Erwin Boeren ERWIN.BOEREN@NL.IBM.COM | Tags: risk operational grc compliance ibm solvency openpages governance
Solvency II and the need for Operational Risk
Blog post from Erwin Boeren, Governance Risk &
Richard Steinberg firstname.lastname@example.org | Tags: risk_management
We know that senior executives, especially chief executive officers, look to drive their organizations’ growth initiatives. Many are hard-driving, proactive, and intently focused on doing what is needed to carry out strategic plans. Optimism is a typical trait, which can be contagious in getting others in the organization to work in sync towards established goals. This is what CEOs are charged to do, and a key reason why those who do it successfully get the big bucks.
With that said, experience shows that many CEOs are not sufficiently attentive to what can go wrong – that is, what future events could keep their organizations from successfully carrying out the established initiatives. Of course many CEOs and their C-suite teams do focus on such risks, and their organizations benefit from doing so. One such company is Mazor Robotics, a medical technology company based in Israel, whose CEO Ori Hadomi recently was interviewed. He makes a number of interesting observations, one of which is especially insightful – describing risk management in a particularly understandable and compelling way. He associates risk management with ensuring there’s a devil’s advocate involved in key decision-making.
He says: “One of the most obvious mistakes we found is that too often we choose to believe in an optimistic scenario — we think too positively. Positive thinking is important to a certain extent when you want to motivate people, when you want to show them possibilities for the future. But it’s very dangerous when you plan based on that. So one of our takeaways from that was to appoint one of the executive members as a devil’s advocate.” Hadomi expands on how that works, emphasizing that the assigned executive knows the right questions, and asks them in challenging assumptions and pointing out a need to be “more humble with our assumptions.” Hadomi notes that the most surprising thing is that this devil’s advocate is the V.P. of sales for international markets: “You would expect the V.P. of sales to be pie-in-the-sky all the time. But he has a very strong, critical way of thinking, and it is so constructive,” adding that one of the pitfalls of leadership is “thinking too positively when you plan and set expectations.”
I’ve worked with many large companies, and certainly smaller company executives learn from them. But the reverse also is true. In this case, the CEO of Mazor Robotics provides useful insight into how risk management can be effectively conceptualized and applied. Of course, there’s much more to risk management, including capturing the identified risks, analyzing them, and managing them with accountability for needed actions, follow up, etc. But the concept of a devil’s advocate is powerful, especially for executives who may be struggling with what risk management is about.
Richard Steinberg email@example.com | Tags: grc risk_management
We know that MF Global, the firm run by Jon S. Corzine, recently imploded under the weight of bad bets and huge leverage. Reports say that Corzine, former U.S. Senator, Governor of New Jersey, and co-head of Goldman Sachs, did at MF Global what he did at GS – and that’s take large risks in trading. How, one could ask, could it have turned out so wrong?
Effective risk management processes have at their core identifying, analyzing and managing risks. It will be a while before we know all the details of MF Global’s risk management process, but it appears to have worked reasonably well. Wait, what – is that a misprint? Probably not.
Based on reports, Corzine knew the risks he was taking. Basically, he bet that the European leaders would act in a way to alleviate the sovereign debt crisis. He put over $6 billion of the firm’s money at risk, which with the associated leverage put the firm’s existence at risk. And the firm’s risk officers also knew, and they seemed to have done what they were supposed to – they brought the matter to the board of directors. Reports say a senior risk officer described the situation and the risks to the board, with Corzine present. The risk officer pointed out not only the nature and size of the risks, but also that risks included both potential defaults on the sovereign debt and the bonds losing sufficient value to cause a liquidity crisis at the firm. The directors listened, and decided to approve what Corzine was doing.
Now, we weren’t in the room with the directors, or inside their heads, so we don’t know whether they made a thoughtful and rational business judgment, or whether they rolled over under Corzine’s undue influence. If the latter, then they failed in their job. But if the former, then they determined that they and the firm had a risk appetite large enough to “bet the ranch.”
So, whether this is a failure of risk management will be decided as the investigations continue and more facts emerge. And of course the missing “segregated” client funds is another matter, likely centered on specific internal controls over that money and what control activities might have been overridden by more senior executives. Also at issue is whether regulators did their job effectively. It will be interesting, indeed, to learn more, as no doubt we will as the investigations unfold.
