Tuesday, 20 September 2011

IRM principles on Risk Appetite and lessons from UBS

Pretty interesting finish to last week, with UBS getting spanked for a cool $2.3bn through the now-typical route of a back office know-it-all getting promoted to the trading desk and circumventing the plethora of internal controls designed to stop the very activity they and they alone know how to take to the n-th degree.

I thought of this when looking through the IRM's risk appetite and tolerance paper released at the end of last week (separate post to follow incidentally, only so many hours in the day!), specifically whether there was anything being promoted/supported by the institute which may have averted this rather grim result for the boys from Berne.

6 IRM principles to start with:
  1. Risk appetite can be complex - don't try to dumb it down if it isn't justifiable
  2. Risk appetite needs to be measurable
  3. Risk appetite is not a single fixed concept
  4. Risk appetite should be developed in the context of an organisation's risk management capability
  5. Risk appetite must take into account views at strategic, tactical and operational level
  6. Risk appetite must be integrated with the control culture of the company

Sadly for the profession, the risk governance set-up at UBS is paper-perfect in this regard, so I dare say the CRO may feel obliged to hand in his cards. This despite the fact that, as with the Leeson and Kerviel cases beforehand, if you personally know the gaps (and the reward is great enough) the rogue trader is nigh on unstoppable by the second line of defence in these kinds of organisations. However, it looks more of a "should have done better" case for the second line, and should categorically be used as a counter-argument to the dismissive tones of management when discussing risk limits and qualitative tolerances.

Some great quotes below from their website (highlights are for my benefit):

High Level – Risk Management and Internal Control

The [risk controls] framework is dynamic and continuously adapted as our businesses and the market environment evolve. It includes clearly defined processes to deal with new business initiatives as well as large and complex transactions.

Risk assessment and management oversight performed by the BOD considers evolving best practice and is intended to conform to statutory requirements.

Risk Appetite

Our risk appetite framework establishes risk appetite objectives in respect of earnings and capital levels that we seek to maintain, even after experiencing severe losses over a defined time horizon.

Our risk appetite is approved by the BoD. Risk appetite is based on our risk capacity, which is in turn based on our capital and forecasted earnings resources. Our overall risk appetite is set as an upper limit covering the aggregate risk exposure for each risk appetite objective, taking into account inherent limitations in the precision of risk exposure measures that focus on extreme market and economic events. Comparison of the firm's risk exposure with our risk capacity under prevailing operating conditions as well as prospective business plans serves as an input to the risk limit framework. This comparison is also a key tool to support management decisions on potential adjustments to the risk profile of our firm.

Operational Risk-specific

Management and risk committees are the governing bodies responsible for oversight and active discussion of risk management activities, including the question of whether or not the cost of mitigating actions is adequately balanced against the acceptable level of operational risk. Management, in all functions, is responsible for establishing an appropriate operational risk management environment, including the establishment and maintenance of robust internal controls and a strong risk culture.

Material operational risks and significant internal control deficiencies are identified and reported at least quarterly to stakeholders, including the BoD, GEB, divisional/regional/local management, Group Internal Audit, external auditors and regulators.

We have developed a model for the quantification of our operational risk, which meets the regulatory capital standard specified by the Basel II advanced measurement approach (AMA). Our model has two main components. The expected loss component is a statistical measure based on our own historical loss experiences (collected since 2002), and is used primarily to determine the expected loss portion of our capital requirement. The unexpected loss component is based on a set of generic scenarios representing categories of operational risks that are relevant to the firm. The scenarios are reviewed extensively on an annual basis by internal experts, using internal and external event information, information about the prevailing business environment and our own internal control environment. This component is used to determine the unexpected loss portion of our capital requirement.
Risk and Reward
