Chapter 15 - Operational and Enterprise Risk Management


Value at Risk (VaR)

= Total Currency Value x [Mean - 1.65 x Standard Deviation]

Risk Management Policy

A clearly defined policy, endorsed and approved by the highest management level possible, to address risk. It should:
- Contain a concise statement of the org's risk management goals and the overall scope of the risk management policy
- Define authorities and responsibilities
- Identify the types of exposures to be managed
- Delineate the mitigation techniques and products that may be used
- Outline the process for determining specific strategies to be employed and exposures to be mitigated
- Summarize the process for monitoring performance of the strategies
- Outline contingency plans
- Require periodic review of the policy and testing of the plans

Enterprise Risk Management (ERM)

A comprehensive, organization-wide approach to identifying, measuring, and managing the various risks that threaten the achievement of the organization's strategic objectives and therefore its overall operations.

Retroactive Date

A date in some claims-made insurance policies that limits coverage to events that occur after that date. Claims for issues that happened before the date will not be covered.

Insurance Management

A decision or problem-solving process that identifies the possible losses and determines if insurance should be purchased against the risk of that loss and how much insurance is needed. The issue is about the company's risk tolerance threshold and involves looking at concepts like total cost of risk, rather than just purchasing insurance coverage.

Total Cost of Risk (TCOR)

A metric that captures all the elements of risk management, including insurance premiums, self-retained losses, and any risk management administration expenses.

Sensitivity Analysis

A risk measurement technique that examines the impact of a change in the value of a variable on a selected outcome measure, assuming all other variables are held constant. Used to alter the value of a single variable in a spreadsheet or computer model to see how a change in that variable affects the outcome. Helps to identify the variables that have the greatest influence on net cash flow. These variables can be categorized as uncontrollable or somewhat controllable.

Monte Carlo Simulation

A risk measurement technique that is a simulation method that uses probability and random numbers to solve a variety of problems. It uses computer models and random numbers to run repeated simulations of an event to determine the likelihood of specific outcomes. A probability distribution for net cash flow emerges over the course of many runs. Often used for new products to be introduced to the public.

Value at Risk (VaR)

A risk measurement technique that is a statistical technique developed to estimate the maximum potential losses of a trading operation or portfolio for a given period of time -- in other words, the worst-case scenario. It was designed to incorporate a wide range of risk factors and summarize their impact into a single measure that answers the question: what is the most I can expect to lose over a given period of time with a reasonable amount of certainty? Example: one-day 5% VaR of $10mm (only a 5% probability that the securities will fall in value by more than $10 million in one day).

Scenario Analysis

A risk measurement technique that is similar to sensitivity analysis, but more than one variable is altered at a time. Usually starts with a base case and develops a best- and worst-case scenario to assess the range of possible outcomes for net cash flow or another value of interest.

Data Breach

A type of External Theft / Fraud Risk. Occurs when there is a loss of data or other digital media from an org's computer systems. Could involve either sensitive internal information from the org or info about the org's suppliers or customers.

Robbery

A type of External Theft / Fraud Risk. Orgs dealing with large amounts of cash collections or disbursements run the risk of __ or theft of those cash balances. The use of armored car services and automated store safes helps to reduce the risk of theft to the org and __ of its employees by controlling both the amount of available cash and access to it.

Malfeasance

A type of External Theft / Fraud Risk. The collusion between external criminals and internal employees. Includes embezzlement, falsifying accounting data, corruption, money laundering, and counterfeiting. Can be prevented with strong internal controls, code of conduct, corporate culture, and ethical directives.

Tax Risk

A type of legal and compliance risk. Related to uncertainty about future tax liabilities.

Political Risk

A type of legal and compliance risk. The economic impact that businesses may face due to political changes or decisions within a country. This includes the risk of expropriation or other loss of foreign asset value.

Sovereign Risk

A type of legal and compliance risk. The risk of interference by a foreign government in the settlement or payment of a foreign transaction.

Risk Transfer

A very specific

Insurance

A very specific form of risk management in which financial protection (or reimbursement) for possible loss is purchased from another party. A method of transferring risk from one party to another.