You may have heard the news about an SAT cheating scandal, where students were accused of accepting payments or paying others to take the test for them. It seems to have started at Great Neck North High School on Long Island, New York, which I happen to know well – it’s where I went to high school, which has a proud heritage of being regularly rated among the top high schools in the nation, with a high percentage of graduates going on to top colleges. Rumors of the cheating are reported to have sounded alarms with the school principal, who did the right thing in reporting to the proper authorities.
What’s relevant from a risk management and control perspective is what the College Board, which owns the SAT, and the Educational Testing Service (ETS), which administers the tests, have done. Based on reports, prosecutors relayed that the first thing ETS said was that there’s no problem – the cheating was an “isolated incident,” and the SAT is “secure.” At a state senate meeting, where legislators and school officials accused both the College Board and ETS of having lax security and a system that failed to punish cheats, ETS said if cheating is discovered the score is cancelled, and the student can get a fee refund and retake the test – that’s it! No one, not the high school nor any college, is notified. ETS claimed that state law prohibits it from releasing information about cheating, but prosecutors say that’s just not so. ETS’s approach of downplaying the problem is all the more surprising in light of past problems. Media reports speak to extensive incorrect scoring of tests and losing test results in England in 2008, with the UK Parliament calling their operation a “shambles.” And going back to 1983, cheating was suspected in California.
We can learn lessons from what’s happened here. Importantly, as with ETS, this isn’t the first time the College Board has had a serious problem with the SAT. Regular readers of this blog may remember my posting of a year ago that highlighted what the College Board did when it learned of problems with incorrect scoring of test results. At that time the president said, to the dismay of many, that it wasn’t necessary to look back to see what caused the incorrect scoring – that it would take too long, and in any event it was sufficient only to re-score the test results. There was no interest in looking at the risks related to incorrect scoring and determining how they could be managed going forward! There was no attempt at risk identification, analysis and mitigation to deal with potential future problems; rather, it was like putting the organization’s collective head in the sand. Well, maybe the College Board has learned something – when this cheating scandal broke, the College Board president said it has hired a former FBI director to investigate security matters.
There’s little doubt that for both the College Board and ETS their reputations and indeed survival may well depend on academic communities having confidence in their ability to identify in advance what could go wrong, and take prudent actions to proactively prevent problems – to ensure the test results are those of the identified students and accurately reflect their performance. Anything less is unacceptable. And those organizations must fully understand that reputations are intertwined. Although the College Board outsources SAT test administration to ETS, that of course doesn’t mean it removes responsibility, certainly not in the eyes of the marketplace. It doesn’t work that way. It’s critical that these organizations get their risk management and crisis management right, with an appropriate level of coordination.
Erwin Boeren ERWIN.BOEREN@NL.IBM.COM | Tags: openpages grc ipad solvency reporting
With Cognos 10.1.1 released you must have noticed the ability to have your reports and dashboards on mobile devices like iPad and iPhone.
With these mobile capabilities CROs (Chief Risk Officers) will now have the ability to measure risk from their mobile devices. For volatile risk areas like Market and Credit Risk this can make a huge difference.
IBM developed a risk monitoring system for CROs where one single version of the truth is provided of different risk areas like Credit Risk, Market Risk, Counterparty Credit Risk, Liquidity Risk, Basel II, Solvency II and Operational Risk. Not only does a CRO have the ability to monitor all these risk areas but he can also monitor the correlation between those risk areas and he is able to respond immediately to changes. Responses can immediately be formulated in the integrated social media platform.
One version of the truth and guaranteed quality of your data is simple to say, but how do you govern this? This is where IBM's investment in data models starts to pay off. For decades IBM has developed and maintained data models for financial services, including out-of-the-box technical and business definitions. This enables organizations to come to one definition of risk over the entire organization. Taking definitions centrally will add value in the process of taking down the siloed approach we spoke about in earlier articles. It will also help you in the accountability process of the business. Finally, it is the business that should own the business definitions.
As discussed in our previously published blog (The convergence of GRC and Performance Management), Business Analytics capabilities like risk forecasting, risk adjusted profitability calculations, scenario planning and predictive risk analysis are part of this risk monitoring system called FIRM (Finance Integrated Risk Management).
