The first decade of the millennium saw two major waves of corporate failures, first in the non-financial sector ( ~ ) and then in the financial sector ( ~ ), both of which were attributed in part to failures of corporate governance.
How does best-practice corporate governance relate to best-practice risk management?
How do boards and senior executives organize the delegation of risk management authority through key committees and risk executives?
How can agreed risk limits be transmitted down the line to business managers in a way that can be monitored and that makes sense in terms of day-to-day business decisions?
Key Post-crisis Corporate Governance Concerns: Banking Industry
Stakeholder Priority
Depositors have a much stronger interest in minimizing the risk of bank failure. The usual solution to corporate governance issues may not be appropriate.
Board Composition
No clear correlation between a predominance of "expert insiders" or "independents" and either failure or success.
Board Risk Oversight
One key post-crisis trend has been a realization that boards need to become much more actively involved in risk oversight.
Risk Appetite
Regulators have pushed banks to set out a formal board-approved risk appetite that defines the firm's willingness to take risk and to tolerate solvency threats.
Compensation
One of the key levers of the board in determining bank behavior on risk is its control over compensation schemes.
True Risk Governance
The primary responsibility of the board is to ensure that it develops a clear understanding of the bank's business strategy and the fundamental risks and rewards that this implies.
The board also needs to make sure that risks are made transparent to managers and to stakeholders through adequate internal and external disclosure.
Four basic choices in risk management:
Avoid risk by choosing not to undertake some activities;
Transfer risk to third parties through insurance, hedging and outsourcing;
Mitigate risk, such as operational risk, through preventive and detective control measures;
Accept risk, recognizing that undertaking certain risky activities should generate shareholder value.
Committees and Risk Limits
Audit Committee - Traditional Mechanism
The audit committee is responsible not only for the accuracy of the bank's financial and regulatory reporting, but also for ensuring that the bank complies with minimum or best-practice standards in the key activities.
Risk Advisory Director - New Mechanism
To avoid the bamboozling of non-executives who lack the skills to ask probing questions, one approach is for the board to gain the support of a specialist risk advisory director - that is, a member of the board who specializes in risk matters.
Risk Management Committee - Special Role
The risk management committee of the board is responsible for independently reviewing the identification, measurement, monitoring, and controlling of credit, market, and liquidity risk.
Compensation Committee - Special Role
It is widely recognized that incentive compensation should be aligned with the long-term interest, and with risk-adjusted return on capital.
Roles and Responsibilities in Practice
How do the structures and mechanisms work together to make sure that the day-to-day activities of the financial institution conform to the board-agreed general risk appetite and the limits set by the board and management committee?
Limits and Limits Standard Policies
To achieve best-practice corporate governance, an appropriate set of limits and authorities must be developed for each portfolio business and for each type of risk.
Two types of limits:
(Simple): Limits might include a single overall limit for each asset class, as well as a single overall stress limit (e.g., a single limit for interest rate products).
(Sophisticated): Limits are more general and cover authorized business and concentration limits (e.g., by credit class, industry, maturity, region).
Standards for Monitoring Risk
Once a bank has set out risk limits in a way that is meaningful to its business lines, how should it monitor those limits to make sure they are followed?
First, all market risk positions should be valued daily.
Then, business units should be under strict orders to advise the risk management function that they might exceed a limit well before the limit excess happens.
What is the Role of the Audit Function
A key role of the audit function is to provide independent assessment of the design and implementation of the risk management.
Conclusion
In a complex risk-taking organization, it is not possible to separate best-practice risk management from best-practice corporate governance.
IV. What is ERM
ERM Definition
ERM := Enterprise Risk Management
Definition by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in :
ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance.
Definition by the International Organization for Standardization:
Risk is the effect of uncertainty on objectives, and risk management refers to coordinated activities to direct and control an organization with regard to risk.
A more useful definition (FRM):
Risk is a variable that can cause deviation from an expected outcome. ERM is a comprehensive and integrated framework for managing key risks in order to achieve business objectives, minimize unexpected earnings volatility, and maximize firm value.
ERM Benefits
Integration of Risk Organization
Top-down: Under a centralized process, the role of a CRO is created, which reports to the company's CEO and the board, while the various risk management units report to the CRO.
Integration of Risk Transfer
Enables the company to take a holistic view of all risks and risk hedges used, in order to hedge only those undesirable residual risks that still remain after factoring in diversification across risks.
Integration of Business Process
ERM can optimize business performance through business decisions, including capital allocation, product development and pricing, and efficient allocation of resources. This optimization reduces risk and means the firm takes on only the most profitable risks (i.e., it maintains only those risks whose cost is less than the benefit of the corresponding project).
ERM Benefits(Example)
Chief Risk Officer(CRO)
Today, the role of the CRO has been widely adopted in risk-intensive businesses, such as financial institutions, energy firms, and non-financial corporations with significant investment activities or foreign operations.