Monitor

An organization must __ each material risk exposure. The frequency with which it does this depends on the likelihood of the risk, the materiality of the risk, and the org's appetite for risk. An org must evaluate the effectiveness of each strategy it has employed to reduce exposures.

Tested

DR plans need to be __ on a periodic basis, at least annually and preferably semiannually. Testing:
1. Identifies problems with the plan
2. Helps train staff and ingrain appropriate emergency responses

Risk Management

Effective __ __ helps minimize the adverse effects of actual and potential losses, either by preventing such losses from occurring (risk control) or by financing the recovery from any losses that do occur (risk financing).

Risk

Four basic approaches to managing __:
1. Avoid the risk: e.g., don't enter the line of business
2. Mitigate the risk: put appropriate controls in place to limit the potential risk exposure
3. Transfer the risk: find someone else who is willing to assume the risk
4. Retain the risk: selectively bear some risks (some risk is inherent)

Operational

Fundamental factors for an __ risk management strategy:
1. Importance of organizational culture
2. Importance of technology
3. Importance of guidelines for the BOD

Board of Directors

Guidelines for the actions of the __ are especially important in reducing operational risk. They should address conflicts of interest, limit the number of internal board members, clarify personal responsibility, and facilitate the discussion and resolution of difficult or contentious issues. Lines of reporting should be clear, explicit, and known to all levels of the org. Procedures are especially critical.

Implementation

The development of a disaster recovery plan should include notifying all staff and providing appropriate training. It is important that all staff understand the contingency plans, how they are __, and who they should contact for instructions and guidance. Consider employee welfare and provide appropriate support for both emergency staff and their families.

Quantitative

In this type of exposure assessment, a typical approach is to measure the cost or financial impact of a given risk; the following are completed:
- Assess the materiality of the exposure
- Identify risk drivers
- Determine the probability/likelihood of losses due to the exposure
- Provide a benchmark for assessing risk mitigation strategies

Qualitative

In this type of exposure assessment, the following are completed:
- Examine basic operating procedures to determine where mitigation strategies may be useful
- Determine how fundamental business processes contribute to risks and permit the identification of possible solutions
- Ensure that derivatives are structured and sized appropriately and that proper accounting procedures are followed when derivatives are used as part of financial risk mitigation strategies

External Financial Counterparties

Include financial institutions, market information providers, vendors, and financial markets.

Internal Financial Resources

Include treasury staff, computer systems, policies, procedures, processes, and office facilities.

Enterprise Risk Management

Includes important risks such as:
- Market Risk
- Credit Risk
- Operational Risk
- Liquidity Risk
- Legal and Regulatory Compliance Risk
- Event Risk
- Business Risk
- Strategic Risk
- Reputation Risk

Term Period

Most policies provide coverage on a basic occurrence basis, where the eligibility of a claim is primarily based on the date of occurrence of the insured event. This policy has a __ __, with a specified start and end date for the coverage, to cover losses that occur during the designated policy period.

Exposure

Once an __ is identified, it must be measured and assessed both quantitatively and qualitatively. Evaluate whether the organization can tolerate risk, and whether it should reduce, transfer, or eliminate the exposure via an appropriate risk management strategy.

Independent Agent

Receives commissions rather than salaries from insurers, and is legally an agent of the insurer

Broker

Receives commissions rather than salaries from insurers, and is the legal agent of the applicant

Risk Profile

Refers to how the company's overall value changes as the price of financial variables changes.

Business Continuity

Refers to the actions taken with regard to crisis management, alternative operating procedures, and communications to staff and customers. The intent of these measures is to preserve the firm's revenue stream.

Disaster Recovery

Refers to the restoration of systems and communications after an event causes an outage. The intent of these measures is to preserve the firm's revenue stream.

Asset Liquidity Risk

Relates to the ability to sell an asset quickly and at close to its true value. Especially a problem for orgs holding portfolios of investment assets, if those assets are less than liquid due to the type of asset or general market conditions.

Exposures

Risk __ in all areas of the organization need to be identified clearly, both in terms of their likelihood and their potential impact on the organization. For example, financial risks (interest rate, FX, commodity risk) or operational risks.

Material

Risks that exceed a predetermined level of financial impact or a predetermined level of risk to the organization.