The new regulation for insurance companies, Solvency II, requires organizations to plan their risk assessments and capital requirements 2 to 5 years ahead and to reflect impact on financial positions when a risk materializes. All this means that an integrated approach to risk management is a must. In upcoming blogs we will go deeper into the Solvency II regulation.
Erwin Boeren ERWIN.BOEREN@NL.IBM.COM | Tags: analytics grc busness management openpages ibm erwin boeren performance risk
Last year IBM acquired OpenPages as a strategic move into the area of Governance, Risk and Compliance. The latest announcement to acquire Algorithmics (quantitative risk management) shows the continuous commitment of IBM in the GRC market. GRC software will integrate into the Business Analytics Software group, the area where the former acquisitions like Cognos, SPSS and Clarity Systems already reside.
Now that Risk Management is evolving, more and more organizations are starting an enterprise approach to risk management. And this is where I see the need for Risk and Performance Management convergence.
In past Risk Management implementations I see that a major portion of time and budget was spent on Risk Reporting and Dashboarding. Especially the need for self-service reporting, where users can create their own risk reports ad hoc, is growing. We do not want to wait in the queue for our report to be created. Two days later you have missed the opportunity to respond and the loss is there.
With this self service capability the question automatically pops up 'can I trust my data'. And now we are back in the area of data governance. This is exactly where the area of Performance Management is today.
Apart from these reporting and dashboarding capabilities Enterprise Risk Management means alignment of risks and controls to the strategic initiatives of the organization. What will prevent me from reaching my business goals? Isn't this defined as a risk? And how will we prevent this from happening? Wasn't that defined as a control?
Even more interesting are questions like, 'What if I was able to perform risk scenario planning?', 'What if I could predict risks from happening?' or 'What is the correlation between the risks that have materialized?'.
And there is the proof that Risk Management and Performance Management have lots in common and should be integrated. Let's call it Business Analytics.
Governance, Risk & Compliance Leader
IBM IOT Southwest Europe
John Kelly firstname.lastname@example.org | Tags: grc enterprise operational risk
This week I had the pleasure (aside from the Sunday morning flight) of attending the RMA Annual Risk Management Conference in Washington, DC. Based on the standing room only crowd (even in the second repeat session), I’d have to say one of the most popular topics was “Developing a Risk Appetite” delivered by Bill Perotti of Frost Bank and Bob Rose of Brookline Bank. The duo defined Risk Appetite as “the amount of risk you will take in pursuit of a desired financial return”, which makes sense, but an effective risk appetite exercise, the presenters emphasized, really needs to be taken to the next level to reflect risk tolerance in all key areas of enterprise risk management (operational risk, credit risk, reputation risk, compliance risk, liquidity risk, sustainability, etc.).
Several examples were provided for how to develop a risk appetite statement for each of these key areas. One example included Operational risk and provided an example of how to create a risk appetite statement:
Operational Risk Appetite example:
We are committed to implementing practices and controls that will minimize financial losses from failures of systems, people and processes.
Quantitative measure examples:
Most importantly, risk appetite statements should reflect your company’s mission statement and values. Benefits outlined in the session included:
Of course the direction and communication on risk appetite needs to start at the top with the board of directors and CEO and be communicated and demonstrated throughout the organization. Looking forward to more informative sessions.
If you’re into playing poker or watching it on TV, you probably know the name Full Tilt Poker – the web site for playing Texas hold ’em and presumably other poker games. You may know of Howard “The Professor” Lederer and Chris “Jesus” Ferguson and have seen them on TV wearing Full Tilt Poker hats. On-line players put real money into supposedly secure accounts to use as they gambled on line on this company’s and other off shore web sites. One analyst estimates U.S. players alone bet $14 billion each year in on-line poker.
The name is Kweku Adoboli, and you’ll be hearing a lot more about him. He works – or rather, worked – at UBS, Switzerland’s largest bank. He graduated from the well-regarded University of Nottingham, and moved up at UBS. What did he do? Well, UBS executives say he engaged in unauthorized investment trades, and cost the bank $2 billion! We’re no longer talking in terms of millions, or even hundreds of millions – but billions of dollars – enough to wipe out the bank’s profit for the entire quarter and send its stock price tumbling.
Two recent events involving hurricanes provide insight into what risk management is about. Many of us who live on the east coast of the U.S. know all too well the damage wrought by Irene. And many in Florida are dealing with damage to the University of Miami “Hurricanes” football team.