erm process cycle: risk identification · talent management low retention of ... exploded just...
Post on 25-Aug-2020
3 Views
Preview:
TRANSCRIPT
1
FINA6065W: Corporate Risk Management
Session 3
ERM Process Cycle:Risk Identification
Agenda
Risk identification – Part 1
Risk identification – Part 2
2
Risk Identification – Part 1
Risk categorization and definition
3
Risk identification components
Risk categorization and definition Qualitative risk assessment Emerging risk identification
4
5 common mistakes in risk identification
5
1) Not consistently defining risks by source
2) Not categorizing risks evenly
3) Not defining metrics clearly
4) Not identifying risks prospectively
5) Not gathering data appropriately
Risk categorization and definition
Handout: Summarized version of risk categorization and definition (RCD) tool
Applications– Catalyst - during qualitative risk assessment, or QRA– Collection and coordination - during QRA– Monitoring – for emerging risk identification– Reporting– Comparative analysis– Recording – risk event database
6
1) Define risks by source
7
Risks are commonly defined inconsistently, by both source and outcome
8
Which risks are defined by source and which by outcome?
BySource
ByOutcome
New competitorSupplier failureTechnology failureReputation damageRatings downgradeNew costly regulationsTerrorist attack
9
BySource
ByOutcome
New competitor XSupplier failure XTechnology failure XReputation damage XRatings downgrade XNew costly regulations XTerrorist attack X
Risks are commonly defined inconsistently, by both source and outcome
OUTCOMEOUTCOME
Lower Revenues
Higher Expenses
INTERMEDIATEINTERMEDIATE
Negative Media Coverage
SOURCESOURCE
Many different sources of risk can cause reputation damage
10
Poor Product Quality
Poor Customer Service
Internal Fraud or Scandal
Poor External Relations
Reputation Damage
Lower Company Value
Higher Cost of Capital
Classic Crisis Management: Tylenol
OUTCOMEOUTCOMEINTERMEDIATEINTERMEDIATE
Ratings Downgrade
SOURCESOURCE
Ratings downgrades can be triggered by several different risk sources
11
Poor Strategy
Poor Execution
Poor Rating Agency Relations
Lower Revenues
Higher Expenses
Lower Company Value
Higher Cost of Capital
Equity Market Risk?
12
Commonly found on key risk lists Yet, not the source of risk, but an intermediate
outcome True source of risk: Unexpected economic volatility,
that drives multiple intermediate outcomes, such as – Equity market risk– Credit risk– Unexpected inflation or deflation– Unemployment– Unexpected changes in consumer spendable income
OUTCOMEOUTCOMEINTERMEDIATEINTERMEDIATEEquity Market Risk
SOURCESOURCE
Economic Volatility is Often the Source of equity Market and Other Risks
13
Unexpected Economic Volatility
Lower Revenues
Higher Expenses
Lower Company Value
Higher Cost of Capital
Credit Risk
Inflation/Deflation
Unemployment
Consumer Spendable Income
Issues caused by inconsistent risk definitions are resolved when defining risks by source
14
Common Practice
Inconsistent Definition
Best Practice
Consistent Def. by Source
Qualitative Risk Assessment
Survey participants not all considering same risk source when scoring
Consistent understanding of each risk source by survey participants
RiskQuantification
1. Difficulty identifying SMEs2. Difficulty imagining scenarios3. Incomplete scenarios
All resolved / scenarios flow logically from originating source
Risk Decision‐making
Mitigation difficult to identify, because mitigation is mostly done at source of risk
Mitigation readily identified and evaluated: source and downstream impacts apparent
2) Categorize risks evenly
15 16
Categorize risks evenly to avoid difficulties
17
Level of Abstraction Too High Too Low Appropriate
Example Talent management
Low retention of mid‐level staff in business segment X
Ability to recruit/retainSuccession planningLabor relationsEtc.
Difficulties
Poor qualitative risk assessment, since it obscuresindividual risks within category
Causes some risks to be missed, since it may omit the overarching category and its other risks
Categorize the following risks by source
Event 1: Shop-and-Spend is in trouble. The stock market went down 25% and has remained there for the past year. Aside from the fact that Shop-and-Spend had 100% of their assets in equities, business is down. People are not shopping as much lately. The gloomy economic projections have not improved since the day they were announced by the government the morning of the market crash. People have less disposable income.
18
Categorize the following risks by source
Event 2: Odd-Man-Out Auto Rental has been doing well in recent months, particularly versus its 5 main competitors in town. However, all 5 competitors have just entered into a price war, lowering their prices 50%, and Odd-Man-Out’s business has dropped off 25%. This is unsustainable, since it results in losses. But Odd-Man-Out must decide whether to lower prices or continue to lose business until prices return to normal.