Disaster Recovery Plan

Steps to develop this include:
1. Identify mission-critical functions
2. Assess risks
3. Evaluate contingency measures
4. Prioritize corrective action

Measure

Techniques used to __ risk:
1. Sensitivity Analysis
2. Scenario Analysis
3. Value at Risk (VaR)
4. Monte Carlo (simulation)

Accidents

Tend to reduce the firm's profitability, increase liquidity requirements, and impair financial security.

Risk Management

The __ __ process involves six steps:
1. Determine an organization's risk tolerance
2. Identify potential exposures
3. Quantify the impact and level of exposures
4. Develop and implement an appropriate strategy to manage those exposures
5. Monitor the exposures and evaluate the effectiveness of the strategy
6. Review and modify the strategy as needed

Communication Plan

The __ __ should include critical telephone numbers and contingency instructions for all staff. Consider providing local service partners, regulatory agencies, and local law enforcement agencies with copies of the __ __. Contingency websites and call-in lines are helpful here.

Chief Risk Officer (CRO)

The executive accountable to the board of directors for the efficient and effective governance of significant risks -- and related opportunities -- for the organization and its various segments. Reports directly to the CEO, because this adds authority to requests and recommendations related to risk management and helps create an appropriate segregation of duties and responsibilities.

Corrective Action

The final step in developing a disaster recovery plan. Determine the appropriate __ __ to take in the case of specific problems. Prioritized in light of the impact on the org and the previously determined risk level.

Mission Critical

The first step in developing a disaster recovery plan. An activity or function is __ __ when an interruption will create significant disruptions in an org's business. Such disruptions have serious repercussions on an org's ability to continue normal operations and ultimately to survive.

Risk Tolerance

The first step in developing a risk management strategy is to determine the organization's __ __. Different tolerances include:
- Aggressive (new company, rapidly growing)
- Cautious (established company in a mature industry)
- Averse (government and NFP)
__ __ could also be limited by various covenants or indentures in agreements or charters.

Insurance Management

The four objectives of __ __ include:
- Insure against catastrophic loss
- Decide when and what to insure
- Manage the purchase and use of insurance
- Obtain efficient pricing for insurance needs

Defalcation Risk

The general risk of intentional employee fraud.

Financial Risk

The impact on an organization from unexpected changes in interest rates, FX rates, or commodity prices. The probability that the value of a given asset/liability or some future transaction will be different from expectations. Managed by some type of hedging, usually involving the use of a derivative contract or a balance sheet hedge.

Market Risk

The possibility that fluctuations in financial market prices and rates will reduce the value of a security or a portfolio. Usually divided into general risk and firm-specific risk. Includes equity price, interest rate, foreign exchange, and commodity price risk.

Event

The risk associated with unexpected events related to a given organization. Includes such incidents as an unplanned corporate reorganization or a large natural disaster.

Legal and Compliance

The risk of potential lawsuits or other legal actions instigated by customers, trade partners, or governmental agencies and regulators. The growth of laws related to terrorism and anti-money laundering has added significant regulatory and compliance overhead for orgs with large numbers of financial transactions, especially those transactions that cross international borders.

Financial Institution (FI)

The risk of the potential failure of the financial institution causing issues with daily transaction processing, communication failures with the FI, the use of online banking portals, loss of or tampering with payment files, as well as the risk that balances can be lost in the case of failure.

Fraud (External Theft/Fraud)

The risk often associated with the payment process; often involving false invoices or check fraud. Orgs should maintain an AP environment with appropriate controls such as proper authorization processes, segregation of duties, positive pay, debit blocks, daily reconciliation, etc. Includes the breach of electronic databases by hackers.

Supplier

The risk related to an org's suppliers and outsourcing arrangements; a specific counterparty risk that also entails significant operational risk. The more critical the __ or commodity is in the production process, the more risk an org faces if the __ either fails to deliver according to plan or provides substandard products and services that result in customer dissatisfaction. Also includes the risk of a merger, acquisition, or divestiture of a particular __, which may result in disruptions in critical supplies or services.

Counterparty

The risk that the other party in a contract or financial transaction will not perform as promised. Extends to the risk related to any type of performance failure on the part of any of the counterparties with which an org must interact.