The CRO typically reports to the CEO or CFO and the board.
The office of the CRO is directly responsible for:
Providing the overall leadership, vision, and direction for ERM.
Establishing an integrated risk management framework for all aspects of risks across the organization.
Developing risk management policies, including the quantification of the firm's risk appetite through specific risk limits.
Implementing a set of risk indicators and reports.
Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies.
Communicating the company's risk portfolio to key stakeholders.
Developing the analytical, systems and data management capabilities.
Components of ERM
A successful ERM program can be broken down into seven key components.
Corporate governance
Corporate governance ensures that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company.
From the ERM perspective, the responsibilities of the board include:
Defining the organization's risk appetite in terms of risk policies, loss tolerance.
Ensuring that the organization has the risk management skills and risk absorption capability.
Establishing the organizational structure of the ERM framework and defining the roles and responsibilities.
Implementing an integrated risk measurement and management framework.
Establishing risk assessment and audit process.
Shaping the organization's risk culture by setting the tone from the top.
Providing appropriate opportunities for organizational learning.
Line Management (consistency management)
Line management must align business strategy with corporate risk policy when pursuing new business and growth opportunities.
The risks of business transactions should be fully assessed and incorporated into pricing and profitability targets.
Portfolio Management
A financial institution that has implemented ERM would manage all of its liability, investment, interest rate, and other risks as an integrated whole in order to optimize overall risk, rather than managing each part of the overall business portfolio independently.
Risk Transfer
Reduces or transfers out risks that are either undesirable or are desirable but considered concentrated.
Risks could also be transferred to third parties if it is more cost effective to manage them externally.
Risk Analytics
The development of advanced risk analytics has supported efforts to quantify and manage credit, market, and operational risks on a more consistent basis.
Data and Technology Resources
Management faces the challenge from data(price, volatility, or correlation metrics) and technology resources.
Companies should not wait for a perfect solution, instead they should make the best use of what is available.
Stakeholder Management
It should improve risk transparency with key stakeholders.
V. Risk Management, Governance, Culture, and Risk-Taking in Banks
Two Ways to Destroy Bank Value
First, risk management can fail to ensure that the bank has the right amount of risk.
The failure comes from:
Failing to uncover bad risks that should be eliminated.
Mismeasuring good risk.
Mismeasuring total risk.
Second, risk management can be inappropriately inflexible.
When risk management becomes too inflexible, it destroys value because the institution no longer has the ability to invest in valuable opportunities when they become available.
Determining the Risk Appetite
Optimal Level of Risk
A well-governed bank will have processes in place to identify this optimal amount of risk and make sure that its risk does not differ too much from this optimal amount.
In the case of Bank Safe, firm value falls steeply if the bank is riskier than its target rating and increases only moderately as its risk increases toward the target.
For Bank Risky, the relationship is substantially different. Its value rises significantly as it increases its risk toward its target and falls sharply if it exceeds it.
For both banks, having too much risk is extremely costly in terms of their value.
Bank's risk appetite
A bank's risk appetite is the result of an assessment of how taking on more risk affects the opportunities that the bank can capitalize on.
This assessment can change as the bank's opportunities change. Consequently, a bank's appetite cannot be inflexible.
Banks differ from other firms because their failure can have systemic effects, so regulators impose restrictions on banks' ability to take risks on the asset side and require banks to satisfy minimum capital requirements.
Governance and Risk Taking
Good governance should ensure that the firm chooses the optimal level of risk, which means making sure that the firm has processes in place that enable it to measure its risk, understand how firm value is related to risk, and maintain the right level of risk.
Good risk governance does not mean less risk, instead it means that the bank has the right amount of risk for its shareholders.
Because the optimal amount of risk from the perspective of shareholders need not be the optimal amount for society, it would be wrong to believe that better governance somehow makes banks safer; it only makes the bank more valuable but also riskier.
Organization of Risk Management
Real-world banks cannot control risk through hedging for three reasons:
Limitations in risk-measurement technology.
Limitations on hedging.
Limitations regarding risk-taker incentives.
The risk has to be monitored and managed throughout the organization. To help with this task, large banks have risk management organizations that employ risk managers and are headed by a chief risk officer.
Risk management is not the equivalent of audit:
First, auditors who follow the rules cannot be an obstacle to the profitability.
Second, if risk managers are viewed as the risk police, they face obstacles in gathering information and understanding strategies.
Tools and Challenges in Achieving the Optimal Risk
Using VaR to target risk
A loss that is exceeded only with a probability p over one year is the VaR.
Setting limits
How VaR limits should be set
The limits of risk measurement
First, aggregating VaR measures to obtain a firm-wide risk measure is fraught with problems.