Slide 1: Practical risk management
Stuart Lawson
April 2013
Slide 2: Stuart Lawson, Executive Director
Contact
Tel.: +7 (495) 662-9312
E-mail: Stuart.Lawson@ru.ey.com
35 years in banking in EM and OECD.
25 years in Citibank in 11 countries including 10 as crisis manager.
15 years in Russia as CEO/Chairman Citibank, Deltabank, Banks Soyuz, HSBC, director Trust, Menatep.
Chairman AEB Finance and Investment, Deputy Chairman TheCityUK Russia stream, Supervisory Board IDA.
Slide 4: A practitioner’s course
What is risk? A vocabulary.
Risk management, how to maximise appropriate returns.
Black swans can get in the way.
Risk tools, the quadrants and heat map.
Slide 6: What is risk?
Flip a coin, no financial outcome, does it have risk? (Flipped coins have no memory.)
Interest in outcome creates concept of financial risk.
Risk must deal with concept of loss but is inherent in the concept of profitability.
Slide 7: What types of risk?
Across a broad spectrum.
External, outside your control.
Within your control.
The element of context and time.
Types of risks.
The constituents.
The role of the board.
Slide 8: Risks you don’t control
Macroeconomic, financial markets, domestic, international.
Political, cross border.
Industrial, cyclical, paradigm.
Technological progress.
Business environment, local customs.
Legal and regulatory.
Acts of nature.
Slide 9: Risks you do control
Financial within company.
Company strategy and tactics.
Technology, systems, IT security.
Operational, across all processes.
Management, key man and team.
Reputational and PR.
Legal (not environmental).
Slide 10: Industrial
Innovations can create new paradigm.
Market dominance and impact on price led or followed.
Supply chain changes and flexibility.
Cyclical or not, correlated to what factors (input prices, within or without control).
Slide 11: Political
Socio economic factors, short term elections, long term demographics.
Can have broad repercussions across all industries and trading profiles.
Impacts demand for foreign direct investment.
Cross border concepts and pricing. Impact of aggressive market positioning.
Slide 12: Company
Dependent on corporate organisation, might be single entity, group or part of group.
Driven by company specific tactics or strategy.
Internal risk management failure.
Relationships with employees.
Impact of counterparty, suppliers, tax, banks.
Risk profile of specific corporate.
Slide 13: Finance
Balance between risk and return on capital, leverage.
Availability of liquidity resources during period of risk.
Ability to extend trade creditors etc.
Crisis management and restructuring protocols.
Shareholder support.
Slide 14: Technology
Differing profiles of vulnerability to technology but always essential. Correct infrastructure regularly reviewed, properly documented.
Importance of appropriate MIS, training.
Information security, vulnerability to internet and vendors. Business continuity.
Competitive map, what developments are needed to keep up? IT implementation.
Danger of the techies not understood by board, management. Competence to understand.
Slide 15: Operational risk
Holistic view of all aspects of the environment, what could go wrong?
Protocols in place to govern intersection of entity with external events.
A ‘what if’ set of action plans to address development of differing levels of risk.
Physical risk to plant and employees.
Intersection with technology, importance of processes.
Slide 16: Management risk
Misaligned organisational structures.
Role of KPIs.
Key man risk, role of succession planning.
Importance of corporate culture to bridge ‘gaps’.
Slide 17: Legal risk
Enforceability of ownership rights fundamental to entrepreneurship.
Regulation of rights between constituents.
Trademarks, IP.
Overly strong creditor rights enabling banks to seize assets.
Unclear legal environment with changing laws.
Corruption.
Slide 18: Reputational
Enhances or diminishes brand value and ability to super price.
Cuts across all business lines.
Subject to event risk, importance of tight public relations.
Requires clearly delineated ‘rules of road’ for interaction with media.
Once broken, extremely difficult, costly and time consuming to repair.
Slide 19: PR
Once out, particularly on internet, you can’t put it back.
It develops a momentum of its own.
Can be controlled by competitors.
Impact on brand value.
Who controls the ‘storyline’?
Slide 20: Perspective, context and time
Experience is memory based and we have selective memories.
History will influence the view of risk (e.g. been lucky in the past).
Representative bias, that things should make sense.
Risk does not take place in a vacuum (competitors, macro, industry).
Slide 21: Types of risk
Market versus firm specific.
Continuous versus event risk.
Catastrophic versus smaller risk.
Risks don’t have same rankings over time.
‘Chemistry’ of risks, not predictable.
Slide 22: Who are the constituents?
The management
The customers
The regulators
The employees
The shareholders
Slide 23: Role of board in risk
Management board
Set up the vocabulary of risk.
Dialogue with the supervisory board to set return parameters.
Create and enforce control environment.
Supervisory board
Represents the interests of the shareholders.
Approves the overall risk and reward appetite.
Slide 24: Risk management, a balancing act…
Slide 25: What to do with risk?
Avoid, strategic or tactical repositioning.
Transfer, economically, to customers, banks, insurance companies.
Mitigate, operational controls, redundancy systems.
Keep.
Maximise.
An appropriate return for risk taken.
Slide 26: Dangers of risk management
Wrong risk culture means faster to wrong conclusions, the herd mentality.
Wrong input, wrong output (credit scoring Russia).
Enables increased risks to systemic level.
Can be used to disguise underlying risks.
By changing shape of cash flow, may benefit one constituent at expense of another (compensation and career path).
Slide 27: …if you get it right
Grow faster at more efficient rate of capital.
Lengthens growth period.
Impacts the default rate and therefore cost of debt.
Creates a greater upside opportunity where the firm focuses on areas where it has competitive advantage.
Allows stability of earnings that may be reflected in market valuation.
Tax impact of earnings smoothing, reduces tax on excessive profit.
