some lines of business carry inherent risks, and it may not be possible to completely avoid, transfer, or mitigate all the risks in certain types of operations. In these cases, it may be optimal to selectively bear some risks. Since the risk of loss is retained and not transferred to another party, the firm must have the financial resources available to cover those losses.

Enterprise Risk Management (ERM)

Refers to a comprehensive, organization-wide approach to identifying, measuring, and managing the various risks that threaten the achievement of the organization's objectives. - the topic of ERM is pertinent to treasury professionals since the treasury function is typically responsible for some of ERM's subcategories, such as financial risk management. - one purpose is to ascertain if and how each department contributes to, or is impacted by, a particular risk category. - the comprehensive approach allows the full scope of risk to be assessed across division lines.

Risk Management Policy and Governance

Regardless of an organization's approach to risk, it is important for the firm's risk management committee and chief risk officer to have a clearly defined risk management policy endorsed and approved by the highest management level possible, preferably the board of directors. The policy should: --> Contain a concise statement of the risk management goals and the overall scope of the risk management policy (e.g., avoid, mitigate, transfer, or eliminate risk) ---> Define authorities and responsibilities as well as the role of the chief risk officer. ---> Identify the types of exposures to be managed. ---> Delineate the mitigation techniques and products that may be used. ---> Outline the process for determining the specific strategies to be employed and exposures to be mitigated. ---> Summarize the process for monitoring performance of the strategies. ---> Outline contingency plans ---> Require periodic review of the policy and testing of plans.

Cyber risk

Security breaches involving employee, customer, and corporate data represent cyberthreats. These cyber breaches may come from both internal and external sources. - Current and former employees represent the primary source of cyber risk for an organization, given the access that they have to information. Internal cyber attacks may be deliberate or the result of an employee error. - Other attacks may result from an employee opening phishing e-mails. Most business email compromise (BEC) scams begin with a phishing e-mail that is used to gain access to an employee e-mail account. After monitoring that employee s email account to determine who requests wire transfers and who initiates them, the fraudster will generate a fake e-mail from the CEO requesting the initiation of a wire transfer.

Step 3 of the Risk Management Process: Quantify the exposure

The chief risk officer or other senior management must evaluate whether the organization can tolerate the risk, and whether the risk should be reduced, transferred, or eliminated. - Quantitative assessment is important in order to: ---> assess the materiality, or level, or the exposure (exp: high/medium/low) ---> Assess the estimated timing of the risk. ---> Identify the risk drivers or factors that cause the risk to materialize. ---> Determine the profitability or likelihood for losses due to the exposure. ---> Provide a benchmark for assessing risk mitigation strategies, generally in a cost-versus-benefit framework. - When quantifying materiality, a typical approach is to measure the cost or financial impact of a given risk. Material risks are those that exceed a predetermined level of financial impact or a predetermined level of risk to the organization. Materiality of risk exposure may vary significantly across firm characteristics and should be assessed and reevaluated on a regular basis. The materiality of exposure will normally drive the frequency and amount of monitoring and testing needed. - Qualitative assessment is important to the overall design of appropriate risk mitigation strategies from both an economic and an accounting perspective. A qualitative assessment should include: ---> Examine basic operating procedures to determine where mitigation strategies, such as hedges, may be useful (e.g., a balance sheet hedge matches exposed liabilities against exposed assets and is referred to as asset/liability management. ---> Determine how fundamental business processes contribute to risks and permit the identification of possible solutions. ---> Ensure that derivatives are structured and sized appropriately and proper accounting procedures are followed when derivatives are used as part of financial risk mitigation strategies.

Step 1 of risk management process: Determine Risk Tolerance

The degree of risk tolerance will vary across organizations. - examples: ---> To gain a competitive advantage, a new company in a rapidly evolving industry may be more aggressive in taking significant risks. ---> To protect an existing competitive advantage, an established company in a mature industry may be more cautious about taking risks. ---> Government entities and not-for-profit organizations may be averse to assuming even small risks. ---> A company's ability to accept risk may be limited by covenants or indentures in agreements or charters.

Risk transfer

The essence of any risk transfer is a contract between a transferring organization (i.e., the transferor) and another entity (i.e., the transferee), under which the transferee agrees to pay designated types of the transferor's losses within contractual limits. - contractual transfer - guaranteed cost insurance program - retrospective (retro) rated insurance program

Reputation Risk

The risk that customers, suppliers, investors, and/or regulators may decide that a company has a bad reputation and decide not to do business with that company.

Step 6 of Risk Management Process: Review and Modify the Strategy as Needed

The risks that an organization faces change over time and its risk tolerance may also change. - An effective risk management strategy must adapt to deal with these changes. - Any risk strategy should be reviewed periodically in light of the quantitative results of the risk management program to determine what, if any, changes are needed.

Risk transfer

Transferee agrees to pay for certain losses for fee or business contract. - Contractual transfer (hold harmless) - Guaranteed cost insurance program - Retrospectively (retro) rated insurance program

Liquidity Risk

Typically divided into two areas: funding liquidity risk and asset liquidity risk. - Funding liquidity risk related to an organization's ability to raise necessary cash to meet its obligations as they come due. It is often linked to the ability to raise short-term and long-term capital in a timely manner, and it typically is managed by holding marketable securities or through available lines of credit. ---> An example would be a corporation with an active commercial paper program. - Asset liquidity risk relates to the ability to sell an asset quickly and at close to its true value. ---> Especially a problem for organizations holding portfolios of investment assets, particularly if those assets are not fully liquid due to the type of asset or general market conditions.