19
Categorize the following risks by source
Event 3: SteadyGrowth Bank is about to go under. For 80 years, it has steadily grown based on a business of lending exclusively to the businesses run by members of the 5 most powerful families in the area. Last month, it was revealed that one of the families had been defrauded of all their wealth and is now bankrupt, with no remaining collateral. The outstanding loans from that one family represents more than all the bank capital. (The risk to be categorized is from SteadyGrowth’sperspective.)
20
Categorize the following risks by source
Event 4: SectorBet Entertainment has a quirky habit of making risky bets on market sectors, from time to time, but almost always wins. The CFO always gets nervous when the CIO takes these bets, and has warned of the massive concentration risk this involves. The bets usually consists of investing 50% of all of its assets in bonds issued by the top 3 players in a given industry sector. This year, the bet has been on drug companies heavily focused on one type of cancer, which just this week became irrelevant, due to an unexpected cure discovered by medical science. These drug companies are now having trouble issuing debt securities, and have had to raise the interest rate offered on their new issues. (The risk to be categorized is from SectorBet’s perspective.)
21
Categorize the following risks by source
Event 5: UnGuard Delivery is located downtown adjacent to a federal building in a major U.S. city. Yesterday, a terrorist car bomb exploded just outside the federal building, completely destroying both the federal building and UnGuard’s headquarters. Virtually all of UnGuard’s top management, including its top 25 salespeople, were killed in the blast. It was unusual for such a concentration of key employees to be present at UnGuard’s headquarters, but they were hosting a special event in their largest meeting room, which was closest to the location of the bomb.
22
Categorize the following risks by source
Event 6: Two weeks ago, TrustMe Energy, a highly-secretive alternative energy company revealed that it must restate its last two years worth of financial statements. The restated financials will have significantly reduced profits. Shareholder litigation plans were announced this morning. Regulators are investigating. Competitors are moving to attack TrustMe’s partnering relationships. The Wall Street Journal has already had three front page articles revealing ever-increasingly embarrassing details of the fiasco, including sources at the SEC that report they have uncovered massive fraud by the CFO and CEO of TrustMe.
Chinese shoe company's CEO, COO, cash go missing
23
Quiz / Exercise #2
Quiz/Exercise #2 (GROUP) discussion within group, group gets one grade
24
Risk identification components
Risk categorization and definition Qualitative risk assessment Emerging risk identification
25
We covered risk categorization and definition last session
5 common mistakes in risk identification
26
1) Not consistently defining risks by source
2) Not categorizing risks evenly
3) Not defining metrics clearly
4) Not identifying risks prospectively
5) Not gathering data appropriately
We covered 1 and 2 last session
Risk Identification – Part 2
Qualitative Risk Assessment
27
Qualitative risk assessment steps
1) Identify participants2) Send advance communication3) Conduct qualitative risk assessment survey4) Conduct consensus meeting
28
Step 1: Identify participants
Typically 2-3 dozen Members of C-suite (e.g., CEO, CFO, etc.) Heads of major business segments and one of
their direct reports Executive risk owners (e.g., head of I/T, head of
HR, head of legal, etc.) A couple of independent directors A couple of valued employees with long service Table 4.3
29
Step 2: Advance communication partly to prepare survey participants Inputs needed from survey participants
– Type of key risks (e.g., large impact to company value)– Number of key risks to provide (e.g., three to five)– Credible worst-case scenario for each key risk– Likelihood/severity scores for each key risk they identify
and for those identified by other participants ERM background
– Describe framework; define risk by source and as deviation from baseline strategic plan projection; etc.
Risks to consider (e.g., those in RCD tool) Definition of metrics
30
3) Define metrics clearly
31
Typical Frequency-Severity Scoring Guide for Qualitative Risk Assessment
32
Frequency Severity
5 Very high 1‐in‐5 or greater chance of occurring
5 > $100M
4 High 1‐in‐10 chance of occurring
4 $50M ‐ $100M
3 Moderate 1‐in‐20 chance of occurring
3 $25M ‐ $50M
2 Low 1‐in‐50 chance of occurring
2 $10M ‐ $25M
1 Very low 1‐in‐100 or less chance of occurring
1 < $10M
Clearly defining frequency and severity avoids sub-par results due to inconsistent scoring
33
Common Practice Best Practice
Frequency
No guidance on risk scenario• Armageddon?• Most likely scenario?
Participants are all scoring different risk scenarios
Focus on credible worst case scenarioParticipants are all scoring a similar risk scenario
Severity
No clear definition of metric• Earnings hit?• One time or cumulative?• Hit to market capitalization?• Other?
Single, consistent metric that captures all impacts: Δvalue
• Provide brief tutorial to give feel of enterprise value metric
For example, a $10 million impact on … what metric? Table 4.5 or Table 4.6 Time Horizon?