Adapt

The risks an org faces change over time and its risk tolerance may also change; an effective risk management strategy must adapt to deal with the changes.

Assess Risks

The second step in developing a disaster recovery plan. This function of the disaster recovery plan includes determining what would happen if the risk actually occurred. Assess both the likelihood that something could go wrong and the consequences that would then occur.

Fidelity Risk

The specific case of theft of money, securities, or property by an employee.

Contingency

The third step in developing a disaster recovery plan. Includes evaluating alternative measures to deal with the problem. The goal is to understand and catalog the measures currently in place and evaluate their effectiveness, considering mission-critical functions and current risk levels. This is often called the __ plan.

Claims

There are two methods for this piece of insurance selection: term period and __-made basis.

Liability Limit

These determine the maximum amount that an insurance policy will pay for a specific loss. Selecting an appropriate amount is important because higher limits increase cost, while lower amounts can reduce potential recovery if a loss is greater than the policy limit.

Insurance Contracts

These offer a traditional approach to managing and controlling operational risk. Designed to compensate for losses, especially accidental losses after they occur.

Risk-Financing

These techniques involve resources that an organization may draw upon to finance recovery from losses and liabilities for which it is held responsible. They compete with other uses of corporate funds. They include:
1. Risk Retention
2. Risk Transfer

Per-Occurrence

This deductible basis applies to each occurrence during the policy period (most policies).

Aggregate

This deductible basis is set on a per-period basis, regardless of the number of occurrences.

Organizational Culture

This element of operational risk management strategy includes whistle-blower protection, an independent BOD, a culture of individual responsibility, a questioning approach, willingness of senior officers to admit to a lack of sufficient information, and written policies on ethics.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

This group operates under the auspices of the American Institute of Certified Public Accountants (AICPA) and is responsible for establishing COSO's standards for ERM.

Liquidity

This relates primarily to an organization's ability to raise the necessary cash to meet its obligations as they come due. Often linked with the ability to raise capital in a timely manner, and typically managed by holding marketable securities or open lines of credit.

Claims-Made

This policy basis is driven by when the claims are made, regardless of when the actual loss event occurs.

Financial Supply Chain

This purchase-to-pay cycle is critical to financial viability following a disaster. The treasury area plays a pivotal role here through working capital management practices and by ensuring adequate liquidity sources.

Security (Physical and Electronic Security)

This risk involves requiring physical security for the premises and employees, to help prevent physical or electronic access to critical information as well as to ensure employee safety. Controls include biometric systems using fingerprint, face, or eye recognition to control physical access to facilities or key equipment.

Foreign Exchange (FX)

This risk arises from the exposure an organization has as a result of transactions, assets, and liabilities that are denominated in a foreign currency.

Business

This risk covers the classic risks to success in operating a business venture, such as uncertainty about the demand for products or services, the price that can be charged for those products or services, and the costs of producing and delivering the products or services. Sometimes strategic and reputation risks are viewed as components of this risk.

Commodity Price

This risk differs from interest rate and FX risk since most __ are traded in markets where the concentration of supply in the hands of a few suppliers can magnify the price volatility.

Terrorism

This risk has become a significant threat to the operations of many orgs. Many disaster recovery plans specifically include recovery from these events, in addition to natural disasters. Can be managed by increasing the level of security for both premises and employees.

Technology

This risk includes breaches (generally referred to as security violations), which result when an employee bypasses or disobeys internal policies or guidelines related to technology use. Can also include the use of spreadsheets. Also the risk associated with the choice of a particular technology platform vendor: that it will go out of business, become obsolete, or need after-sale installation or support.

Employee

This risk is not limited to employee fraud, but can also include the purposeful violation of company policies or procedures to improve performance ratings or compensation, or to cover up errors and mistakes. Most internal operational risks can be addressed by developing and implementing strong internal controls such as the segregation of duties, maker-checker controls, periodic self-audits, management oversight, and insurance.

Credit

This risk is related to how a change in the credit quality of a company would affect the value of a security or portfolio of investments. Arises both from transactions and from any risk in the portfolio due to concentration of similar assets. The creditor may recover some value after default, and the amount recovered is called the recovery value or rate. When given as a percentage, it is called the loss given default.