Slide 29: Black swan, what is it?
An outlier, outside normal expectations, rarity (the fat tail).
Carries an extreme impact.
Human nature causes us to explain why it occurred AFTER the event.
Non-occurrence of the probable.
Differing timeframes (earthquakes and internet).
Unknown unknowns.
Slide 30: Normal distribution vs fat tailed
Slide 32: Mediocristan and Extremistan
Mediocristan:
Non scalable
Mild randomness
Small pieces of pie
Not a single instance
Observation and understanding possible
Easy to predict from seen to unseen
Extremistan:
Scalable
Wild randomness
Giant or dwarf
Winner takes all
No constraints to the number
Tyranny of accidental determined by small number of extreme events
Improvements in ability to predict have been outpaced by uncertainty
Slide 33: And so???
Allowing unexpected to happen key to success.
Importance of trial and error, be as exposed as possible to chance encounters.
Key to success is not always skills, which doesn’t mean skills are not relevant.
Can deliver black swans after thousands of white swans (the past does not predict the future, as a turkey around Thanksgiving).
Black swans: unpredictable consequences, retrospective explainability.
Won’t know the unknown but maximise upside exposure to it.
Preparedness not prediction, chance favours the prepared.
Focus on consequences not probability.
Slide 36: Quadrant 1, simple, normal
Heads or tails.
No single outcome can dramatically change mean (height not wealth).
Time of movie.
Elections, win or lose.
No leverage exists.
Slide 37: Quadrant 1 tools
Probabilities from historical data work well.
No outlier, surprises.
At risk type models work well (VAR).
Slide 38: Quadrant 2, simple, fat tailed
Payoff simple (happens or not).
Able to understand the outcomes of events that might happen.
Manageable risks.
Apple (Q1) coconut (Q2) trees.
Shark attack.
Oil spills.
Define risks.
Slide 39: Quadrant 2 tools
Do not understand the distribution of risks well.
Do not know when a dramatic event may occur.
But we do know the consequences.
Don’t know timing or how bad.
If size matters and timing everything, we have a problem.
Generally the risks can be managed, rules based, reduce, cap, mitigate.
Slide 40: Q3, complex, normal distribution
No leverage.
Outcome predictable with high level of certainty.
Errors mostly human not physical.
O-rings on Challenger.
Auto parts, complex machinery.
Lunar expedition.
Are historical statistics a reliable guide?
Slide 41: Quadrant 3 tools
Resilient, redundancy, fail safe systems.
Are the tails really thin or is it a lack of historical data (i.e. are we fooling ourselves)?
True Quadrant 3 risks can be managed around.
Slide 42: Q4, complex, fat tailed
Black swan territory.
Infrequent but massive impact.
Leverage is often excessive.
Risk models don’t work.
Extremistan.
Social impact high (job loss, government fail).
Don’t rely on statistics or models.
Slide 43: Quadrant 4 tools
We cannot manage or model the unknown risks of Q4.
Limit the downside risk contractually.
Reduce the impact of relationships and complexities we do not understand.
Build in redundancies, train.
Slide 45: Over the horizon, strategic
Longer the horizon, more strategic, needs more discussion and challenge to historical bias.
Challenge the output with independent experts.
Small cross functional risk team that collates silos’ information and looks for patterns etc.
Maps of potential risk and response.
Slide 46: External
External, uncontrollable risks (black swans excluded).
Stress testing, but watch out for recent history (e.g. USA real estate) causing myopia.
Scenario planning, define time horizon, which events will have maximum impact on company (watch out for over optimism).
War gaming, teams develop what competitors (actual and potential) could do to disrupt plan.
Slide 47: Preventable, predictable risks
Compliance, rules based systems with appropriate exceptions (important to know who can make the call).
Standard operating procedure and clear internal culture around strong mission statement.
Integrated risk management alongside line, but beware of ‘going local’.
Checked with internal audit, line reviews.
Slide 48: Some tools
Scenarios, separate risks, three outcomes
Decision trees, separate risks, many outcomes
Scenario planning, continuous risk, correlated, built into each simulation
Slide 49: Practical approach to risk management
Make inventory of all risks, categorise them.
Quantify risk for entity, high, medium, low.
Manage the downside whilst maximising the upside. Decide which risks to hedge, which to pass through to investors. Cost versus impact.
What risk hedging products are available, correlation?
Which risks can be handled better than competition?
Create strategies to maximise exposure to risks which entity can better handle
Slide 50: Phase 2 approach
The list of risks’ definitions to be used
Create risk matrix for *
Group level
Subsidiary level
Risk management strategy
Risk management governance bodies
Risk identification, assessment, control and monitoring (“to be”)
Risk appetite and IT solutions
Risk register development
Mechanisms of risk controls: KRIs, limits, reports
Risk management strategy
Risk management governance bodies
Risk assessment
Risk control mechanisms
Risk appetite calculation and setting
Decision making process
Risk monitoring mechanism
Models of risks assessment
Basel II
IT risk management solutions
Inventory of IT systems for risk management
Recommendation to CRO for review and approval
Validate risk mapping with *
Approve risk mapping with *
Policy
Principle of risk appetite calculation and setting
Slide 51: 1 Risk management design process
1.1 Risks’ definition
Slide 52: 1.2 Risks mapping
1.2.1 Risk mapping by subsidiaries
1.2.2 Risk levels by subsidiaries
Level of delegation
Low risk
Medium risk
High risk
Not applicable
1.2.3 Risk levels by clusters
Slide 53: Conclusion
Before you have the discussion, create the vocabulary.
Create a broad log of all risks.
Ensure that all constituents participate.
Map risks against quadrants.
Review appropriate actions against each set of risks.
Schedule regular reviews, risks change over time.