
riskinsights

Enterprise risk management


When weathering the storm is not enough

Regulatory response Scenario analyses Liquidity risk Benchmarking risk management Case studies

EDITOR-IN-CHIEF

Waynette Tubbs Waynette.Tubbs@sas.com


CONTRIBUTING EDITOR

Michael Dowding
COPY EDITOR

Chris Hoerter
DESIGN

Amanda Gadd
CIRCULATION

Ellen Brandt

PRODUCTION

Melody Fountain

Copyright 2009 SAS Institute Inc., Cary, NC, USA. All rights reserved. Limited copies may be made for internal staff use only. Credit must be given to the publisher. Otherwise, no part of this publication may be reproduced without prior written permission of the publisher and copyright owner. SAS and all other SAS Institute Inc. product or service names are registered trademarks or trademarks of SAS Institute Inc. in the USA and other countries. ® indicates USA registration. Other brand and product names are trademarks of their respective companies. 104224_S54597.0610

contents
Data is the solution, by Jim Goodnight
A perfect storm: Lessons learned?, by David Rogers
An erosion of confidence, by Rob Mitchell
Making a case for data management for risk in insurance, by Stuart Rose
Change the risk management view, by Lutz Schiermeyer
Surviving the global collapse, by Brendon Smyth
Enterprise risk management: The culture of the future for financial services, by Alistair Sim and Michael Imeson
Liquidity risk in the spotlight, by Jürgen Schroeder
Operational risk management can pave the road to integrated risk management, by Rod Nelsestuen
The whole is more than the sum of its parts, by Tony Fisher
Corporate survival using the SOAR methodology, by Greg Monahan
Risk management at Xcel Energy, by Cary Oswald
Risk management's role in government, by Robert Charette
Moving from stress tests to broader scenario analyses, by Michael Stefanick
Spreadsheet risk
Benchmarking the quality of risk management from a business-centric perspective, by Bob Mark
Risk-adjusted pricing framework, by Laurent Birade
Mind the Basel gap, by Karel Lannoo
XBRL: eXtensible business reporting language, by Ivano Dei Giudici
Shaping Europe's regulatory framework, by David Doyle
Staying the course, by Russell Walker

Access this report online:


www.sas.com/riskinsights


Data is the solution

With the right solution in place, you can be assured that the decisions you make will be sound.

Back in 2004, I had the opportunity to moderate a panel, "Regulation with Innovation in Mind," at the World Economic Forum in Davos, Switzerland. We discussed a range of issues, but the most prominent idea that emerged was balance in regulation. To expand on that discussion, I wrote an article called "Trust but Verify: Compliance in a Regulated World" (www.sas.com/sascom-trust). I discussed Basel II, Sarbanes-Oxley and other regulations that were pending or had just been introduced as a result of the Enron, WorldCom and Tyco scandals, as well as the terrorist attacks of Sept. 11, 2001. Those regulations were intended to increase transparency, accuracy and fairness, and diminish overall risk. I recently reread that article and was struck by one of the final paragraphs:

This activity has brought increased attention to the financial services industry by regulatory bodies, which argue that without oversight, the collapse of a single large financial organization could start a domino effect and wreak havoc on the world economy.

At the 2009 World Economic Forum, the international media speculated that we would be discussing the end of capitalism. They thought the domino-like fall of financial institutions around the globe meant that capitalism had failed. But we had different ideas: instead of merely talking about what had gone wrong, we talked of solutions and began planning the future. Consumers, people whose 401(k) plans, retirement programs and investments were weakened or dissolved, want assurances that this near-collapse can never happen again. They want new, improved regulations. But new, stronger regulations alone were not the answer before, and they are not enough now. Data is the answer. Ignoring data had been the problem. We have simply got to do a better job of analyzing that data and then making good decisions about adequate levels of risk. I believe that the right starting point for all banks and financial institutions is a robust infrastructure that supports evolving risk management and compliance requirements. SAS solutions are built on a common business analytics framework that enables organizations to pull together risk and compliance data from multiple systems and then quickly analyze it, report on it and deliver the required information to financial institutions and regulators. In the wake of the financial meltdown and the global recession, new and strengthened regulations will be rapidly adopted. With the right solution in place, you can be assured that the decisions you make will be sound. SAS risk, finance and performance management solutions can help your organization make the most of your data.

BIO

Jim Goodnight has been at SAS' helm since the company's incorporation in 1976, overseeing an unbroken chain of revenue growth, a feat almost unheard of in the software industry.

Goodnight holds a doctorate in statistics from North Carolina State University, where he was a faculty member from 1972 to 1976. SAS software was originally created by Goodnight and NCSU colleagues to analyze agricultural research data. Three decades later, it is accomplishing things Goodnight never imagined in his days as a doctoral student in statistics. Today, SAS is best known for sifting massive mountains of data for FORTUNE 500 companies and other organizations most people have heard of. Insurance companies use SAS to flag fraudulent claims. Retailers use SAS to find profitable places to put stores and products within those stores. More and more financial institutions use SAS to detect money laundering, as mandated by the USA PATRIOT Act and the Basel II accord. They also use it to sniff out fraud and to score credit applications.


A perfect storm: Lessons learned?

In the final scenes of The Perfect Storm, the brave fishermen battle to keep their boat afloat in raging seas never before encountered. The boat finally sinks into the depths, its lights flickering before finally fading and disappearing. George Clooney's character is an experienced, respected captain whose crew trusts him, but he's driven to take dire risks despite repeated warnings. During the course of the movie, weather experts track the storm, issue warnings and recall the fleet, until finally, the crew's worst fears are realized. Seafaring and risk management in finance, energy and government may seem unconnected. But, as the movie illustrates in graphic detail, things can go dramatically wrong when the drive toward success disregards available risk information. It will be interesting to see how business and government take on board the experiences gained from all of the players involved in this financial storm, the likes of which we have never before encountered.

BIO

David Rogers, Global Product Marketing Manager for Risk at SAS, works closely with strategists and product and program managers at SAS global and regional headquarters, and liaises with customers, partners and industry analysts to ensure that SAS understands the developments in risk management. His expertise includes the delivery of enterprisewide risk management solutions and architectures, and financial services data integration and reporting. David.Rogers@sas.com


An erosion of confidence

Research reveals a need for enterprise risk awareness, risk culture

The financial crisis has exposed major fault lines in the management of risk at the world's financial institutions. Although risk management is by no means entirely to blame for the current situation, there is a strong consensus that it has failed to provide the appropriate oversight and ensure that necessary controls are in place. As a result, there is considerable soul-searching underway in the financial services industry, with major institutions seeking to conduct a root-and-branch overhaul of their approach to managing risk.

Recent research conducted by the Economist Intelligence Unit on behalf of SAS illustrates both the scope of the proposed reforms and the scale of the challenge ahead. In March 2009, we conducted a global survey of 334 senior financial services professionals, of whom 50 percent were C-level and all have responsibility for risk. We then carried out a program of interviews with high-profile commentators, including Alan Greenspan, former chairman of the Federal Reserve; Nassim Taleb, author of The Black Swan; and Peter Bernstein, founder of Peter L. Bernstein Inc. In May 2009, we published a report written by Phil Davis, After the Storm: A new era for risk management in financial services (www.sas.com/sascom-ermsurvey), which brought these two strands of research together. We are very grateful to SAS for its support in enabling us to conduct this research.

The report reveals an industry that remains shell-shocked by the events of the preceding 18 months. There is limited confidence in the ability of financial institutions to increase revenues or profitability into 2009 and 2010, while less than one-third of respondents to the survey say that they are seeing confidence returning to their businesses. This erosion of confidence is having a dramatic impact on the kind of business that financial institutions are willing to carry out, with a significant retreat to familiar, domestic lending and other activities. More than two-thirds of respondents say that they expect a greater focus on domestic business over the next year, while less than one-third are increasing their focus on overseas developed markets, and just over one-third on emerging markets.

There is also limited confidence in the tools that are currently used to manage risk. Less than half of risk professionals in the industry believe that the principles of risk management remain sound, which suggests that some very fundamental questions are being asked about this crucial aspect of the industry. These doubts are well encapsulated by Peter Bernstein, founder of Peter L. Bernstein Inc., an economic consultancy, who was interviewed for the report shortly before his death in June 2009. "Does history really tell us anything about what lies ahead?" he asked. "Relying on the long run for investment decisions is essentially relying on trend lines. But how certain can we be that trends are destiny? Trends bend. Trends break. Today, in fact, we have no idea where any trend lines might begin or end, or even whether trend lines still exist."

Major concerns about the shortcomings of current approaches to risk are prompting significant change in the industry. More than half of respondents say that they have conducted, or plan to conduct, a thorough overhaul of their risk management. Key areas of focus, according to the survey, are likely to be the strengthening of risk governance, a move toward a firmwide approach to risk, the deeper integration of risk within the lines of business, and improvements to data quality and availability. Respondents say that the need for reform is being driven, in particular, by executive management, but regulators are also starting to apply the pressure.

Regulatory road map

Charles Beach, Regulation and Compliance Partner at PricewaterhouseCoopers, who was also interviewed for the research, highlights the importance of good governance and the need to embed responsibility for risk within the business. "Although aggressive risk taking is currently out of favor, it will remain essential to value creation," he explained. "Explicit definition of the firm's risk appetite is a fundamental part of developing an effective strategy. How risk appetite is then cascaded into risk limits and risk-adjusted performance measurement is equally important to ensure that front office decision making is truly linked to strategy. Responsibility for risk management must lie primarily with the business, not over-relying on the risk function."

Asked about the barriers to improving risk management in their organizations, respondents point to poor data quality, lack of expertise and a lack of risk culture among the broader business as being the most significant. This theme of a lack of understanding between the risk function and the business certainly seems to be significant. Asked about the areas where communication most needs improvement, respondents point to the channels between the risk function and lines of business as requiring most attention. Elsewhere, just 40 percent of respondents say that the importance of risk management is widely understood throughout the company, suggesting that more needs to be done to embed risk culture and risk thinking more deeply in the institution.

Steve Fowler, Chief Executive of the Institute of Risk Management, highlighted the importance of ensuring that risk is well understood as a concept throughout the organization, and pointed to where some of the existing shortcomings might lie. "In banking, the risk function takes primary responsibility for dealing with risk, rather than for embedding risk management throughout the business, and this surely can't be a sensible approach. The key is risk awareness and creating a risk culture, not letting a single function deal with it as if it were a business line in itself."

The financial crisis has prompted a much broader discussion around the role of policymakers and the areas of regulation that require attention. In essence, there is a recognition that rules need to be tightened in order to prevent the kind of problems that gave rise to the current crisis. But at the same time, there is an understanding that regulation should be constructive so that the industry can return to health over the longer term. Asked about the initiatives that they thought would be most beneficial to the financial services industry, respondents pointed to greater disclosure of off-balance-sheet vehicles, stronger regulation of credit rating agencies, and the central clearing for over-the-counter derivatives as being three among the top four that have the greatest potential benefit. Although these are wide-ranging initiatives, there seems to be a common theme across all of them; namely, the requirement for greater transparency and disclosure to facilitate the more effective management of systemic risk issues.

In general, however, the respondents were fairly pessimistic about the ability of policymakers to put in place the appropriate measures and provide the necessary oversight. Just three in 10 respondents to the survey are confident that policymakers can formulate an effective response to the crisis. Regulators, in particular, are singled out as being a potential weak spot, with less than one-third rating their handling of the financial crisis as good or excellent (a lower proportion than for either central banks or governments). In terms of specific regulatory interventions, respondents are most confident in the ability of regulators to maintain overall stability of the financial system, with 53 percent expressing confidence here. Far lower proportions are confident in their ability to monitor credit ratings and prevent conflicts of interest; secure the implementation of compensation policies that support long-term shareholder value; or coordinate the work of regulators across borders.

The major challenge for all policymakers in the months ahead will be to put in place a system that not only protects against the kind of malfeasance that gave rise to the current crisis, but to pre-empt any future problems that might affect the industry. This, of course, is very difficult to achieve, as Alan Greenspan, former Chairman of the Federal Reserve, explained in an interview for the report. "The important lesson is that bank regulators cannot fully or accurately forecast whether, for example, subprime mortgages will turn toxic, or a particular tranche of a collateralized debt obligation will default, or even if the financial system will seize up," he says. "A large fraction of such difficult forecasts will invariably be proved wrong."

Hoping for a risk-free environment

There is no such thing as perfect risk management or foolproof regulation. The financial services industry operates in a world of inherent uncertainty, where each new cycle brings new challenges and unforeseen risks. The best that we can hope for is that the industry and policymakers learn from the mistakes of the past and create a system that, over time, increases in resilience and provides an appropriate framework through which the industry can take risks in a controlled and calculated way. Many institutions have already started the process of change, and are subjecting their risk management processes and functions to a thorough overhaul. Old and inadequate systems are being discarded and, in their place, new approaches are being established. At the same time, the most successful financial institutions realize that a retreat from risk will not lead to future prosperity, however appropriate this course of action might seem in the current environment. In the final analysis, they recognize that risk is not a function within a firm, it is the firm.

BIO

Rob Mitchell is a managing editor in the Economist Intelligence Unit's Industry and Management Division, where he works on a range of bespoke research programs, surveys and reports, with a particular focus on financial services and risk management. Prior to joining the Economist Intelligence Unit, Mitchell worked for four years at the Financial Times, where he edited the newspaper's sponsored reports and publications.

Online:

Read After the storm: A new era for risk management in financial services (www.sas.com/sascom-ermsurvey) by Phil Davis. His summary includes findings from the Economist Intelligence Unit survey and interviews with high-profile commentators, including Alan Greenspan, former Chairman of the Federal Reserve; Nassim Taleb, author of The Black Swan; and Peter Bernstein, founder of Peter L. Bernstein Inc.


Making a case for data management for risk in insurance


Sophisticated models are meaningless without consistent, reliable data
Even before the recent financial crisis, risk management and Solvency II were considered the next big things for insurers. The events over the past few months have only re-emphasized this. Rating agencies are recommending that insurers implement an enterprise risk approach to ensure an excellent rating standard. Although the Solvency II implementation date is not until 2012, insurers should not wait to start risk management projects.

As insurers begin risk management initiatives, one of the major challenges that they face is data management. Data is very much the lifeline of insurance companies; however, insurance companies struggle with analyzing the huge volume of available data. According to a 2008 report from the Economist Intelligence Unit (EIU), lack of relevant data is hampering financial services firms' approaches to risk management. Nearly half of executives questioned (44 percent) in this survey considered the quality of information as one of the three major challenges in implementing enterprise risk management. The need for a comprehensive data infrastructure increases with the complexity of the risks and the size of the organization. The EIU report also highlighted that more than one-half of the respondents (56 percent) agreed that it is essential to have an enterprise data warehouse in place.

Figure 1: Main challenges in adopting an ERM strategy (% respondents)
Embedding risk management within company culture: 47
Difficulty in quantifying risks: 45
Timeliness and quality of information: 44
Difficulty integrating risk management with other business processes: 39
Lack of necessary knowledge and skills within the organization: 37
Corporate priorities are often conflicting: 33
Availability of information: 33
It's not clear who is responsible for managing risk: 13
Other, please specify: 1

Insurance companies can learn a lot from the lessons banks learned while implementing Basel II projects. One of the biggest issues banks faced was data management, not modeling. Banks concentrated on modeling and considered themselves well-equipped for risk modeling. What they found was that the data required was not available in a consistent or reliable form to populate their sophisticated models. Without the right data, the old adage applies: Garbage in, garbage out. Banks also tended to use a silo-based approach to risk, which resulted in problems with the aggregation of data and risk models to provide regulators with the required information.

A successful Solvency II or ERM project must begin by integrating risk management as a key corporate initiative with an executive, typically a chief risk officer (CRO), responsible and accountable for the overall risk strategy of the insurance company. Only once this organizational structure is in place should an insurer begin the process of defining and identifying the data sources and processes required to assess firmwide risk. The final part of the puzzle is determining the solutions and applications required to support an insurer's ERM project. These systems must be flexible enough to accommodate future risk and data management requirements.

BIO

Stuart Rose, Global Insurance Marketing Manager at SAS, began his career as an actuary. Stuart.Rose@sas.com

Online:

Take a deeper dive into data management for risk. Read the complete white paper, Data management for risk: The importance of data for effective risk management by Stuart Rose. Two recent EIU surveys, The Bigger Picture and After the Storm, show that inadequate risk management is a problem in today's financial services organizations. (www.sas.com/sascom-EIU08) and (www.sas.com/sascom-ermsurvey). Recent economic conditions and impending Solvency II legislation may translate to significant changes in the way insurance organizations assess risk. Read Solvency II: Compliance or competitive advantage? (www.sas.com/sascom-SIIcompliance).


Change the risk management view


There is increasing realization that the traditional, silo-based approach to managing risk adds little value to the organization when compared to the enormous cost of maintaining the silos. It increases the cost of system purchase and implementation, consulting, upgrading and ongoing maintenance. Of course, the investment and purchase price for risk management solutions and services are only the beginning; the real money is still ahead in the life-cycle costs associated with running risk silos. This is called the total cost of ownership (TCO).

The time has come for CEOs, CROs and CIOs to rethink the current pattern of spending and investing. Industry analysts agree. Senior Vice President of Celent, Bart Narter, was quoted in November 2008 as saying, "The financial crisis means that banks around the world must get more from their software providers and are demanding full solutions from a single contact."

From a capital and operating expenditures point of view, the implementation, day-to-day operation and upgrades and maintenance of diverse risk systems require a great deal of expense. Dealing with the shortcomings of this complex landscape means overcoming:

- Various end-of-day time behaviors.
- Different data models in each system.
- No common data management.
- Different relational databases.
- Risk figures calculated in each risk silo that rarely relate or match, causing error-prone manual data processing.

Streamline, reduce costs long-term with a TCO analysis


A complete TCO analysis is not readily available because of the existing diversity of risk management systems in the various risk silos. A TCO analysis in risk management would help banks, insurers and financial services providers identify the true cost of their risk systems before further investment, and it would help identify shortcomings of the existing system.

SAS and other industry experts estimate that data management and data cleansing costs, which are mandatory prerequisites to all further tasks, still consume 70 percent of the TCO, leaving only 30 percent for setup, operation, support, maintenance and upgrades. Risk departments are growing in size and importance. A proper TCO analysis before deployment can help identify where costs can be streamlined sustainably.

Since risk management is evolving from a pure, ex-post controlling discipline to a more ex-ante bank steering discipline, a TCO analysis will help build the case to move toward a strategy discipline that combines risk management with performance management. This demands better integrated technologies and solutions, such as ERM, to provide better process efficiency in risk management.

Rather than pour all of the money into expensive life support and maintenance for an aging and cumbersome risk management architecture, why not set a little aside for a hedge on a brighter future? Provide an incubator fund that nurtures a new breed of transparent risk management, taking its cue from modern technology to significantly reduce costs, while being more flexible and closer to risk management customers, both internal and external, and setting new standards for innovation. It's a win-win situation for all involved parties to move toward an ERM-driven organization.
Excerpt from Risk Management: Total Cost of Ownership by Lutz Schiermeyer

BIO

Lutz Schiermeyer is the EMEA Banking Risk Business Development Manager for the SAS Global Risk Practice in Frankfurt, Germany. Lutz.Schiermeyer@sas.com

Online:

Learn more about the total cost of ownership in the white paper Risk management: Total cost of ownership (www.sas.com/sascom-TCO) by Lutz Schiermeyer. Visit the SAS for enterprise Risk Management (www.sas.com/sascom-enterpriserisk) Web page for success stories, white papers, Webcasts and more that explain more fully how your organization can benefit from an end-to-end ERM solution. Since the crisis went public in mid-2007, the markets and economy have been in turmoil. Knowing what went wrong isn't as helpful as learning to balance risk and gain. Risk and return: Striking the right balance (www.sas.com/sascom-riskreturn) shows how to use business analytics to keep your equilibrium.


Surviving the global collapse


Australia's banks plot a straight course through threatening winds

Australia's banking system is dominated by four banks (the four majors): Australia and New Zealand Banking Group (ANZ), Commonwealth Bank of Australia (CBA), National Australia Bank (NAB) and Westpac Banking Corporation. This market-dominant position is supported by the Australian government's four pillars policy, introduced in 1990, that prohibits takeovers between the four majors. The four pillars policy has encouraged the four majors to focus on growth through prudent banking practices, sound risk management and tight expense management. This approach has enabled Australia's banks to avoid the excesses of many banks in Europe and the US.

Surviving the global financial crisis

There are three key reasons why Australia's financial system has survived the global financial crisis when many other financial systems have struggled, and in some cases collapsed: coordinated actions by the federal government, central bank and financial regulators; sound management of Australia's financial institutions; and proactive, hands-on engagement by the financial regulators. The Treasury, Reserve Bank and APRA provided a coordinated and timely response to events. The Reserve Bank slashed interest rates and provided liquidity support to Australia's financial institutions. The federal government provided both deposit and lending guarantees to Australia's financial institutions and introduced an economic stimulus package, and APRA actively engaged with all regulated institutions in order to identify all previously unreported or unidentified risks in the financial system. Strong corporate governance, conservative low-risk management, thorough and early adoption of the Basel II Capital Accord and prudent lending practices by Australia's banks resulted in limited exposure to subprime and low-doc/no-doc loans, enabling Australia's financial institutions to remain profitable and well-capitalized throughout the global financial crisis.

Future direction

The Australian banking system remains in relatively good health, but it faces a number of risks due to the sharp contraction in the global economy, which is dragging the Australian economy into recession. To deal with black swan events that may occur during 2009 and 2010, Australia's financial institutions have recently completed capital-raising programs. In addition, like their peers in Europe and the US, they are reviewing and updating their risk management capabilities, and preparing to respond to the anticipated avalanche of regulatory changes. The four majors are also undertaking a program to replace their core banking systems and are looking to embed risk-based decision capabilities at the point of interaction with the customer.

To enable operationalized risk management within the business process, Australia's financial institutions are increasingly requesting from SAS the capability to integrate and consolidate multiple risk forms to provide a single version of the [risk] truth across all types of risk and business units. This will allow Australia's financial institutions to stay at the forefront of best practices, particularly when considering the latest cause-and-effect analysis of the global financial crisis and the anticipated regulatory response.

Excerpt from Working Within the Demands of One of the Best-Regulated Markets by Brendon Smyth.

Enabling our customers to meet responsible lending standards

Given the highly competitive nature of the banking industry, the ability to react quickly to market changes is an important feature of any bank. In retail lending, SAS provides Australia and New Zealand Banking Group (ANZ) with the ability to develop credit scoring models that support a fully automated assessment system. As a result, ANZ has the capability to better determine loan strategy, provide improved customer service and react quickly to rapidly fluctuating market conditions. The credit scoring system is regarded at all levels within ANZ as a critical component in the bank's customer protection mechanisms. The SAS credit scoring models help the bank meet responsible lending standards by identifying credit applicants who could be at risk of overextending.

BIO

Brendon Smyth is General Manager of Risk Intelligence, SAS Australia and New Zealand. Brendon.Smyth@sas.com.

Online:

Optimize risk-adjusted pricing and returns throughout the organization with SAS Credit Risk Management for Banking (www.sas.com/sascom-crmbanking). Read Working Within the Demands of One of the Best-Regulated Markets by Brendon Smyth (www.sas.com/sascom-WithinTheDemands). Take a look at what other insurance and banking organizations are doing with SAS (www.sas.com/sascom-creditrisksuccess).


Enterprise risk management: The culture of the future for financial services
The critical first step to improve risk management and regain competitive advantage

Poor risk management was a chief cause of the financial crisis, which is why banks and others are now busy implementing new risk policies and processes. But unless those organizations take an enterprisewide approach to risk, they are doomed to fail.

Financial institutions are supposed to be well-versed in the skills of risk management. So why did so many of their risk management policies and procedures fail? It's a straightforward question, but a complex answer. One of the main reasons for the failures was that most financial firms were unable to apply risk management coherently across the entire organization. The key disciplines (credit, market and operational risk management) often remained in separate silos. On the boundaries, where they should have overlapped, there were frequently gaps where major risks went undetected. In other words, they did not have an enterprise risk management (ERM) strategy: an integrated approach that aligns strategy, processes, people, knowledge and IT so that risk is better understood and controlled throughout every part of the enterprise. To make matters worse, many firms did not make it clear who had overall responsibility for overseeing risk management activities. Was it the chief risk officer, the risk management committee, the chief executive officer, the chief financial officer, the audit committee, heads of business units or a combination of some or all of the above?

Hindsight's value
The Institute of International Finance (IIF), which represents more than 390 firms worldwide, has put its finger on the problem. It published a report last year on the causes of the crisis and what measures firms should take to prevent similar occurrences in the future. "Principles of Conduct and Best Practice Recommendations" (www.sas.com/sascom-bestprac) identifies a number of factors that contributed to the crisis in the areas of risk management, remuneration policies, liquidity management, credit underwriting and ratings, and the valuation of assets. "Failures in risk management policies, procedures and techniques were evident at a number of firms; in particular, the lack of a comprehensive approach to firmwide risk management often meant that key risks were not identified or effectively managed," notes the report. At the top of the report's list of recommendations for improving risk management, it says it is critical for governance to embed a firmwide focus on risk. It adds that each firm should develop a robust risk culture that is embedded in the way the firm operates, covering all areas and activities, with accountability for risk management being a priority for the whole institution.

The Counterparty Risk Management Policy Group III, a group of senior officials from leading financial institutions, co-chaired by the managing director of Goldman Sachs and the group finance director of HSBC, has made similar proposals. "Containing Systemic Risk: The Road to Reform" (www.sas.com/sascomreform) recommends that senior managers ensure that risk management committees are chaired and staffed so that there is an appropriate overlap of key business leaders, support leaders and enterprise executives across committees to help foster firmwide cooperation and communication.

Official bodies have made similar comments. The Financial Stability Forum (FSF), the Basel Committee on Banking Supervision, central banks, finance ministries and national regulatory authorities around the world have been vocal in their encouragement of banks and others to improve their risk management. For example, the FSF, comprising regulatory bodies from around the world, made several recommendations in the "Report of the Financial Stability Forum on Enhancing Market and Institutional Resilience" (www.sas.com/sascom-FSFreport), including the need to improve the prudential oversight of risk management.

Financial firms lack relevant, timely and consistent data, which is a big barrier to using risk management tools and economic capital and implementing ERM.

"Firms' boards and senior management must strengthen risk management practices according to the lessons they have learned from the turmoil," said the FSF, noting that supervisors for their part will monitor the progress of banks and securities firms in strengthening risk management and capital planning practices. It added that the Basel Committee would issue further guidance relating to the management of firmwide risks.

An enterprisewide strategy
Financial institutions accept that they need to strengthen their risk management and take a holistic approach. But how are they going about it? The reports above give effective guidance, but it rests with each organization to plot its own course and take its own measures, with assistance from external specialists where necessary. In the fall of 2008, SAS partnered with Financial Times Global Events to host a Thought Leadership Series. Held in London, New York and Hong Kong, these half-day conferences, "Enterprise Risk Management: Stability, Performance and Profitability," featured risk management executives from financial institutions and senior regulators who talked about the importance of ERM. The series was a success and highly relevant, taking place in the weeks when banks were announcing huge write-downs and losses, some were facing meltdown and governments were stepping in to bail them out.

SAS announced the results of the Global ERM in Financial Services Survey 2008 it conducted with the Economist Intelligence Unit. Its conclusions were that there are major failings in silo-based risk assessment; accurate and complete data is essential to sound risk management; and it is important to have a firmwide strategy and platform to measure and monitor risk. When asked about their companies' current approaches to ERM, only 18 percent of respondents said they had an ERM strategy that was well-formulated across the business and fully implemented. Most of the rest (71 percent) said they had an ERM strategy, but it was either not implemented or well-formulated, and 11 percent said they had no ERM strategy at all. The biggest challenge to adopting ERM, the survey found, was embedding risk management within company culture, followed by difficulty in quantifying risks, timeliness and quality of information, and difficulty integrating risk management with other business processes. Asked to rate the importance of certain factors in the implementation of an ERM strategy, 76 percent of respondents said it was essential that policy is supported at the board level and 56 percent said it was essential to have an enterprise risk data infrastructure in place.

Business analytics can get around barriers by gathering, managing and analyzing data that can be used by senior management to make fact-based decisions.

Online:

SAS for Enterprise Risk Management (www.sas.com/sascom-fsiriskmanagement) delivers a current, credible understanding of the risks, including credit risk, operational risk, market risk, liquidity risk and trading risk. Learn "How Operational Risk Management Can Pave the Road to Integrated Risk Management" (www.sas.com/sascom-ormtoirm). Read the Global ERM in Financial Services Survey 2008 (www.sas.com/sascom-ermsurvey).

Future strength
The financial crisis has exposed the shortcomings of risk management in financial firms. Industry and regulatory bodies have been quick to analyze these weaknesses and recommend remedial measures. Speakers at the Financial Times/SAS Thought Leadership Series on ERM explored the same issues and arrived at the same conclusions. The series proved that financial firms lack relevant, timely and consistent data, and that this is a big barrier to using risk management tools (such as credit scoring, stress testing and economic capital) and implementing ERM. But business analytics can get around that barrier by gathering, managing and analyzing data that can be used by senior management to make fact-based decisions. It's now up to the firms to ensure that whatever steps are taken to improve risk management are in the context of an enterprisewide approach. Will they be successful? Only time will tell.

BIO Alastair Sim is SAS Senior Director of Global Marketing for the Europe, Middle East and Africa (EMEA) region. He also leads the SAS Global Marketing Program for Risk Management and is a key member of the Global Marketing Board. Alastair.Sim@sas.com

BIO Michael Imeson is a Contributing Editor of The Banker magazine, for which one of his responsibilities is the monthly RegRage column. In addition, he is an Associate Editor at Financial Times Global Events, where he organizes and chairs conferences. He also runs Financial & Business Publications, an editorial services agency.


Liquidity risk in the spotlight


The roots of liquidity date to 1854, when Otto Hübner developed the golden accounting rule for mortgage banks. In modern terms, the rule would translate to having no implicit costs for liquidity while refinancing a credit. One of the risk drivers of the current credit crisis was neglecting the implicit costs completely.

Liquidity risk has long been treated as a second-order risk in the sense that liquidity issues arise from problems in other primary risk areas where the risks are not well-controlled and managed, such as market, credit or operational risk. For this reason, liquidity risk is also labeled a consequential risk. Past perception was that liquidity should be monitored and managed, but not with the same intensity as the primary risks. Banking regulations in the industrialized world also followed this perception in the last two decades by setting rules and standards, starting with the Basel I accord in 1988. Internal models for market risk quantification were introduced in 1996 (Basel) and 1998 (European Union or EU) respectively. Credit and operational risk followed with the adoption of the Basel II accord in 2004 and in 2006 (EU). In the context of Basel II, the EU regulations placed liquidity risk under Pillar 2, meaning that no standardized quantification was available and outlining that: "The arrangements necessary for the supervision of liquidity risks should also be harmonized."

Current measures and procedures

The striking fact about the credit crisis is that it was not a failure of a single institution, but a failure of the whole system. Conclusions drawn from the crisis are varied and are being discussed at many levels. Results from the SAS 2009 ERM survey (www.sas.com/sascom-ermsurvey) can be taken as an overview. In general, failures in risk management, whether credit or liquidity risk, have played a major role in the crisis. If a failure in risk management is a major part of the failure in the financial system, this has two major implications for the future. First, the current risk measures and procedures are too weak to detect the risks being taken. Second, one risk measure is not sufficient to ensure the survival of a financial institution. Liquidity as a second, independent risk measure should ensure that failures in the measurement of the primary risks do not compromise the survival of the institution. With regard to the primary credit risk, banks will have to improve their measures to capture all risks.

But more importantly, liquidity risk will raise its status as the ultimate buffer for the survival of the institution and will become as important as the primary risks. We believe that liquidity risk will be measured independently and as soundly as the primary risks in the future. In order to achieve this, current measures and procedures must be revised and improved.

Excerpt from "The Renaissance of Liquidity Risk" by Jürgen Schroeder, PhD, Business Expert, Risk Management, SAS.
[Figure 1: Main challenges in adopting an ERM strategy. Stacked bar chart, scale 0 to 100, showing the share of respondents who strongly agree, agree, neither agree nor disagree, disagree or strongly disagree with each of the following statements:
Failures to address risk management were largely to blame for the credit crisis.
The credit crisis has prompted my organization to allocate more budget to risk management at the expense of other areas.
The credit crisis has forced us to scrutinize our risk management practices in greater detail.
Financial services providers need to improve current stress testing methods.
In the wake of the credit crisis, we will be paying particular attention to our stress testing methods.
We currently lack confidence in our stress testing methods.
We will be increasing the amount of time we invest in our stress methods.
Our scorecards were not able to adapt to market requirements.]

Online:

Liquidity is an area of risk that can no longer be overlooked or isolated. Its interrelationship with other risks must be measured. Read the complete white paper, "The Renaissance of Liquidity Risk" (www.sas.com/sascom-liquidity) by Jürgen Schroeder, PhD, Business Expert, Risk Management, at SAS. Learn how SAS Risk Management for Banking (www.sas.com/sascom-fsiriskmanagement) addresses the interrelationships of risk to help your organization tackle liquidity risk and embed risk management across the enterprise. It is important to create a well-understood and resilient liquidity culture. Read "From Dramatic Drought to Fluid Finance" (www.sas.com/sascom-ff).


Operational risk management can pave the road to integrated risk management

Financial services institutions (FSIs) worldwide are pursuing a full, integrated understanding of the risks they bear enterprisewide. Boards of directors are demanding better risk intelligence, stockholders remain skeptical about institutions' ability to manage risk, and regulatory pressures are building for ongoing and on-demand proof of an FSI's comprehensive risk position. On top of this, traditional marketplace risk relationships are changing, making the job of effectively managing an FSI's risk more difficult. Thus, gaining complete visibility and transparency into firmwide risk is now an urgent objective for most FSIs. Yet few endeavors to achieve integrated risk management (IRM) have succeeded to date. Instead, domain-centered risk management, whereby each line of business or functional area manages its own risk, continues to be the default approach in most financial institutions.

The Basel II capital adequacy proposal, whereby banks allocate capital to cover operational risk, spawned the formalization of operational risk management, replete with its own departmental status and management. Operational risk was seen as a separate risk domain. This approach was oxymoronic because operational risk is universal to all domains or lines of business risk. For that reason, operational risk cannot be a separate domain but must be managed in an integrated fashion. This realization is the key to achieving IRM.

Connecting the dots

Operational risks fall into two basic categories: risks of omission and risks of commission. The potential risk factors in each of these two categories apply to all of the traditional domain risk categories, as shown in Figure 1 (next page). Operational risk is the unifying element among the various domain risks in the figure. Missing information, lack of communication, and mere mistakes all can apply to managing credit risk as much as to managing liquidity risk. Likewise, risks of commission such as financial crime in settlement fraud or ignoring market risk cross the domain boundaries. In short, operational risks are universal, while domain risks are specific.

The traditional departmental approach to operational risk management (ORM) only exacerbates the problem of risk management silos within an FSI. This in turn deters management from gaining the firmwide, integrated view of risk that will be critical to thriving in the financial services industry beyond the current economic crisis. For example, IRM will discover instances when different business units are unintentionally duplicating efforts with regard to a certain risk. If the credit department is using derivatives to offset internal credit risks, and the treasury department has done the same thing for asset and liability management purposes, many banks are unable to connect the two actions in a way that allows them to see if, by offsetting specific domain risks, they have inadvertently created a new and potentially more threatening risk.

Operational risk must be managed within and across all of the domain risks an FSI encounters. Instead, most FSIs today maintain separate ORM departments and leadership, and have little integration of processes. Worse, in discussions with risk managers of all stripes, many hold little hope of achieving integration. At the same time, all risk stakeholders realize that a firm's ability to integrate risk management firmwide may mean survival in tomorrow's more volatile and dynamic industry. Thus, most of the industry exemplifies the adage penned by American author Rita Mae Brown: "Insanity is doing the same thing over and over again but expecting different results."

Paradoxically, ORM, which today often contributes to the fragmentation of risk management, can become IRM's unifying force if the approach to ORM is changed from silos of secrecy to enterprise openness. The prescription for change is simple enough, but the medicine is strong. Following are key steps to putting ORM at the center of IRM. Implement participative governance. Turn ORM into an audit, control and support function. Stop looking to regulation and regulators. Integrate technology, people and process.

Figure 1: Operational risk management: A shared means to understanding firmwide risk.
Risk domains: Counterparty; Credit; Liquidity; Market; Portfolio; Regulatory; Reputational; Settlement; Sovereign.
Operational risks cross domains.
Risks of omission: Inadequate review; Mistakes; Miscommunication or a lack of communication; The unanticipated, underestimated or unknown; Unseen change; Security breakdown.
Risks of commission: Unchecked aggressiveness; The ignored; Financial crimes; Process breakdown; Fragmented risk management; A failure of culture.

Implement participative governance
Visibility and transparency are essential for effective risk governance. Visibility is the ability to see all risks in a function or business unit. Transparency is the ability to understand the potential consequences of those risks in the context of all risks faced by the enterprise. With visibility and transparency, management can determine the right actions to take to respond to risk at a much deeper and more significant level than would otherwise be possible, effecting a greater change to the FSI's risk profile. Moreover, improving visibility and transparency enables management to establish, monitor, manage and migrate risk parameters best suited to the FSI's capital, business plan and stakeholders.

By integrating the operational risk standards firmwide, the governance body will have a finger on the pulse of all operational aspects of the business. It will also greatly improve its chances of taking early and appropriate action with regard to policy and management to avoid risks, even unknown risks. The IRM value proposition is that simple. But overcoming the resistance to integrated risk management that is inherent in most FSIs today requires a governance structure that is driven from the top down and also has broad participation and accountability from the bottom up. In other words, the governance model must be firm and clear but also participative.

ORM as support
The need for specialized expertise in each domain area is often used as an excuse to avoid trying to improve visibility and transparency between business units and internal functions. Moreover, today's ORM leader is viewed as meddling in other departments. However, just as the global financial system has demonstrated a level of systemic interdependency that was unseen for years, ORM can expose the interdependencies between different areas of a bank, a brokerage house or an insurance company. For this reason, not only must each domain manage its operational risk, but each domain must be accountable for the enterprise visibility and transparency dictated by ORM policy.

Arguments ensue when an ORM manager has the right to enter and examine a business unit or to prescribe operational procedures for that unit. Rather than make the ORM group into a law-making and law-enforcing unit, turn ORM into an audit function whose responsibility is to opine on the quality of transparency and visibility each line of business or functional unit provides in meeting firmwide risk policy objectives as established by the institution's governance body. This function can also support the integrated analytics, modeling and enterprise risk scenario-building for management. In short, re-engineer the existing ORM organization.

Stop looking to regulatory for answers
Considering recent history, some FSIs viewed regulatory findings as the final word on the safety and soundness of their institutions. For their part, regulators published findings that reflected how well the institutions did in meeting the rules of the road. Although compliance is necessary, most regulation is a response to past events in the marketplace and industry as a whole rather than forward-looking. For example, after the Gramm-Leach-Bliley Act of 1999 rescinded the Glass-Steagall restrictions prohibiting banks from offering securities and investment services, banks took advantage of new freedoms in new markets, sometimes in markets they didn't understand. This was not the fault of the regulator. By the same token, new regulatory approaches such as stress testing have to date been limited and prescriptive, based on historical relationships in the marketplace. These relationships are no longer valid, and if static testing is used to forecast risk in the new economic climate, it may in fact provide false signals as to the safety and soundness of an FSI. Understand that true risk management is not a regulatory matter.

Integrate technology, people and process
TowerGroup has introduced the concept of the intelligence suite, which calls for the integration of people, process and technology in dynamic and real-time ways and within the flow of business. Technologies that deliver analytics, rules engines and process controls and detect anomalies and identify new opportunities must allow for the integration of human intelligence as well as artificial intelligence. Leading vendors understand that the human element determines whether the benefits of their products or solutions are gained or lost. Vendors are enhancing visualization technologies to help people understand complex issues in a clear and prioritized fashion to manage risk better.

To use even the brightest of new technologies effectively, however, humans require form and structure that enables them to work and think as humans do. This is where process design can make or break the outcome of integrated risk management. It is in processes that operational risk becomes a universal issue to every employee in every line of business, department or function. With all of the good risk management technologies in existence today, those with the capacity for intelligent delivery are best able to deliver information within the capability of humans to use it and in a fashion that makes them want to use it. Orchestrate people, process and technology to achieve IRM.

Conclusion
Inclusive governance and organizational risk management are the foundation for actionable steps to achieve integrated, firmwide risk management. Spending less energy worrying about regulation and regulators and more developing an effective intelligence suite provides the methods to fulfill the promise of integration. Whether financial institutions are bold enough to swallow the tough medicine that true integration of enterprise risk management requires may well determine which financial services institutions will thrive in a new, different and dynamic post-crisis industry.

This article is based on research by the Financial Strategies and IT Investments practice at TowerGroup, a leading research and advisory services firm focused exclusively on the global financial services industry. Senior Research Director Rodney Nelsestuen can be reached at rnelsestuen@towergroup.com. Learn more about TowerGroup or subscribe to its research services by calling +1.781.292.5200 or e-mail service-info@towergroup.com.

BIO Rod Nelsestuen is a Senior Research Director in the TowerGroup Financial Strategies and IT Investments Cross Industry group. He conducts research on business and IT strategies, emerging trends, growth strategies, and issues germane to all verticals across the industry.

Online:

SAS ranks first in two categories of the Chartis RiskTech 100 Report: Operational Risk and Core Technology (www.sas.com/sascom-chartis-2008). Gartner positions SAS in the Leaders quadrant of the Magic Quadrant for Operational Risk Management Software for Financial Services (www.sas.com/sascom-gartner-2008). Effectively monitor risk across the enterprise with SAS for Enterprise Risk Management (www.sas.com/sascom-enterpriserisk).


The whole is more than the sum of its parts


ARISTOTLE (384 B.C.–322 B.C.), PHILOSOPHER

One of the biggest mistakes that organizations make is to approach data as a technology asset. It is not. It is a corporate asset and needs to be treated and funded as a corporate asset. Justification for data management projects lies in the ability to create a business plan based on the benefit to an organization. Executives want to know how a data management initiative will enhance the business. To do this, any attempt to improve your organization must emphasize risk mitigation, revenue optimization and cost control.

As much data as flows through businesses today, executives still tell me they do not know where to begin to get the information they need. In some companies, the IT department is keeper of data, and a simple question such as "How many units did we sell of this product vs. a similar product packaged differently?" can involve a request to IT that will take a week or more to turn around. Lengthy delays fuel the pessimistic mindset rampant in many companies where data is viewed as sensitive and in need of safeguarding.

In still other companies, each C-level executive has built her own silo of information. The chief marketing officer (CMO) has data on sales and marketing efforts and may be able to create automated marketing campaigns. The chief financial officer (CFO) is tracking dollars and cents, using a solution unique to the world of finance. The executive vice president of merchandising or manufacturing sets up his own supply chain, buying and planning systems.

There are, of course, problems with each of these approaches. When IT holds the data captive, executives tend to request the same type of static report over and over, because asking for unique reports is often a time-consuming exercise in futility. When information is managed in silos, there is no single version of the truth. The CMO may be raving about a marketing campaign bumping sales over last year, while the CFO stares at a sheet with data that suggests the exact opposite.

Executives may manage very different worlds, but they need to work from the same data foundation and they can benefit from exposure to the kind of data that other executives use and manage. For instance, the CMO is typically responsible for retention, market share, branding, cross-sell opportunities, and up-sell effectiveness. How many CMOs, though, can readily determine whether a new marketing campaign for a lower-margin product or service is actually cannibalizing existing high-margin customers? Meanwhile, the executive vice president of manufacturing's finely honed supply chain may not be flexible enough for the CMO's plan to market products in several different types and sizes of packaging.

The CFO is looking at the business from a completely different perspective, because she is responsible for the financial performance across the organization. In publicly-held companies, the CFO needs to forecast reliable earnings expectations. In both private and public companies, the CFO is constantly under pressure to maximize performance and value, establish key performance indicators (KPIs), predict trends, and align strategic goals. The CFO also shares some of the burden of regulatory compliance. A CFO isn't responsible for a supply chain disruption, but without that information the forecasts can't be reported accurately.

In advanced organizations, the chief information officer (CIO) is more business-focused, understanding the needs of the other executives, helping align IT and business, and explaining the value of reaching one version of the truth. This person provides a critical role in establishing the data sharing that is needed to make the business run better. This is not an easy task; even starting may be difficult. The vast majority of companies have multiple applications and systems, and executives are quite fond of their own solutions. Business users, meanwhile, maintain or clamor for a solution that solves their specific problems. Championing an enterprisewide approach involves a huge up-front cost, a great deal of risk, and the potential dissatisfaction of business users who are tied to their siloed solutions.

Realistically, the CIO can't advocate scrapping a myriad of systems, solutions, and software that are in use. The CIO can't impose a one-size-fits-all solution, even if such a solution were available in the market today. But the CIO can focus on making the organization successful by creating a collaborative, aligned, and integrated data environment. Adding data quality and data governance to the existing data silos or the enterprisewide applications and systems can fix many of the problems a CIO faces in data management, while limiting the pain to the business users.

Even though the benefits of successful data management can be substantial, getting to that point shouldn't consume you. Improvement is not about buying one solution, scrapping existing solutions, or patching together 20 disparate systems. The process is not about the next 12 months being the "Year We Get Our Data in Order." This is a process that is best done by taking one step at a time, one project at a time, one action at a time, while always focusing on the business reasons.

I like cars, so I like car analogies. We tend to spend a lot of time and effort choosing the right car. We research the brands and comparison shop, and when it's all finished and we drive off the lot, we think "Phew, glad that's over with." Achieving quality data is not like the process of buying the car. But it is like the process of maintaining the car. It is putting the right gas in, getting the oil checked and replacing worn tires. It is the routine, everyday things that are critical when it comes to keeping the car running and maintaining its value. Quality data keeps your business running smoothly, it keeps your company's value high and ultimately it keeps your company in business. Period.

Remember
1. Data quality and data governance should not be considered a one-time project. A quality culture must be an ongoing, continuous process.
2. No organization can tackle enterprisewide data quality and data governance all at once. To be successful, your journey must be evolutionary.
3. Start small, and take achievable steps that can be measured along the way.
This content is excerpted from The Data Asset: How Smart Companies Govern Their Data for Business Success, 978-0-470-46226-3, 2009 with permission from the publisher, John Wiley & Sons. You may not make any other use, or authorize any others to make any other use of this excerpt, in any print or non-print format, including electronic or multimedia.

BIO

Tony Fisher is President and CEO of DataFlux, a wholly owned subsidiary of SAS, which enables companies to analyze, improve and control their data through an integrated technology platform. He has guided DataFlux through tremendous growth as it became a market-leading provider of data quality and data integration solutions and speaks throughout the world on emerging trends in data quality, data integration and master data management, as well as how better management of data leads to business optimization.

The Data Asset: How Smart Companies Govern Their Data for Business Success (www.sas.com/sascom-dataasset).

Online:

With larger volumes of data being processed more quickly, why are companies still struggling to turn data into information and make sense of that information? Read Better Answers, Faster (www.sas.com/sascom-betteranswers). Watch this BetterManagement.com video interview (www.sas.com/sascom-bmanagement) with Fisher to learn how IT and business groups can align data as a strategic asset and allocate resources and funding for data management. For ongoing tips and information about data governance, data quality and data integration, follow the DataFlux Community of experts blog (www.sas.com/sascom-datafluxblog).


Corporate survival using the SOAR methodology

From time to time, one expects a large organization to fail. If the average rate of defaults in any one-year period among AAA-rated organizations is, say, 0.03 percent, these two expressions are true:

- Any single AAA-rated organization has a probability of failing within a one-year period of around 0.03 percent.
- In any group of 10,000 AAA-rated organizations, around three will fail in any typical year.

In very recent times, a surprisingly large number of highly rated organizations have failed, and the period beginning around mid-2008 through the summer of 2009 has become popularly known as the "global financial crisis," largely because of the number of headline failures of large financial institutions.

This article is a brief description of how the SOAR methodology should be applied in any organization as a means to ensure survival. The SOAR methodology prescribes the disciplined analysis of the probability distribution of possible outcomes in relation to strategic objectives. In order to examine the application of the SOAR methodology to the very fundamental objective of surviving, we set survival as the objective, which would be stated as follows: "Our objective is to survive." We can easily restate "survive" as "remain solvent." We can then, for the purpose of the SOAR methodology, restate the objective as follows:

Our objective is to hold capital that would protect us against the worst possible loss over the next year, estimated at 99.97 percent confidence.

SOAR: Set metrics


The first step in the SOAR process is to set appropriate metrics. From the restatement of the strategic objective, it is apparent that the metric should be capital and that the target value of the metric should be some amount greater than or equal to the worst possible loss over the next year, estimated at 99.97 percent confidence. Imagine the worst possible loss is estimated to be $3 billion. Then the organization must hold at least $3 billion in capital. It is that simple. The most difficult part, as you might well imagine, is estimating the worst possible loss.

In the case of financial institutions, reasonably mature models exist for the estimation of losses, particularly losses on credit portfolios. One wonders, then, how so many large organizations could have recently failed. If models exist to estimate large losses and all that an organization has to do in order to survive is hold capital greater than the losses, then any of the following are possible:

- The models understated the possible losses.
- The models provided reasonable estimates of the losses but the failed organizations did not respond appropriately by holding at least an equal amount of capital.


There can be a number of reasons why the models might understate potential losses, and criticism of models has been widespread. Whether this is justified or not is hard to say without knowing the details of the models that were applied within the failed organizations. There are a number of reasons why an organization might choose to hold an amount of capital that is lower than what the model suggests, not the least of which is the cost of capital, which has a direct impact on profitability and value.

SOAR: Observe and analyze

As time goes by, and both the organization and the environment change, it is important to regularly observe metric values and then analyze the movements in metric values (this being the third step in the SOAR process). Consider, for example, the chart below, which shows the estimated worst loss and the level of capital held at three points in time.

Even a very quick analysis of the chart would likely highlight the following:

- Estimated worst loss has increased steadily over the three months.
- Level of capital held has remained constant over the three months.
- If the trend in the worst loss amount continues and the level of capital held remains at $100, the estimated worst loss will exceed the capital held after month five.

SOAR: React
The final step in the SOAR process is to react to the analysis of metric values. Any of the following would be reasonable reactions to the analysis presented above:

- Raise additional capital.
- Change the operation in such a way that the worst loss reduces.

On the face of it, to set survival as a strategic objective seems to be setting the bar very low. While I am not suggesting that setting survival as a strategic objective is enviable, I do believe that had any of the recently failed organizations acted on the SOAR methodology, they would still exist today and the global financial crisis would not have come about.
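The set, observe, analyze and react steps described above, sketched as an added Python example that is not part of the original article. Only the 99.97 percent confidence level and the $100 capital figure come from the text; the monthly worst-loss values (60, 70, 80), the simulated losses and the straight-line trend are assumptions made for illustration.

```python
"""SOAR survival objective: capital held vs. worst loss at 99.97% confidence.

Added illustration; every figure except the 99.97% confidence level and the
capital of 100 is constructed.
"""
import math
import random


def worst_loss(losses, confidence=0.9997):
    """Set: nearest-rank empirical quantile of simulated one-year losses."""
    if not losses:
        raise ValueError("need at least one simulated loss")
    ordered = sorted(losses)
    # round() guards against float noise such as 9997.000000000002
    rank = math.ceil(round(confidence * len(ordered), 9))
    return ordered[max(rank, 1) - 1]


def fit_trend(values):
    """Analyze: least-squares line through (1, v1), (2, v2), ...

    Returns (intercept, slope). A straight-line trend is an assumption.
    """
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations")
    xs = range(1, n + 1)
    mean_x = sum(xs) / n
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def first_breach_month(worst_losses, capital, horizon=24):
    """Observe/analyze: first month (1-based) where worst loss exceeds capital.

    Observed months use the observed value, later months the fitted trend.
    Returns None if capital is never exceeded within the horizon.
    """
    intercept, slope = fit_trend(worst_losses)
    for month in range(1, horizon + 1):
        if month <= len(worst_losses):
            value = worst_losses[month - 1]
        else:
            value = intercept + slope * month
        if value > capital + 1e-9:
            return month
    return None


def capital_shortfall(worst_losses, capital, month):
    """React: extra capital needed to cover the projected worst loss at `month`."""
    intercept, slope = fit_trend(worst_losses)
    return max(0.0, intercept + slope * month - capital)


if __name__ == "__main__":
    rng = random.Random(7)  # constructed loss simulation, illustration only
    simulated = [rng.lognormvariate(3.0, 0.6) for _ in range(10_000)]
    print("worst loss at 99.97%:", round(worst_loss(simulated), 1))
    observed = [60.0, 70.0, 80.0]  # constructed monthly worst-loss estimates
    print("first breach month:", first_breach_month(observed, capital=100.0))
    print("shortfall at month 12:", capital_shortfall(observed, 100.0, 12))
```

With these constructed inputs the projected worst loss equals capital in month five and exceeds it in month six, which is the situation the chart analysis describes.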

BIO

Greg Monahan is a consultant and a former practice manager for risk intelligence for SAS Australia. Monahan's consulting clients include a number of SAS offices throughout the Asia-Pacific region and the University of New South Wales. While at SAS Australia, he helped define and execute the marketing strategy for risk management products, primarily in the areas of credit risk and operational risk. In addition, he helped develop the first version of the SAS Credit Risk Management solution.

Figure 1: Chart depicts estimated worst loss and the level of capital held at three points in time.

Online:

Take a look at how SAS can help you embed ERM in your organization: SAS for enterprise Risk Management (www.sas.com/sascom-enterpriserisk).

In Enterprise Risk Management: A Methodology for Achieving Strategic Objectives (www.sas.com/sascomSOAR), Monahan illustrates an effective enterprise risk management (ERM) framework. He also further outlines his SOAR (strategic objectives at risk) methodology.


Risk management at Xcel Energy

The Risk Grid allows informed allocation of billions of resource dollars

Serving 5.3 million customers in eight states, Xcel Energy operates one of the world's most diverse energy portfolios. With dozens of electricity-generating plants (driven by coal, natural gas, nuclear, hydroelectric and wind sources) and tens of thousands of miles of pipeline, Xcel is exposed to numerous sources of volatility and risk whose time frames can extend from a couple of months to decades. Our largest three sources of risk are market risk, credit risk and commodity risk, which create variability in both revenue and expenses. There are also other risk issues in energy utilities that relate to plant and operating safety, social responsibility and environmental risk. Regardless of the source, our challenge is to simulate potential exposures and quantify the various risk factors.

At a top level, that creates two important tasks for the enterprise risk management (ERM) team. First, of course, is performing the many sophisticated calculations and simulations based on complex models that we've created. But just as important, our team must interpret and present those numbers to the Risk Management Committee, senior management, the board of directors and other decision-makers. We have to be able to explain what they mean before initiatives and investments can proceed. Without clear explanations, these executives cannot use the analysis to allocate billions of dollars of resources.

A grid to represent risk status


To meet this challenge, Xcel has adopted and deployed a sophisticated Risk Grid that leverages SAS risk management solutions and business intelligence software. Using familiar stoplight and dashboard metaphors, this grid highlights the projected duration, earnings per share (EPS) impact, and severity of various risks. The grid encompasses both strategic and tactical risks, including those that are reported, audited and covered in the firm's Form 10-K disclosures.

The significant task of identifying and capturing those risks from across the enterprise in a single grid requires a structured, methodical process. Each quarter, our risk management team meets with managers and executives from various areas of the company. We use questionnaires, conduct Q&A interviews with key stakeholders, and identify and standardize the risks and translate them into projected EPS impact, our ultimate risk metric. We've found that the business units are most eager to participate in these meetings because we provide a channel for them to communicate up the risks that they see on a daily basis.


Based on these input and analysis sessions, the Risk Management Committee decides which issues merit further elevation and inclusion in the corporate risk grid. In this manner, the business units are true participants in ERM. This provides a level of clarity and accuracy that we don't believe is possible through traditional top-down approaches.

At the board level, Xcel can then make informed decisions regarding resource allocations, timings and other strategic aspects. For example, we might encounter a short-term issue relating to a plant that we've judged to be a "red status" risk in three to five years if the risk is unaddressed. The resulting action item might be to get the leaders of that business unit, who have visibility and responsibility, to develop a plan of action so that the Risk Management Committee's calculation reduces its status to yellow and green. That might involve, for instance, capital allocations, but now the people who sign off on multibillion-dollar expenditures will have greater transparency into the risks attached to those major decisions.

The Risk Grid helps Xcel over the longer term as well. For instance, we might recognize that one of our plants is on course to encounter a resource constraint issue in 2022. The facility costs nearly $1 billion to build, but given the resource constraint, it can't generate electricity in accordance with its design capability. In an era of greater regulatory oversight and corporate accountability, the only responsible course of action is to deal with the issue today and appropriately resolve it at the lowest possible cost. Because we've identified it, we can form a task force to quantify and analyze alternative risk-adjusted strategies and return to the board with recommendations and costs, including how to recover the costs from future rates.

Begin with data


We've invested extensively in this ERM infrastructure, but its value is directly predicated on the quality of the data (transactions, prices, assumptions, forward curves) and our ability to surface it to the right people in the right form at the right time. Some of this involves simple data transformation processes from hundreds of sources and locations, but that's data we must carefully audit and validate. Making the time and financial investment to perform that validation is an essential, but unsung, step in our ERM program. Then, we apply the SAS Analytics workbench, including SAS Risk Dimensions, to create simulations and scenarios and generate visual reports.

It's an approach that has elevated risk management at our company. Recently, our CFO updated our current status for a leading ratings agency. When he presented the Risk Grid, the ratings team enthusiastically commented on the analysis and nomenclature driving ERM throughout the organization. When they asked what consultants Xcel had hired to prepare the analysis, we were proud to tell them we'd completed the Risk Grid ourselves.

Moving forward, our executive management has made it clear what Xcel's next steps will be with respect to risk management: centralized analytics. We aim to continue our ERM journey by starting to transfer our knowledge and skills in standard ways and create more uniform views to further improve the analytics used to support our capital spending and build or buy decisions.

BIO

Cary P. Oswald, Managing Director, Risk Strategy and Control at Xcel Energy Inc., has in excess of 20 years of experience in wholesale energy trading, commodity risk management and enterprise risk management. Oswald has worked for firms representing all facets of the energy industry, including exploration, refining, transportation and utilities.

Online:

Make reliable decisions amid hundreds or even thousands of variables, while improving profitability, controlling costs and enhancing operational efficiency: SAS Solutions for the Utilities industry (www.sas.com/sascom-utilities). Read about the ways other organizations in the energy and utilities industry are managing risk with SAS (www.sas.com/sascom-utilitysuccess).


Risk management's role in government

When the risk is measured in lives, the solution is chosen with care

A jetliner crashes. Executives at investment banks earn bonuses while investors and homeowners lose billions of dollars as subprime mortgages melt down. Tainted food poisons dozens. A new flu virus closes schools and panics parents. At first glance, it's easy to get upset at the failures in managing the public's risk and overlook the successes. The fact is, our air travel systems, financial markets, food inspections and healthcare system are safe and successful virtually all of the time, thanks to a government that, overall, effectively manages our nation's collective risks: risks that individuals, companies or even nongovernmental organizations like charities cannot manage alone.

The US government manages public risk in numerous ways:

- For the common good. Whether it's national defense, homeland security, or emergency and disaster response, the federal government manages a broad spectrum of risks that private individuals cannot address.
- Risk regulator. The federal government regulates risks between private entities and spells out who owns risks and what levels are acceptable.
- Shaper of risk. The government also creates opportunities through structured risks. Whether it's the Small Business Administration, Defense Advanced Research Projects Agency (DARPA), or the American Recovery and Reinvestment Act (otherwise known as the 2009 stimulus program), government can create an effective environment where risk and innovation are in balance.
- Risk manager of last resort. In a variety of ways, the government provides a firewall against runaway risks to ensure stability in numerous areas, such as the financial markets. The management of this risk, of course, must be counterbalanced by not encouraging moral hazard, that is, expecting the government to always absolve one of the negative consequences of the risks taken.
- Internal risk management. Federal agencies and departments of all stripes deliver programs and services to the public. They must manage the risks inherent in their own operations to ensure citizen satisfaction and the delivery of value for money.

Introduction of ERM
At first, each risk area (strategic, operational, financial and insurable) was managed independently, in silos. However, it soon became apparent that by adopting a holistic view of their overall risk exposures and initiatives, companies could benefit by ensuring risks were not being over- or under-managed. The concept of enterprise risk management was born. Enterprise risk management (ERM) improved the executives' ability to make better decisions that more accurately reflect the true nature of the risks in the business environment.

Of course, no other organization presents both the levels of complexity and risk that the federal government faces daily. For instance, consider that, through Medicare and Social Security, the US is the largest insurer in the world. Consider also the magnitude of the strategic, operational, financial and insurable risks that the government confronts daily. Not surprisingly, ERM is rapidly gaining attention in government circles as a discipline that can significantly improve governmental performance.

Unfortunately, risk management in government isn't as straightforward as it is in the private sector. Not only is the magnitude of the consequences so much greater, there are also added dimensions in the form of politics and stakeholder motives that extend beyond simply measuring increases in a company's profit or loss statement. On Capitol Hill alone, there are 535 "risk managers," each with differing views of the importance of risk based on local concerns and party affiliation. With every election, or news event, the priority can radically change. Government risk managers tasked with carrying out the wishes of Congress must fashion definitions of successful risk management that reflect both pragmatism and political concerns, not merely ROI.

It is challenging to quantify both the probability of a negative outcome (a failure) and the impact of that failure on citizens. As a result of scale and political dimensions, it becomes daunting to stand up and answer the questions "What is the acceptable level of risk?" and "What losses are we willing to accept in pursuit of our objectives?" In a manufacturing context, this would be the limits of tolerance or quality control. But the federal government isn't a factory. Is it acceptable for some people to be injured by a new drug even if a vast number of others find relief from their pain and misery?

The impact of unintended consequences is much larger at this level as well. For instance, laws to limit lead products in children's toys can go too far if they also restrict all uses of lead in motorcycle brake and clutch pedals that pose a minuscule risk to children. Decisions to destroy batches of vegetables incorrectly thought to be tainted with salmonella can cost hardworking farmers, and their insurers, hundreds of millions of dollars. However, few public officials are willing to defend decisions that may lead to even the smallest failures. And, risk without responsibility is a recipe for disaster, as we've seen in instances ranging from the losses of space shuttles to Hurricane Katrina.

Manipulating risk
In recent years, this culture of preventing all failures without fully understanding the cost has become pervasive. The elemental definition of risk and risk tolerance has changed, and that's changing the fundamental assessments of risk by adding in significant uncertainty. Issues of moral hazard are far less clear today than they were even a year ago. It's impossible to simulate scenarios because political influences can disrupt the models without notice. For instance, bondholders who have seen the bankruptcy of Chrysler and General Motors abrogate their preferred rights may fundamentally change their perception of lending risk. When long-standing rules change without any notice, and when failure can't be reasonably quantified or becomes subject to more arbitrary factors, then risk management really becomes akin to gambling. In addition, if the expectation or possibility of failure is eliminated, market participants may have incentive to engage in risky behaviors that can diminish the government's ability to manage risk for the good of all.

Transparency is required
For ERM to be effective, risk managers, rank-and-file employees, and executives must create decision-making behaviors that value transparency. That culture can only be achieved through objective information with attainable goals. In government settings, such information makes it virtually impossible to evade responsibility and accountability. Too often, this runs counter to the prevailing culture and necessitates a transformative change that will empower people to openly discuss assumptions, constraints and the risks that they confront. It requires boldness, even if it means that progress is measured in small steps. But, with President Obama's directives to improve transparency and collaboration, we're already seeing signs of improvement.

The future of ERM, IT and government

Collectively, these three factors (government agencies' reliance on IT and the reputational risk posed to senior executives by its failure; the Obama administration's mandates for an open, accountable government; and White House appointments of a CIO and CTO) make government IT operational risk management an imperative. IT is also a good place to start ERM since IT risk management involves the management of strategic as well as financial risk. By initially focusing on the management of IT operational risks (the people, processes and technology needed to implement or sustain IT operations), not only can IT operational performance improve, but the beginnings of an overarching ERM framework can be laid out that goes beyond IT.

Most successful ERM programs have a top-down, senior management "pull" (i.e., "What are my agency's or department's risks?") and a bottom-up "push" of objective information from the working level to answer that question. Remember, strategic decisions can't be better than the objective information created at the program and project levels. As government's role of risk manager expands in reaction to changing risks, and perceptions of risk, IT-led ERM will take on an increasingly greater role.

The birth of enterprise risk management


After the successful conclusion of World War II and the blossoming of our modern economy, corporations began to understand the value of managing risk. It began with a focus on insuring certain financial assets and activities. However, as a global economy gained traction, it became apparent that there were a variety of risks to consider and actively manage:

- Strategic risks affect an organization's direction. Should the organization stay on its present course and speed or make changes to one or both? Strategic risks encompass the feasibility of the organization's overall objectives as well as underlying assumptions and constraints on how it does business.
- Operational risks primarily address factors that could affect the organization's daily processes. They involve the people, processes and technology needed to carry out the strategic objectives. For instance, operational risks might encompass how well IT systems function or the effectiveness of information security measures.
- Financial risks concern the organization's financial investments. For instance, are financial resources allocated to create the best return and generate the best value for shareholders?
- Insurable risks can be addressed by insurance. These are "pure" risks, meaning that no financial gain from their occurrence can be realized. They are also risks that can be generally measured and predicted.

BIO

Robert Charette, President of the consulting firm ITABHI Corp., has advised federal agencies and FORTUNE 100 companies and written, lectured and consulted extensively on risk management strategies across the globe.

Online:

The President's Management Agenda is designed to help government become citizen-centered, results-oriented and market-based, thus promoting innovation and competition. Read about SAS for e-Government (www.sas.com/sascom-egov).
SAS solutions for government organizations span the world. Visit specific SAS country Web sites to learn about offerings in your geographical area (www.sas.com/sascom-geography).
Keep risk and innovation in balance by embedding enterprise risk management into everyday processes: SAS for enterprise Risk Management (www.sas.com/sascom-enterpriserisk).


Moving from stress tests to broader scenario analyses

Current events reveal the need for a better understanding of the effects of events across risk types

The Federal Reserve, rating agencies and capital providers are requiring consistent views of banks that extend far beyond a simple snapshot of capital reserves. Today, banks must embrace a richer brand of scenario analysis: executing a variety of stress tests and scenarios across all of their portfolios. The payoff extends beyond mere regulatory compliance and institutional health. It also means an enhanced competitive posture.

Even in the best of economic times, stress testing a bank's portfolio is a sound practice for assessing the sufficiency of capital reserves as well as the responsiveness of the institution's infrastructure and reporting process. However, as we all learned in the 2008-09 financial crisis, there were significant weaknesses in these internal stress-testing programs. The major shortcoming: an inability to assess vulnerabilities arising from interrelated events across all risk and asset types. The inadequacy prevented institutions from seeing the interactions across risk types that surfaced in the crisis. As a result, siloed risk models in various asset classes lacked the synergy and interrelationships to properly forecast the cross-asset impact of abnormal conditions and events.

Today, it's much clearer that firmwide stress testing across asset classes, positions and business lines must improve in order to ensure appropriate risk capture and aggregate stress-test and risk-calculation results more consistently and effectively. However, until regulators recently stepped up their mandates for stress testing, there was no precedent or strong impetus driving banks to aggregate their information to assess vulnerabilities across risk and asset types.

Although the recently completed first round of the Supervisory Capital Assessment Program (SCAP) provided some useful insights into 19 of the largest US banks, those tests were limited by the available data and the restriction to two basic scenarios: a continuing downturn and a slightly more adverse condition. What's more, the SCAP tests were a process nightmare. The US Treasury Department designed valid and meaningful stress tests, sent regulatory letters mandating that banks perform the tests, compiled results, compared bank submissions, adjusted values and interpreted the findings. Collectively, those tasks took three to four months. It wasn't better inside banks. As a result of these Treasury-orchestrated stress tests, most banks had to create one-time manual processes to comply, processes that will be difficult to extend or repeat.

[Figure: A Holistic Approach. Labels: Source Systems; Market/Static Data; Front Office/Portfolios; Stress and Scenario Tests; Reverse Stress Testing; Risk engine; Aggregation and Reporting; Dashboard; Risk Analysts; Business Management and Risk Advisory Committees.] Strategic: Ultimately, the vision for all financial institutions is to have one risk engine that provides the risk analytics for all areas of the business, providing truly integrated scenario analysis.

The shift to scenario analysis


Simply replicating the tests on an industrywide basis would be challenging enough. But as the thin and limited results of the first round of SCAP show, it's clear that regulators and institutions alike will need to expand their view from simple stress testing. It's now clear that the SCAP tests were not a one-time exercise, and that improved stress-testing processes and analytics will remain a high priority for the foreseeable future. Mastery of these tests will not only be required to respond to regulatory requirements; they will also enable banks to perform ad hoc stress analyses and more effectively manage their economic capital.

But this first phase only hints at the scale and scope of the broader challenge. Going forward, banks will need a broader class of scenario analyses that leverage standardized processes and improved data aggregation. In simple stress testing, the bank models and calculates the effect on a particular asset class of a change to a single risk factor or set of risk factors by a given amount. For instance, what happens to the mortgage-securities assets if equity prices decrease by 10 percent? This can be used to analyze how sensitive an asset is to a large change in a specific market factor, i.e., how exposed it is. But banks need to expand stress testing across the portfolio, often called scenario analysis. This involves calculating the effects on a portfolio of stressing all underlying risk factors arising from a pre-defined market scenario. Scenario analysis is better suited to reproducing the effects of historical events, such as Black Monday, a period of loss in the bank's history or a potential future event.
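The difference between a simple stress test and a scenario analysis, as described above, shown in an added Python example that is not part of the original article. The portfolio, sensitivities and shock sizes are constructed, and the linear-sensitivity P&L model is an assumption standing in for a bank's own valuation models; only the "equity prices decrease by 10 percent" shock on mortgage securities comes from the text.

```python
"""Single-factor stress test vs. portfolio-wide scenario analysis.

Added illustration. All positions, sensitivities and shocks are constructed.
"""

# Each position: market value plus sensitivity to each risk factor, expressed
# as the fractional change in value per 100% relative move in that factor.
PORTFOLIO = [
    {"asset_class": "mortgage_securities", "value": 500.0,
     "sensitivity": {"equity": 0.30, "house_prices": 0.80, "credit_spread": -0.50}},
    {"asset_class": "equities", "value": 300.0,
     "sensitivity": {"equity": 1.00}},
    {"asset_class": "corporate_loans", "value": 400.0,
     "sensitivity": {"equity": 0.10, "credit_spread": -0.25}},
]

# Constructed adverse scenario: relative moves in every risk factor at once.
ADVERSE_SCENARIO = {"equity": -0.10, "house_prices": -0.15, "credit_spread": 0.40}


def position_pnl(position, shocks):
    """P&L of one position under factor shocks; a factor not shocked does not move."""
    change = sum(beta * shocks.get(factor, 0.0)
                 for factor, beta in position["sensitivity"].items())
    return position["value"] * change


def stress_test(portfolio, asset_class, factor, shock):
    """Simple stress test: one asset class, one risk factor moved by `shock`."""
    selected = [p for p in portfolio if p["asset_class"] == asset_class]
    if not selected:
        raise KeyError(f"no positions in asset class {asset_class!r}")
    return sum(position_pnl(p, {factor: shock}) for p in selected)


def scenario_analysis(portfolio, scenario):
    """Scenario analysis: all factors shocked together across the whole portfolio."""
    known = {f for p in portfolio for f in p["sensitivity"]}
    unmapped = set(scenario) - known
    if unmapped:
        # A shocked factor that no position is mapped to signals a data gap.
        raise KeyError(f"no position is mapped to factors: {sorted(unmapped)}")
    by_class = {}
    for p in portfolio:
        key = p["asset_class"]
        by_class[key] = by_class.get(key, 0.0) + position_pnl(p, scenario)
    return {"by_asset_class": by_class, "total": sum(by_class.values())}


def silo_gap(portfolio, scenario):
    """Per asset class: scenario P&L minus the worst single-factor stress P&L.

    A negative gap is loss that no individual single-factor test would show.
    """
    full = scenario_analysis(portfolio, scenario)["by_asset_class"]
    gaps = {}
    for asset_class, pnl in full.items():
        worst_single = min(stress_test(portfolio, asset_class, f, s)
                           for f, s in scenario.items())
        gaps[asset_class] = pnl - worst_single
    return gaps


if __name__ == "__main__":
    single = stress_test(PORTFOLIO, "mortgage_securities", "equity", -0.10)
    print("mortgage securities, equity -10%:", round(single, 2))
    result = scenario_analysis(PORTFOLIO, ADVERSE_SCENARIO)
    print("adverse scenario, whole portfolio:", round(result["total"], 2))
    print("loss hidden from single-factor tests:",
          {k: round(v, 2) for k, v in silo_gap(PORTFOLIO, ADVERSE_SCENARIO).items()})
```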

Needed: Integrated framework


To achieve this broader scope of testing, banks need a framework that allows managers and analysts to easily run many different market and credit risk scenarios across a variety of risk factors and portfolios. Business users and risk analysts need a graphical interface to simplify the building and reviewing of stress-test scenarios. The ability to use pre-defined scenarios or create user-defined scenarios is critical, as is a robust visualization capability to compare the impact of scenarios across specific key performance indicators. A framework that enables senior executives and business analysts alike to view consolidated results for a variety of stress-test scenarios, and that can extend and enhance the ability to perform sensitivity and "what if" analyses, would be a powerful asset, especially in the current challenging economic conditions.

Coverage of asset types and consistency of criteria are large barriers to more effective stress tests and scenario analyses. That coverage is hindered because disparate information prohibits a consolidated view of all assets. What's more, multiple versions of data, valuation methods and models persist throughout the process. Financial institutions need an integrated approach to risk evaluation to understand events that have effects across risk types (e.g., market risk, credit risk and operational risk) that, when combined, could result in exposure beyond isolated test results.

Clear regulatory and industry standards for stress tests are essential to align asset classes and risk measurement methodologies across the industry for use within banks and between the banks and regulators. These standards for stress testing and scenario analysis would help remove some of the subjectivity from asset valuation and provide a more consistent risk calculation methodology.


Information from stress testing and scenario analyses provides tremendous benefits to financial institutions. The results point to specific operational gaps, vulnerabilities and threats that the banks can address. This makes the institutions stronger, more competitive and better positioned to provide better services to customers.

Three Ways to Improve Stress Testing


1. Break down the silos. Transition stress testing from its narrow silo view to look more broadly across the firm. Don't focus solely on areas where it is known that there's elevated risk. Implement a framework to aggregate enterprise position data to look at all asset classes.

2. Implement a flexible framework for integrated stress testing and ad hoc analyses. The business driver is to provide a desktop stress-testing solution that allows analysts to immediately react to changes in the market by defining possible stresses and scenarios and observing their effects on the exposure in their portfolios, without the need for intervention by another party/department.

3. Continually refine the process. Banks should continually test and refine their models to validate their scenarios. Back-testing of models with historical data and events can increase the confidence in those models as part of an overall model-validation strategy to manage model risk.

BIO

Mike Stefanick is Director of Global Risk Practice for SAS. Prior to joining SAS, Stefanick served as Vice President of Risk Architecture and Finance Transformation with SunTrust Group, and as Chief Architect and Vice President of Business Risk Systems for Fifth Third Bank. He also has extensive consulting experience with many financial institutions. Mike.Stefanick@sas.com


Spreadsheet risk

Spreadsheet programs have worked their way into organizational reporting, in part because of the low initial price and employees' pre-existing knowledge. Additionally, the flexibility with which data can be manipulated and calculated, together with easy access and existing possibilities, makes spreadsheets a tool of choice. However, on the report receiver's side, there is abundant criticism: Lack of access to original data. Difficult version control. No documentation. Partially unintelligible macros. Revision lacks data security and traceability. These problems have led some boards of directors and IT managers to consider spreadsheets to be a serious risk. In fact, with regard to regulatory compliance, in particular Basel II, IAS and Sarbanes-Oxley, there is even talk of overuse and overreliance on spreadsheets.

Report creation process

Understanding the advantages and criticism begins with report creation. CSV files that are generated in operational systems or analysis data pools are usually the foundation for the reporting process. This limits direct access to databases and means that the imported raw data must be prepared before analysis can begin. This manual and time-consuming process is further hindered by the limited data quantity per worksheet and leads to correspondingly complex, convoluted spreadsheets. Calculations are most often compiled for analysis as macros or small, embedded programs from each department. Each department's spreadsheet is then compiled as part of a report portfolio, which is printed and provided to management or forwarded to other responsible parties as a risk-inherent e-mail attachment.

Risk management and control

Financial supervisors and accountants increasingly require that spreadsheet processing be based on a secure, transparent and traceable foundation. Policies and processes are established to determine the risk and set organizational policies to guarantee this structure. Risk management and control are responsible for the identification and evaluation, supervision and management, and communication of risks and strategy.

Immediate reporting requirements

In addition to the risk management and control requirements, which result from the organizational point of view, there are also immediate reporting requirements.

Correct and traceable: It is common for two analysts to present spreadsheets with different results on the same subject.

Regular and automated: Spreadsheets are tailored for interactive use, and even after intensive macro programming, only rarely offer more than a half-automated procedure. Although difficult to implement, data preparation should be a regular, automated, standardized process.

Early identification of risks and exceptions: An important element of automated processes is the early identification of risks and exceptions. Depending on the size of the organization, there are abundant limits and risk indicators to be monitored.

Distribution and communication: Finally, the information must be consolidated and distributed, often under tight deadlines. The reports are provided to users in printed form and through the intranet.

Organizational equipment

A final component to consider when evaluating the risk of spreadsheets is the organizational equipment appropriate for the organization's strategy and risk situation. The primary tasks to allow automated procedures and ensure availability of a secured system are: Provide flexible allocation of the IT systems. Secure the integrity, availability, authenticity and reliability of data. Develop operational and emergency recovery concept. Of course, these tasks lie beyond the scope of spreadsheets, but when utilized they must work together with all of the aforementioned components. Most spreadsheets are already limited because of the hardware and do not necessarily fit with the organizational strategy.

What's the solution?

The risks posed by spreadsheet use in critical areas are obvious and far outweigh the advantages. From a regulatory viewpoint, spreadsheets are singularly insufficient to meet reporting and management requirements. The challenge is finding a solution that enables normal work as much as possible and yet also establishes an infrastructure to accommodate regulatory requirements. These problems are familiar to leading spreadsheet producers: Microsoft combines Microsoft Office Excel with Microsoft Office SharePoint Server, based on a Windows Compute Cluster Server 2003, to provide sufficient calculating capacity; and Office PerformancePoint Server 2007 combines server-based components with Excel as the user interface. This strategy ties with industry analysts' suggestions that spreadsheet use should be confined to those areas that are noncritical. SAS holds the view that, with the new Microsoft strategy, at least the largest problems related to the use of spreadsheets are being considered. But are they the solution for the regulatory challenges? According to a December 2005 Gartner study, "Server-Based Version of Excel": Organizations should not assume, however, that, just because the application is server-based, it inherently provides a high degree of integrity and consistency. The risk to organizations is that, if the application is not managed, they will wake up one day to find a plethora of server-based spreadsheets without the ability to easily manage or control them.

In this regard, SAS believes that spreadsheets, even in the new packaging, can only meet the regulatory requirements of modern organizations in a limited capacity. The primary reason lies in the tight interlocking of data, methods, reporting and infrastructure. The less overlap between various suppliers that need to be supported, the fewer the losses and the more predictable the solutions. SAS Business Intelligence software offers the solution to this apparent dilemma. It constitutes an analytical platform and architecture in which spreadsheet programs take their natural place as a building block.

Online:

Read more about the risks posed by spreadsheets in "A New Dimension in Risk: Spreadsheet Risk" (www.sas.com/sascom-newdimension). For more information about SAS Business Intelligence, read "The SAS Enterprise Intelligence Platform: SAS Business Intelligence" (www.sas.com/sascom-businessintelligence).

Multidimensional vs. flat view

Analytics software enables the collection, classification, analysis and interpretation of a wide range of data for better decision making. Aberdeen Group, in its January 2009 report, "Beyond Spreadsheets: The Value of BI and Analytics," identified business intelligence and analytics as the most important technology to affect businesses in the next two to five years. The research firm found that many organizations will use a flawed strategy to try to extract business intelligence using spreadsheets. Organizations are falling back on spreadsheets as a means of providing the output from BI systems to users who either do not have the analytical skills required, or for whom access to BI capabilities is simply too expensive. This thought process may be erroneous when the costs associated with uncontrolled use of spreadsheets are factored in, Aberdeen reported.

For more insight into Aberdeen's research, read "Mining Data for Intelligence, Creativity and Insights" (http://www.sas.com/resources/asset/104190_0909.pdf) by Sandra Gittlen.


Benchmarking the quality of risk management from a business-centric perspective

As we enter a new era for risk management in financial services, a key challenge for stakeholders involves benchmarking the quality of a risk management program from a business-centric perspective: its ability to simultaneously add revenue-generating value and comply with governance requirements. The fact is, many business-driven risk-management initiatives look great on paper until they fail to prevent dramatic losses in abnormal markets. The right solution measures exposure across all risk types and all books of business, provides timely access to an integrated risk-data infrastructure, and rewards a consistent optimization of risk-adjusted returns.

The failure to benchmark risk management from a business-centric perspective and make that risk transparent has wreaked havoc on both Wall Street and Main Street. For example, if the risks of the subprime market were transparent, today's chaos might have been substantially reduced. Further, a lack of transparency can lead to fears that the institution may be hiding potential losses. This dynamic contributed to the unraveling of structured investment vehicles (SIVs), the marking down of illiquid portfolios, the struggles with rolling over financing (such as short-term asset-backed commercial paper) and a dramatic increase in foreclosures. Timely access to and dissemination of information has become an important dimension of superior risk management.

A three-dimensional approach
A three-dimensional benchmarking approach is useful for evaluating the quality of risk management from a business perspective. It should cover policy, methodology and infrastructure.

Policies: The core of a superior enterprise risk management (ERM) business approach includes having the right policies to support the idea that risk tolerance is integrated and consistent with business strategies and vice versa. Policies should also call for back-tested risk measures and limits on the amount-at-risk to be expressed in meaningful terms. Risk should be properly disclosed internally and externally on a granular and integrated portfolio-management basis.

Methodologies: Superior risk solutions use value-at-risk (VaR) and stress-test methodologies to predict actual losses integrated across all risks and books of business. For example, businesses should be able to perform VaR and stress-test analysis across each risk type (e.g., each Basel risk type: market risk, credit risk, and operational risk). Mathematical models and positions should be properly vetted and valued. It is essential that the methodologies to control risk are used for such things as calculating the economic capital (i.e., pass the "use test"), regulatory capital management, pricing deals and performance measurement.


Infrastructure: Even with strong policies and methodologies, a superior infrastructure is required to properly manage risk as well as enable a business to exceed its risk-adjusted revenue objectives. This includes software to flexibly integrate data management, risk analytics, and reporting of market, transaction and legal data.

SAS Risk Management for Banking (www.sas.com/sascomfsiriskmanagement) delivers functionality for all major risk types and allows banks to meet the requirements that are at the core of superior risk architectures (see Figure 1). The end-to-end solution encompasses integrated data models, data-quality management, advanced analytics and reporting. It comprises applications for market risk, credit risk, asset and liability management risk, and firmwide risk that can be used either individually or in a combination of risk application flows. This allows business units to independently and separately calculate the various measures of risk (see the middle layer of Figure 1). As noted in the methodologies discussion above, it is essential for the software to enable the organization to independently and separately stress test its individual and firmwide risk. Further, the software should allow the organization to compute economic capital and risk-adjusted performance measures at the firmwide level (see right-hand side of Figure 1). All solution components are highly configurable to enable users to meet the needs of an organization's specific requirements on data, models, analytics and reporting.

Model risk
Today, forward-thinking businesses are proactively embedding complex risk models within integrated applications that drive assessments of product development and pricing. However, these models themselves contain inherent risk that can lead to dire repercussions. Time and again, the shock of volatile markets has demonstrated that quantitative financial approaches are a double-edged sword.

Figure 1: SAS Risk Management for Banking

Firms that understand the strengths and limitations of integrated applications and quantitative tools and that can aggregate appropriate levels of internal and external loss data can reap benefits from their wide deployment. Further, they can use an integrated risk engine to thoroughly analyze their scenarios using simple dashboards that use warnings to highlight the amount of their model risk. Alternatively, if business units fail to recognize and appreciate the model risk embedded in their businesses, they may experience dramatic losses in so-called "highly improbable" markets. There are several model risks to monitor and prevent.

Model error: Model error refers to cases where the model contains mathematical errors or, more likely, simplifying assumptions that are misleading or inappropriate. The most frequent model error is assuming that the distribution of the underlying asset is fixed when, in fact, it changes over time. Practitioners know that volatility is not constant and often find themselves struggling to balance complexity (to better represent reality) and simplicity (to improve the utility of their models). For example, practitioners mistakenly assume that rates of return are normally distributed. Extreme events have become more likely and are not well described by a normal distribution. Models can be oversimplified by underestimating risk factors that must be accounted for and assuming that perfect capital markets exist. The lack of liquidity in turbulent markets accompanied by correlations moving toward 1 is also a major source of model risk. Models must complement VaR through coherent scenario analysis that incorporates macroeconomic scenarios and stress testing.

Implementation error: Within a poorly integrated risk environment, a model might be implemented incorrectly, either by accident or as part of a deliberate fraud. A model developed and approved for one product may be inappropriately used for another product (e.g., a bond with embedded options is erroneously priced with a plain vanilla bond-pricing model that does not account for its optionality). Even if a model is correct, the danger remains that it will be incorrectly implemented. For example, implementations relying on numerical techniques exhibit inherent approximation errors and limited ranges of validity. In models requiring Monte Carlo simulation, large inaccuracies can creep in if insufficient simulation runs or time steps are implemented.

Data error: Another important component of model risk is a failure relating to input data. The lack of proper input data creates a classic "garbage in, garbage out" dynamic. For example, the input data for selecting the best risk model may be incomplete. Further, input data to estimate model parameters of the risk model (such as volatilities and correlations) may be invalid. Well-designed, integrated applications enable businesses to know how frequently their input data is refreshed across all risks. For example, businesses can adjust their parameters periodically, such as after an important economic event, according to both qualitative judgments in highly illiquid markets and retrospective statistics. The statistical approach is in some sense backward looking, while a manual adjustment relies on a personal assessment of likely future developments in relevant markets.

Information quality error: Information interacts with risk management policies, methodologies and infrastructure in subtle ways. It is imperative to assess information risk in a structured, methodical way like any other operational risk. Table 1 describes information risks within any particular risk management function and provides a view on its essential components.

Table 1: Information risks within each risk management function and a view of the essential components of each function.

Integration: Adequately capture relevant data relationships. For example, does information about insurer-wrapped CDO tranches link to information about the insurer, including current ratings information?

Integrity: Data integrity is essential: do risk exposure roll-ups reconcile with financial statements?

Completeness: Capture all exposures across the organization, such as bespoke deals held ad hoc on traders' spreadsheets.

Accessibility: Users should have easy access to current and historical data and reuse data in any form they require (within limits set by security requirements).

Flexibility: Users should be able to analyze data across any dimension, including the ability to filter or summarize information. Summarizing data by credit rating and geography may lead to insight that further drill-down by weighted-average maturity would be useful.

Extensibility: Extensibility refers to the ability to bring into the environment new types of data for valuing instruments with relevant linkages and the appropriate level of data quality.

Timeliness: How soon is data (deal information, market data, revaluations, etc.) available after the occurrence of the relevant business event?

Auditability: Data is easily traceable from reports back to its source. It is difficult to have confidence in information that has been tampered with.

Conclusion
A business unit should periodically benchmark the quality of its policy decisions against best practices. The quality of risk-adjusted returns depends on the type of business strategies that a business chooses to engage in. A business would also benefit from benchmarking the quality of its risk management practices executed by each organizational unit that touches the transaction, from writing the initial trade ticket to ensuring a well-defined separation of responsibilities exists across the front office, middle office and back office functions. Furthermore, the benchmarking exercise should examine how the models and the supporting infrastructure are deployed to measure risk in both normal and abnormal markets. Models that work well in normal markets often don't work well in either bubble or turbulent markets.

Credit-rating agencies and regulators are increasingly pressuring firms to upgrade the quality of their risk management program as well as upgrade their risk-based capital assessment methodology. Regulators have introduced programs to make regulatory capital measures more risk sensitive through programs such as Basel II and are working to introduce more sophisticated measures of funding liquidity risk. Over time, there will be a more standardized and harmonized approach as companies increasingly demand that their organizations use integrated ERM systems.

Boards are increasingly more accountable and legally liable for risk management. Senior managers in well-run organizations are emphasizing risk literacy and are more focused than ever on improving their knowledge and understanding of risk management in order to meet their fiduciary responsibilities. Chief risk officers in these firms, with the backing of the board and senior management, are adopting best-of-breed risk management approaches through a substantial upgrade in risk policies, measurement and infrastructure.

BIO

Robert M. Mark, PhD, is the Chief Executive Officer of Black Diamond Risk, which provides corporate governance, risk management consulting, risk software tools and transaction services. Mark is also the Founding Executive Director of the Masters of Financial Engineering Program at the UCLA Anderson School of Management. He serves on several boards as well as on Checkpoint's Investment Committee. In 1998, he was awarded the Financial Risk Manager of the Year by the Global Association of Risk Professionals (GARP). He is the Vice Chairperson of the Board of the Professional Risk Managers International Association (PRMIA).

Online:

Gain more insight into how financial organizations are approaching risk management as a result of the financial crisis. Read "After the Storm" (www.sas.com/sascom-storm). Make SAS RiskAdvisory (www.sas.com/sascomriskadvisory) and SAS Risk News (www.sas.com/sascom-risknews) part of your risk management team.


Risk-adjusted pricing framework

Drive growth by closely aligning cost structure with real costs

Risk-based pricing is the alignment of loan pricing with its expected risk. Typically, a borrower's credit risk is used to determine acceptance or denial of the loan application. It may also be used to drive the loan price. Borrowers whose risk is high will be charged a higher interest rate. Risk-based pricing builds on the net interest margin calculations by adding to the cost of funds (cost of transactions and account maintenance, cost of expected loss and of capital for the unexpected loss due to the risk of default).

A risk-based pricing framework should guide a firm's growth strategy by clearly defining within which market segments to compete and which represent a hedge. This strategy would balance the risk and reward ratio during credit on-boarding. One of the major factors in the latest credit crisis was the lack of risk-adjusted pricing when defining which credit to on-board or pass over. This approach, pursued in a race for growth, led to large provisions, which will end in large losses that have yet to be documented as charge-offs.

Risk-based pricing allows the bank to price the risk of issuing credit according to its cost by closely aligning the cost structure with real costs. The components of the equation include cost of funds, transactions and account maintenance, as well as the cost of collections and cost of unexpected and expected loss (expected is the reserve capital and unexpected is the cost of capital set aside for each credit exposure).

Risk-based pricing isn't new. It has evolved from a partially risk-based methodology to the current fully risk-based pricing strategy. During the partially risk-based era, banks were using a tier- or segment-based pricing framework that evaluated a category of exposures rather than the individual profile of an exposure. Other methods used to approximate the risk component costs include looking at historical charge-off rates, historical delinquencies and other proxies, which, in certain cases, can be fairly accurate.

In the post-Basel world, however, banks should leverage the work done for regulatory compliance in processes like risk-based pricing. Basel provides some guidance with respect to LGD (loss given default) for product types and borrower profile as well as ready-made formulas for the computation of unexpected loss at the exposure level that should help smaller banks in setting up a risk-based pricing framework. The computation of PD (probability of default) at the obligor level may be the single best thing to come out of the Basel framework, thereby providing a good analytic approximation for less sophisticated banks.

Systemic issues
Segmentation and risk driver identification are the foremost issues that can cause problems with a risk-based pricing process. If you allocate cost along the wrong segments or use the wrong risk drivers to apply costs, over time the portfolio risk will differ significantly from its original forecast.

Two other significant elements that may affect systemic risk are acceptance and exceptions. It's important to gain acceptance from affected business units (BU) from the beginning. Without acceptance of the framework, compliance to the process will be spotty and ineffective. In the case of exceptions, it is often unrealistic to think that a risk-based pricing framework can be followed implicitly from the start. If the BUs negotiate exceptions, it is important to track and report the exceptions' performance. Exception tracking will validate that risk-based pricing is working as it should. If a risk-based price is right but the BU has created exceptions to get lower rates for customers, the risk-adjusted return (return less loan losses) for that BU will be lower than expected because the spread is too low for the customer risk profile. This further validates the risk-based price.

The acceptance rate concept allows a BU executive to evaluate the trade-off between levels of return at given risk-based prices. BUs will also want to know how many deals are being lost because of the increased spread and if their units will be required to adjust sales strategies to compete in a segment where the risk-based price is closer to market rates (i.e., where they have a competitive advantage). A full understanding of risk-based pricing allows the BUs the flexibility to choose between making 10 deals with a 20 percent risk-adjusted return or 15 deals with a 16 percent risk-adjusted return. These exceptions represent the bank's additional risk. Performance of the exceptions signals that the bank's sales instincts are on the mark or need to be adjusted.

Tracking performance is an important element to ensure success of the risk-based pricing framework. When complemented by comparison of acceptance rates, market rates and portfolio performance, performance tracking can help drive growth strategy on a risk-adjusted basis.
Excerpt based on Risk-Based Pricing: The Steps to Initiate a Risk-Adjusted Framework by Laurent Birade.
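The pricing build-up and the exception tracking described in this article can be sketched as follows. This is an added Python example, not code from the article or from SAS: the cost figures, hurdle rate, tolerance, sample deals and all function names are constructed assumptions, and the unexpected-loss term uses the Basel II IRB capital function with the corporate asset correlation and no maturity adjustment.

```python
"""Risk-based pricing build-up and exception tracking (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from math import exp, sqrt
from statistics import NormalDist

_STD_NORMAL = NormalDist()


@dataclass(frozen=True)
class CostAssumptions:
    """Hypothetical annual cost inputs, all expressed as rates on exposure."""
    cost_of_funds: float
    servicing_cost: float   # transactions, account maintenance and collections
    hurdle_rate: float      # required return on capital held for unexpected loss


@dataclass(frozen=True)
class Deal:
    deal_id: str
    business_unit: str
    exposure: float
    pd: float               # probability of default at obligor level, 0 < pd < 1
    lgd: float              # loss given default
    contracted_rate: float  # rate actually agreed with the customer
    realised_loss: float    # charge-offs booked over the year, in currency


def unexpected_loss_capital(pd: float, lgd: float) -> float:
    """Capital per unit of exposure: Basel II IRB function, corporate asset
    correlation, 99.9% confidence; the maturity adjustment is left out."""
    weight = (1 - exp(-50 * pd)) / (1 - exp(-50))
    corr = 0.12 * weight + 0.24 * (1 - weight)
    stressed_pd = _STD_NORMAL.cdf(
        (_STD_NORMAL.inv_cdf(pd) + sqrt(corr) * _STD_NORMAL.inv_cdf(0.999))
        / sqrt(1 - corr)
    )
    return lgd * (stressed_pd - pd)


def risk_based_rate(pd: float, lgd: float, costs: CostAssumptions) -> float:
    """Cost of funds + servicing + expected loss + charge for capital held."""
    expected_loss = pd * lgd
    capital_charge = costs.hurdle_rate * unexpected_loss_capital(pd, lgd)
    return costs.cost_of_funds + costs.servicing_cost + expected_loss + capital_charge


def track_exceptions(deals, costs, tolerance=0.0005):
    """Group deals by (business unit, is_exception) and report the realised
    risk-adjusted return (margin less loan losses) for each group."""
    buckets = defaultdict(list)
    for deal in deals:
        shortfall = risk_based_rate(deal.pd, deal.lgd, costs) - deal.contracted_rate
        buckets[(deal.business_unit, shortfall > tolerance)].append((deal, shortfall))
    report = {}
    for key, rows in buckets.items():
        exposure = sum(d.exposure for d, _ in rows)
        margin = sum(
            d.exposure * (d.contracted_rate - costs.cost_of_funds - costs.servicing_cost)
            for d, _ in rows
        )
        losses = sum(d.realised_loss for d, _ in rows)
        report[key] = {
            "deals": len(rows),
            "exposure": exposure,
            "risk_adjusted_return": (margin - losses) / exposure,
            # exposure-weighted gap between policy price and contracted price
            "avg_shortfall_bp": 1e4 * sum(s * d.exposure for d, s in rows) / exposure,
        }
    return report


# Constructed sample portfolio, not data from the article.
SAMPLE_COSTS = CostAssumptions(cost_of_funds=0.03, servicing_cost=0.01, hurdle_rate=0.15)
SAMPLE_DEALS = [
    Deal("D1", "Retail", 100_000, 0.02, 0.45, 0.065, 0.0),
    Deal("D2", "Retail", 100_000, 0.02, 0.45, 0.045, 4_000.0),
    Deal("D3", "Retail", 100_000, 0.005, 0.45, 0.055, 0.0),
    Deal("D4", "Commercial", 200_000, 0.02, 0.45, 0.050, 0.0),
]

if __name__ == "__main__":
    for (unit, is_exception), row in sorted(track_exceptions(SAMPLE_DEALS, SAMPLE_COSTS).items()):
        label = "exception" if is_exception else "at or above policy price"
        print(f"{unit:<11} {label:<25} deals={row['deals']} "
              f"RAR={row['risk_adjusted_return']:.2%} "
              f"shortfall={row['avg_shortfall_bp']:.0f}bp")
```

In the sample, the Retail exception bucket shows a negative risk-adjusted return while the deals priced at or above the policy rate earn a positive one, which is the signal the article says exception tracking should surface.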

BIO

Laurent Birade is a Senior Risk Consultant with the SAS Enterprise Risk Practice. Laurent.Birade@sas.com

Online:

For a more in-depth discussion, read "Risk-Based Pricing: The Steps to Initiate a Risk-Adjusted Framework" (www.sas.com/sascom-riskbasedpricing) by Laurent Birade. Clark Abrahams, Chief Financial Architect at SAS, challenges broken credit scoring methods in his blog and books. Read "Generalizing A common and natural tendency may pose problems" (www.sas.com/sascom-ClarkAbrahams).


Mind the Basel gap

Will proposed new regulations create a safety net for the system?
The financial crisis signaled the need for a real paradigm shift in prudential regulation, but this apparently has not yet happened. It is now evident that boards and senior bank management had great difficulty in appreciating the magnitude of the risks being taken in their market departments, and actually understood the implications of those risks even less. This is likely to become even more of an issue after implementation of the current financial market regulation proposals. In their response to the crisis, policymakers and regulators seem intent on further complicating the already complex maze of financial market rules by amending existing fringe rules. The Basel capital adequacy rules, implemented in the EU with the Capital Requirements Directive, serve as the centerpiece of prudential regulation of the banking sector. Initially proposed in 1988, the rules were substantially amended in 2005, generalizing the use of credit ratings for risk weightings in the external ratings-based approach and the use of internal models for more advanced financial institutions. Basel sets a minimum capital requirement of 8 percent for the banking book, but the differentiation of risk weightings prevented supervisors from noticing the growing degree of leverage in the financial system. For example, the Belgian bank Dexia, an early casualty of the crisis, had a Basel Tier 1 ratio of 11.4 percent in June 2008, but a core capital ratio of only 1.6 percent! In the context of the current crisis, a key weakness in the risk-weighting system of the Basel framework is the strong bias toward real estate. Capital charges for mortgage lending stand at half that applied to commercial loans and can go to 35 percent for residential mortgages. In response to the crisis, these core rules are not being fundamentally reconsidered, but rendered even more complex in a host of amendments. 
This was not changed by the G-20, which, at its last meeting in Pittsburgh, stated that Basel II should be implemented globally by 2011. Rather than going for a profound regulatory review, the G-20 re-affirmed its commitment to the Basel II framework, to be complemented when the economic recovery is assured by a leverage ratio, capital buffers, counter-cyclical provisioning and liquidity risk requirements.

Amendments under consideration


Maintain 5 percent for securitization or "skin in the game." A first proposal to amend the Basel directive has been under discussion since June 2008. It requires banks in credit risk transfer products to hold at least 5 percent (initially 10 percent) of the securitization issuance to provide the right incentives in originate-and-distribute activities. This amendment is counterproductive, as it undermines securitization and forces banks to increase their balance sheets, whereas they should be reduced. Provisions of MiFID (Markets in Financial Instruments Directive) could address conflicts of interest in securitization activities. Additional elements of the amendments, which were adopted by the EU in April 2009, include tighter rules for large exposures and rules on special hybrid capital items.

Additional rules on executive compensation. A consultation was launched at the end of April 2009, following the agreement reached at the G-20 Summit, introducing the obligation for credit institutions and investment firms to establish and maintain remuneration policies and practices that are consistent with effective risk management. Generally speaking, remuneration should not encourage excessive risk-taking and should be in line with the long-term objectives of the firm. Payment of bonuses should be deferred. Excessive remuneration packages can lead to extra capital charges. In our view, such rules can be easily circumvented and are thus impossible to enforce.

Increased capital requirements for the trading book and higher capital charges for certain securitization positions. Specific risk-capital requirements for all net positions in the trading book would be set at 8 percent of the relevant banking book risk weight. Resecuritization exposures should be completely deducted from capital, rather than be risk-weighted.

Dynamic provisioning. Not yet formally proposed but under discussion for quite some time is a requirement for banks to establish extra capital buffers in good years, which could be used in bad years. The size of the buffer would be calculated as a percentage of the total outstanding loans, as is currently practiced in Spain. The July 2009 Council of Finance Ministers meeting urged the European Commission to come forward with proposals on the subject.

Special liquidity requirements. Also not yet formally proposed, but under consideration by regulators, are harmonized liquidity requirements for EU-based banks. Liquidity is not regulated at the EU level, but is left to the member states, which use qualitative or quantitative requirements, or a mixture of both. These requirements were also imposed without distinguishing between branches and subsidiaries of host-country financial institutions.

A true paradigm shift?

The pillars of Basel II could be kept: capital requirements, supervisory review and market disclosure. But the risk-weighting system and the use of internal models should be scrapped in favor of a simple, transparent capital requirement. Moreover, the balance between the various pillars needs to be strengthened. Market disclosure is not taken seriously enough in Europe, as the debate surrounding stress tests demonstrates. In addition, external risk audits should be performed by external firms and submitted to supervisors, and then disclosed in an annex to the annual report. As banks' risk management practices left much to be desired, an external assessment by specialized firms of these internal controls and procedures would be a useful addition to the control by supervisory authorities.

Other elements indicating a paradigm shift would be the introduction of a narrow banking system, or the application of a safety net, with depositor protection to a limited part of the banking system. Everything falling outside would be subject to pure, free market forces. In addition, to avoid too-big-to-fail and domino effects, strict anti-trust and competition policy rules would be imposed. More interesting proposals for fundamental reform of the capital adequacy system could be conceived, but to our knowledge, they have not surfaced. Given the depth of the financial crisis and the huge policy failures, more new thinking should be devoted to the future of prudential regulation.

BIO

Karel Lannoo is Chief Executive Officer of the Centre for European Policy Studies. CEPS is one of the leading independent European think tanks, with a strong reputation in economic and foreign policy research. Lannoo's areas of expertise include the European Monetary Union, banking and financial markets, financial market regulation, corporate governance, retail finance and consumer credit, and EU business policies. He has published books and articles in specialized magazines and journals on EU, financial regulation and corporate governance. Lannoo has also spoken at several European Parliament and European Commission hearings and participated in studies for national and international bodies (EU institutions, OECD, ADB, World Bank).


XBRL: eXtensible business reporting language


The new language for risk reporting

In a fast-changing discipline like enterprise risk management, half the challenge stems from the tactical need to ensure all stakeholders are able to share information using a common language and pre-defined terms. The fact is, reporting in financial services risk management circles has largely been characterized by a mixture of incompatible formats, vocabularies, definitions and formulas. There is little agreement on terms and what they mean.

Today, companies need a single global standard for measuring, predicting and communicating the various components of enterprise risk and reporting loss events to regulators. Implemented properly, that standard could lead to better-defined data that can be aggregated, trended and analyzed for better risk forecasting, creating a more robust insurance market and enabling some companies to remove certain risks from the balance sheets.

Increasingly, risk experts are pointing to extensible business reporting language (XBRL). XBRL is an emerging XML-based standard to define and exchange business and financial performance information. It provides a standards-based way to communicate business and financial performance data using metadata set out in taxonomies. These taxonomies capture the definitions of individual reporting elements as well as the interrelationships of the elements. Recently, IBM proposed creating an XBRL taxonomy targeted at risk management that would standardize risk assessments and loss reporting and give regulators the risk pulse of a financial system.

XBRL and COREP


XBRL adoption has been slower in the US, although it has been pushed by both the IRS and the SEC. Since Europe has such a diverse range of reporting entities, pan-European regulators have embraced XBRL more emphatically. For instance, it has been widely adopted in many European countries, thanks to the aggressive promotion of the Central European Banking Committee and its Common Reporting (COREP) standard. All financial services companies in countries where COREP has been adopted must report in COREP and, increasingly, regulators in various countries are calling for their companies to use XBRL in their filings. Essentially, the COREP reports have become a set of XBRL taxonomies.

SAS solutions for risk management can address XBRL COREP reporting. SAS performs all of the calculations that a company may require using standard definitions and the company's internal terms, definitions and formulas. The SAS XBRL COREP engine is based on a set of configurable metadata to map the actual company data to the XBRL definitions. It allows the institution to report COREP templates directly in XBRL format. From this point of view, the XBRL format is analogous to PDF or Excel formats. Once the metadata is defined, the XBRL engine produces the final instance files and the company needs only to check those with internal validation tools.

It is worth noting that CEBS (Committee of European Banking Supervisors) issued the standard COREP formats, leaving each country regulator to extend these base taxonomies to include specific information such as local labels and more detailed data about some facts. The XBRL engine can manage these country-specific extensions as well. Our consulting teams in Europe have done exactly that for SAS customers. For instance, for a major bank in Finland, SAS managed taxonomy extensions that enable it to produce more data. All that was required: a few changes to the metadata. The same strategy would also enable a US-based bank to issue COREP reports to European regulators simply by adopting the appropriate XBRL taxonomy.

Increase speed, reduce cost

XBRL can enable new levels of speed and sophistication in all areas of business reporting and analysis, especially risk management. Those benefits occur in the ability to automate and accelerate challenging reporting processes, reduce costs, improve accuracy and reliability, and enhance the overall analysis and decision-making processes with respect to risk issues. With XBRL and appropriate taxonomies, producers and consumers of financial data can shift their resources from time- and cost-intensive manual processes to focus on analysis using software that can validate and manipulate XBRL information. For instance, searches for particular data that might have previously taken hours can be completed instantly using XBRL.

Despite the enormous potential that XBRL offers to facilitate apples-to-apples comparisons, a truly global effort is required to generate the necessary momentum to implement this standard. There must be a concerted and sustained effort to define what the metrics are, how to calculate them and what dimensions are used for those metrics. Once the schema is complete and approved, there must be an international regulatory body to enforce the use of XBRL and associated taxonomies. Once in place, all stakeholders will be in a better position to generate the same risk reports and improve their ability to manage, regulate and, hopefully, reduce risk exposures.

BIO Ivano Dei Giudici is an Enterprise Data Warehousing and Reporting Technical Advisor, and a Risk Management and SAS Solutions Architect for the financial services sector. He's based in Italy and specializes in projects for Italian and European banks. Ivano.DeiGiudici@ita.sas.com

XBRL defined
XBRL is a language for the electronic communication of business and financial data. It is revolutionizing business reporting around the world. XBRL provides major benefits in the preparation, analysis and communication of business information, and offers cost savings, greater efficiency, and improved accuracy and reliability to all those involved in supplying or using financial data. XBRL stands for eXtensible Business Reporting Language. It is one of a family of XML languages that is becoming a standard means of communicating information between businesses and on the Internet. XBRL is being developed by an international nonprofit consortium of approximately 450 major companies, organizations and government agencies. It is an open standard, free of license fees. XBRL is already being put to practical use in a number of countries, and implementations of XBRL are growing rapidly around the world. - Source: XBRL International


Shaping Europe's regulatory framework


Balancing growth and risk to ensure future financial security

To say that the current economic and financial crisis is a decisive and testing time for the European single market is an understatement. Since the crisis broke in late 2008, the institutions of the European Union (EU) in Brussels have lost little time in developing measures to restore confidence to the financial markets and reassure EU citizens and businesses alike. The European financial services industry has witnessed a relentless stream of draft legislation from the European Commission (EC) and European Parliament introducing greatly strengthened and rigorously applicable regulations covering not only the financial markets but also the key market actors.

Safety-first approach to reform


No sector of the financial services industry has remained immune to new regulation, whether it is banking, securities or insurance. The list of existing and pending legislation is lengthy, and it is not finished. The efforts by the EU institutions to deliver responsible and reliable financial markets for the future, largely in cooperation with the financial services industry, represent, at best, a work in progress. Here are some of the highlights of the EU's safety-first approach to reform of financial regulation since early 2009.

Capital requirements directive

The Capital Requirements Directive (CRD) was originally devised to establish uniform capital requirements for both banking firms and nonbank securities firms. It established the amount that a firm must have on hand in order to cover risk and protect its depositors. In May 2008, the European Parliament voted on part of the CRD, which required originators (financial institutions) to retain 5 percent of securitized products before selling them on the market. The revision tightens the definitions of core capital, limits the amount of short-term exposure banks can have to one another (maximum: 25 percent), introduces colleges for supervision of groups and places controls on the securitization process.

Members of the European Parliament also called upon the EC to introduce legislative proposals to regulate the over-the-counter (OTC) derivatives market. The EC aims to improve the transparency and standardization of OTC products and introduce a centralized counterparty clearing system, backed by pan-EU supervision. Separately, the EC is expected to produce a legislative proposal on derivatives and other complex structured products from a capital requirements perspective.

Credit rating agencies

The European Parliament adopted a regulation in April 2009 mandating registration and supervision of credit rating agencies. Essentially, this law also prohibits Credit Rating Agencies (CRAs) from providing advisory services and allows them to rate financial instruments only if they have sufficient quality information on which to base their ratings. It requires CRAs to disclose the models, methodologies and key assumptions on which they base their ratings, publish an annual transparency report and appoint at least three independent directors on their board to oversee the impartiality and quality of the work.

Hedge funds and private equity


The EC has proposed a directive regulating the alternative investment fund manager (AIFM), which is expected to be approved, with amendments, in the fall of 2009. The draft law requires AIFMs to be registered with the financial regulator in their jurisdictions and to demonstrate that they are suitably qualified and can provide proof of the valuations and safe-keeping of assets. Minimum levels of capital will be imposed, together with annual disclosure on the investment strategy and objectives. The directive only applies to those AIFMs managing a portfolio of more than 100 million euros. A higher threshold of 500 million euros applies to AIFMs not using leverage (and having a five-year lock-in period for their investors), as they are not regarded as posing a systemic risk. A threshold of 100 million euros implies that roughly 30 percent of hedge fund managers, managing almost 90 percent of EU-domiciled hedge fund assets, would be covered by the directive.

Solvency II

A comprehensive law passed by the European Parliament requires insurance firms to conduct market-consistent valuations of their assets and liabilities annually and adhere to capital requirements based on the underlying risks as opposed to volume of business. It also stipulates that insurance groups recognize the importance of risk management in running their business by assessing the types of risk to which they are exposed and managing those risks more effectively through the establishment of risk management systems, processes and controls.

A last-minute carve-out was negotiated deferring the need for a pan-EU supervisory structure for large cross-border insurance groups. Insurance firms will continue to have their capital assessed on a country-by-country subsidiary level.

Results of de Larosière

The de Larosière group, named after its chairman Jacques de Larosière, was commissioned by the EC president in Oct. 2008 to develop a plan including a new regulatory agenda, stronger coordinated supervision and effective crisis management procedures. The group produced the de Larosière report. It included a framework of supervision for the EU financial institutions and markets that would strengthen European cooperation related to financial stability and oversight, early warning and crisis mechanisms, and cooperation with global players. Several high-level regulatory issues arose as a result of the de Larosière report.

A European systemic risk council

A systemic risk council, chaired by the European Central Bank but encompassing representatives from central banks and the European Commission, will monitor cross-border macro-prudential issues and put in place an early risk warning mechanism. The EC is expected to act on this in June with a crisis prevention white paper discussing tools for early intervention to prevent a crisis.

A European system of financial supervision

The future system will comprise a decentralized structure with national regulators overseeing individual financial institutions. This will strengthen the powers of the three coordinating bodies at the EU level for banking, insurance and securities (CEBS, CESR and CEIOPS).

Future legislature and initiatives

The EU financial market landscape will be subject to increased oversight by international colleges of supervisors for large cross-border financial groups, but with greater attention paid to banks' internal risk management. One aspect of the new supervisory structure, with greater emphasis on information-sharing between national supervisors and much welcomed by member states, is the need to establish a far more consistent set of cross-border supervisory rules to avoid divergent interpretation of directives, reduce gold plating and promote prompt transposition of directives at the national level. All of this will be accompanied by a fundamental review of Basel II, gradual increase to capital requirements and an introduction of stricter rules for off-balance sheet items.

Prudential capital

Legislative proposals will be introduced to increase the quality and quantity of trading-book activities, tackle complex securitization, and address liquidity risk and excessive leverage.

Updating MiFID and market abuse directives

The Markets in Financial Instruments Directive (MiFID) review will embrace provisions affecting exchanges, including business codes related to investment banks, dealers and brokers; client categorization requirements; best execution requirements; and trade transaction reporting. The Market Abuse Directive review will include revisions such as expanding the scope of the rules covering share, commodity and energy dealers; widening controls covering the new trading platforms and nontraditional stock exchanges; and extending rules to cover certain types of derivatives.

Retail investment products

The EC Communication on Retail Investment Products is expected to aim at improving citizens' accessibility to long-term savings products, access to credit and rights to financial products. An important dimension will be the need for wider protection of investors and financial consumers: Further measures will be proposed to reinforce bank depositor, investor and insurance policyholder protection, as well as the effectiveness of marketing safeguards. Measures are also being drafted to ensure responsible lending and borrowing, all of which are due in autumn 2009.

Conclusion

The impact of these legislative changes on the financial services industry (banking, insurance and securities) can be best encapsulated in two key features: actively managing risk and prompt tracking of regulatory changes. Both factors are fundamental to compliance and increasingly enforceable on a cross-border scale in Europe. Avoiding asymmetrical risk assessment across frontiers, while identifying timely opportunities for growth, means that financial service companies need to review and update their information and communication technology processes and techniques to effectively monitor emerging EU regulatory measures to bring their governance, risk and compliance programs in line. Assessing and managing risks in this environment with the right business analytics is no longer a luxury and cannot be left until economic recovery takes place.

BIO David Doyle, PhD, is a Senior Policy Adviser with Brunswick Group, Brussels, specializing in European Union (EU) financial services. He joined Brunswick in 2009 as a seasoned lobbyist and public affairs expert in the EU financial services environment, operating between Brussels, Paris and London. Doyle is a former diplomat with more than 20 years of service spanning bilateral and multilateral postings on mainland Europe. He is a member of the joint Members of the European Parliament-EU industry body The Kangaroo Group and is active in the TABD Taskforce on Capital Markets. Online:

Get a head start on Solvency II compliance with SAS: Achieve Solvency ii Compliance with SAS (www.sas.com/sascom-riskbrochure). Effectively monitor risk across the enterprise with SAS for enterprise Risk Management (www.sas.com/sascom-enterpriserisk).


Staying the course

The current economic situation has altered many assumptions about business and markets. In driving corporate strategy, risk management involves much more than just a set of best practices and the transferring of risk. It involves clear identification of the risks accepted. Factors that are believed to drive risk and the data that are predictive of risk should be openly communicated, but this is not limited to a company's internal risks. As the economist Frank Wright said in 1921: "Profit is reward for taking risk." Companies should not only be selective in which risks they take, but also be willing to pounce when the opportunity presents itself. This involves tracking the risk position of competitors in order to understand competitive advantages.

Risk management is not an exercise in paranoia, but rather an approach to understanding uncertainty, exposures, opportunities and limits in order to make educated investments. It requires executive involvement, an emphasis on making data-driven decisions, open communication and the discipline to think through scenarios and ready responses. A great many of the winners coming out of the current economic crisis will be those that not only held a bit more cash, but had a bit more information than their competitors and were able to seize a window of opportunity.

These lessons show that risk management is really about the identification of key information and its use in the decision-making process. It is not about guidelines or the execution of conventional mathematical models. Preparing for the unknown requires having the best information, not the industry-accepted best practice. The risk management team belongs on the corporate strategy team, not on the phone with insurance brokers.
Excerpt from Fortune Favours the Well-Prepared (www.sas.com/sascomfortunefavours) by Russell Walker. Article originally published by Financial Times.

BIO

Russell Walker, PhD is the Assistant Director of the Zell Center for Risk Research at Kellogg. His expertise is in the application of analytics in business, with specific emphasis to marketing and risk management decisions. His research interests include how organizations deploy analytics, the use of information in enterprise risk management, managing strategic risk, and emergence of data creators in the post-Information Age.