Reputation

This risk is that customers, suppliers, investors, and/or regulators may decide that a company has a bad reputation and decide not to do business with that company. Covered under Basel guidelines. Relates to how companies react to unexpected events that can impact their reputations and ultimately their futures.

Equity Price

This risk is usually associated with volatility in stock prices. The general form of this risk refers to the sensitivity of an instrument or portfolio value to a change in broad stock market indices, while the firm-specific portion of this risk relates to just the company in question. The firm-specific portion can be mitigated by holding a portfolio of stocks, while general risk cannot be eliminated.

Natural Disaster

This risk leaves orgs open to possible operational risk. Events could range from a temporary power outage to a major earthquake or hurricane. Every org should have a contingency business resumption plan in place to manage and recover from impacts such as these.

Strategic

This risk refers to the risk of major investments for which there is significant uncertainty about success or profitability. Examples include entering new markets, trying to spot and take advantage of trends, and investing in new technology.

Operational

This risk refers to potential losses resulting from external events that impact an org's operations, or from inadequate or failed internal processes, people, and systems.
Internal risks: employees, processes, technology
External risks: FI, counterparty, legal and compliance, supplier, theft/fraud, security, natural disaster, terrorism

Interest Rate

This risk relates to changes in investment values and borrowing costs, and potentially to overall firm value, as __ __ change.

Process

This risk usually comes from a lack of proper controls or the failure of employees to follow procedures. Can result from accounting or financial reporting errors, lack of timely reconciliation of bank accounts, or processes so technical and complex that the people using them do not understand the processes, how to use them, what their limitations are, or when they should not be used. Also incurred when an org may not be able to meet the terms of contracts with customers and suppliers; risk of capita error; errors in the actual clearing and settlement process for financial transactions.

Risk and Control Self-Assessments (RCSAs)

To demonstrate compliance with SOX and similar requirements in various countries, many companies perform risk self-assessments and test against them regularly. These assessments are referred to as __ __ __ __ __.

Insurers

When selecting among competing insurers, consider:
- Long-term solvency of the insurer
- Rating of the insurer
- Service provided
- Cost versus exposure
- Industry knowledge and experience

Ratings

When selecting insurance, one should consider the __ of the insurer. A.M. Best Company is the leading provider of __ and financial information for the global insurance industry. It assigns two types of __: one for financial strength and one for indebtedness.

Solvency

When selecting insurance, one should consider the __ of the insurer. Generally, state-guaranteed funds provide only limited protection when an insurer fails, and the delays involved in settling claims may be significant. A firm's lenders may require credit agreements or loan covenants that stipulate minimum ratings for insurance carriers.

Industry Knowledge

When selecting insurance, one should consider the __ of the insurer. Insurance companies often specialize in specific industries and as a result have specific experience in the risks and issues faced by companies in that market segment.

Cost

When selecting insurance, one should consider the __ of the insurer. The __ of an insurance policy or program should always be weighed in relation to the financial stability, overall coverage, and quality of services offered by the prospective insurer.

Service

When selecting insurance, one should consider the __ provided by the insurer. The ability of the insurer to provide loss control and/or claims service may help reduce the overall cost of insurance. __ levels and specialization or expertise in a particular area of insurance should always be taken into consideration.

Risk Self Assessment (Risk Profile Analysis)

__ __-__ identifies the risks, classifies each risk into clearly defined categories, and quantifies the risks with respect to the probability of occurrence and the impact on value and/or cash flows. Can be used to evaluate the effectiveness of the risk reduction measures that are employed.

Technology

__ is necessary to help gather and analyze the information needed, and then to monitor operational controls and procedures. Can help to reduce manual errors and can also serve to limit access by non-authorized personnel.

Treasury

__ is responsible for financial risk management as well as general risk management for __ operations. Also directly or indirectly involved in identifying and managing overall risk for the enterprise.

Deductible (Retention)

By selecting insurance coverage that has a __, an insured party can obtain a significantly lower premium when compared to the cost of first-dollar coverage (a policy that provides reimbursement for losses without any up-front costs).