Credible Worst Case Scenario
Severity
|Credible Worst Case Likelihood
Step 3: Conduct qualitative risk assessment surveys Reiterate key points in advance communication For each potential key risk, gather:
– Description of risk– Credible worst-case scenario– Frequency score– Severity score
Keep participant on track regarding identifying:– Only key risks, and– Risks defined by source
Accumulate list of potential key risks, asking each subsequent participant to score any risks not identified by them
Return to prior participants to gather their scores on risks identified subsequent to their interview
35
4) Identify risks prospectively
36
Identify risks prospectively to avoid the “fighting the last battle” syndrome
37
Diagnosis “Fighting the Last Battle” Syndrome
Cause Over‐emphasis in risk identification process of past events
SymptomSome risks on key risk list merely because of a recent past event burned into management’s memory
Prognosis
Qualitative risk assessment scoring will be skewed, over‐emphasizing risks with recent occurrencesSome risks that should be on the radar may be crowded out
• Morgan Stanley Settles Gender Discrimination Case for US$54 Million;
• Countryfile's Miriam O'Reilly wins BBC ageism claim
5) Gather data appropriately
38
The right data, at the right time, in the right way
39
Common Practice Best Practice
What data?
Frequency scoreSeverity scoreAdditional data
• Historical experience data• Mitigation in place/planned• Etc.
Frequency scoreSeverity score
(only purpose: identify key risks)
When?Additional data: during risk identification phase (too early), and for all risks
Selected additional data: during risk quantification (when needed), and only for key risks
How ?
TemplatesNot well‐received Inconsistent time and effortsDifficult to correct errorsLess confidential
InterviewsWell‐receivedConsistent time and effortEasy to fix errorsMore confidential
Table 4.7 Example of Larger-Tan-Necessary Data Request
40
Step 4: Conduct consensus meeting
Discuss any widely divergent views and arrive at a consensus– Define risk-ranking criteria Table 4.10– Rank the risks– Dispersion analysis bimodal and highly disparate
Select key risks from among the potential key risk data set produced
41
Figure 4.7 Example of Selecting Key Risks
42
Table 4.11 Example of Key Risk List
43
QRA’s 3 results: Key risk list Tool to monitor Advancement
of risk culture
Emerging Risk Identification
44
Emerging risk identification
Monitoring known risks– Use non-key risks identified in qualitative risk assessment
Environmental scanning for unknown risks– Critical to set expectations with principles
o ERM cannot prevent risks from occurring ERM cannot foresee the unforeseeable Events will occur that are unexpected and that are not on the key risk list
– Techniqueso Attend industry conferenceso Research industry journalso Serve on industry committeeso Conduct comparative analysis of competitors’ disclosed riskso Read ERM surveyso Make other investments in information / intelligence gatheringo Ivory Tower may not be just…
45
Killer risks Share three qualities:
1) Politically difficult to introduce2) Easily identifiable3) A leading indicator of high-severity risk events
Arrogance (AIG example)– Less focus on competitors, market trends– Overestimation of strengths– Underestimation of vulnerabilities
Concentration of power / information– Less transparency / accountability– Lack of negotiating leverage– Lack of backup resources– Examples: rainmaker (AIG and more example); mastermind
(CFO example); critical supplier; large customer; large distributor Possible Risk Mitigation
46
Killer risks – Arrogance is a Leading Indicator of Failure
47
Time
Success
Struggle
Excel
Dominate Arrogance
Failure
Compete
Wake-up call?
Quiz/Exercise 3a and 3b
Each group further divides into subgroups I and D
EXERCISE 3a – PAIRS– Subgroup I as interviewers; Subgroup D as directors (strategic RM
experts).
EXERCISE 3b – PAIRS– Subgroup D as interviewers; Subgroup I as directors (operational RM
expert).
READ INSTRUCTIONS FOR BOTH 3A AND 3B BEFORE STARTING EITHER EXERCISE
[In 3a, 3-4 students of a group work in the subgroup and servein the interviewer role and the others in the director role; and in 3b, they switch roles.]
48
49Back 50Back
51Back 52Back
53Back
Rainmakers
Orange County bankruptcy (1994): Robert Citron
Barings Bank (1995): Nick Leeson
Sumitomo Corporation (1996): Yasuo Hamanaka
LTCM (1998): John Meriwether; Merton Miller, Myron Scholes
Allied Irish Banks (2002): John Rusnak
Amaranth Advisors hedge fund (2006): Brian Hunter
Societe Generale $7.2B trading loss (2008): Jérôme Kerviel UBS $2.3B trading loss (2011): Kweku Adoboli
JP Morgan Chase $6.2B trading loss(2012): Bruno Iksil
54Back
top related