1

An “Inside” View of PRISM

A PRISM Primer for OthersCredit Union Summer School

May 23rd 2013

Justin McCarthy, Governance, Risk and Compliance Centrejmccarthy@ucc.ie http://ie.linkedin.com/in/justincmccarthy/

2

AgendaA Primer on PRMIA- What is PRISM?- Impact and Probability Risk are different…- Impact and how to understand it…- Probability Risk… how will it affect you?- Risk Mitigation and Engagement Tasks- Final Thought…- Questions and Answers

An important disclaimer“When I joined the Central Bank, I signed a confidentiality agreement... they very kindly gave me a copy of this when I left... and a gentle reminder of the consequences of breaking it. Everything in this presentation can be found in the Central Bank of Ireland's excellent PRISM Explained document. To prove this I have included quotes from the document where needed...all quotes are in italics and can be found in PRISM Explained...”

3

Justin McCarthyJustin McCarthy is based at University College Cork, Ireland. His work here is to help establish a publically funded centre for Governance, Risk and Compliance in the Financial Services industry. This work allows him to learn of many new risk initiatives, meet risk practitioners & thought leaders and to interact with staff and members from other Governance, Risk and Compliance bodies.

Justin has worked in risk roles in many firms, including Bank of America Merrill Lynch, PricewaterhouseCoopers and with the Irish Financial Regulator. This work has allowed him to see the changes in risk management since through and beyond the recent global financial crisis. His work on the PRISM risk based supervision framework with the Irish Regulator included exposure to banking, funds and insurance risk practices as well as the quantitative work done on the related impact models.

Recently he organised and chaired the 2012 GRC Summit Ireland which included speakers such as Bob Mark, Colin Lawrence from the FSA / BoE and William Mason, formerly of the Central Bank of Ireland. See videos at:http://www.youtube.com/channel/UCxauT65bYylpGWNFybX8N9g

He is the co-Regional Director of the Irish PRMIA Chapter and is the co-chair of the EMEA Regional Directors committee. He serves on several PRMIA working groups and sits on the PRMIA Education Committee and is the chair of the new C-Suite Committee.

He was on the planning committee of the PRMIA Global Event in New York in 2012 and helped facilitate the PRMIA case study at the recent FSA Risk Symposium in Cambridge, England. Justin has a BSc from University College Cork and an MBA from the Michael Smurfit Graduate School of Business at University College Dublin.

Justin McCarthy, Governance, Risk and Compliance Centre @ UCC, Ireland.

jmccarthy@ucc.ie

http://ie.linkedin.com/in/justincmccarthy/

http://grcjustin.blogspot.com

http://www.prmia.org

4

What is PRISM?

To quote “PRISM Explained”, PRISM makes it "easier for our supervisors to challenge the financial firms they regulate, judge the risks therein and take action to mitigate those risks".

In more detail:• 4 impact categories based on the size of the firm and the harm it would cause should it fail• The level of supervisory engagement is based on a firm’s impact category• Supervisors make judgements on probability risk categories, based on information gathered

through their engagement with the firm• Supervisors are supplied with Risk Guidance Material that aids in deciding the probability risk

category of a firm – e.g. Open Questions• Other material includes Key Risk Indicators, Memo Scores, Peer Group Reports and Central

Risk Scores• Risk Mitigation Programmes (RMPs) will be agreed for any probability risk category rated MH- or

greater

The PRISM system is a platform that assists supervisors in implementing this new risk based supervision approach…

The important thing here is "judgement" - quantitative or "black box systems were understood by few (and bitter experience indicates that even those few had limited understanding) and thus were not subject to adequate challenge".

5

Impact and Probability Risk are different…• Impact is increasing from Low (Left) through to

High (Right);• Impact is calculated using information received by

the Central Bank in items such as regulatory returns.

• These are "combined to calculate an impact score for each firm so that, for each sector, we have a list of all the firms in that sector ordered by impact. These lists were used to divide all regulated firms into four categories: high impact, medium-high impact, medium-low impact and low impact."

• Probability Risk is decided by the supervisors in the Central Bank• They have to make a judgement on the risk of a firm. "Supervisors

will form judgments on the risk probability posed by the firm in relation to each category. PRISM is a judgement- based system in that supervisors of higher impact firms will be required to make a conscious choice as to the riskiness of a firm at each level in each category.“

• Important note "our low impact firms, we aim to regulate to avoid sector-wide issues - such as widespread mis-selling by intermediaries - but there are circa ten thousand low impact firms and we will not seek to prevent individual failure. Rather, we will supervise these firms reactively - ensuring that an administrator or liquidator is appointed when they fail and that there is an orderly revocation of authorisation and winding-up in accordance with insolvency legislation"

6

Impact and how to understand it…• Impact metrics are covered in appendix C of

PRISM Explained• Let's keep this simple… a simple model is that

balance sheet size drives the impact of firms in a sector...

• The bigger your balance sheet, the higher your impact and thus the further to the right on the diagram your firm will fall.

• Driven by regulatory returns… the only convenient way to change the impact category of a firm is to do something like reducing the balance sheet size.

• You can influence Probability Risk... See next slide• The Central Bank did do a consultation on this impact approach - see CP49... if you didn't

comment then, then it may be too late...

7

Probability Risk… how will it affect you?• Supervisor in the Central Bank has to make a judgement on the probability risk of a

firm. "Supervisors will form judgments on the risk probability posed by the firm in relation to each category. PRISM is a judgement- based system in that supervisors of higher impact firms will be required to make a conscious choice as to the riskiness of a firm at each level in each category."

• "Overall Risk Rating" is the overall Probability Risk for a firm. • Driven by the categories below… the supervisor will review the firm for Credit Risk, Market Risk etc.• For each category there are sub categories, so for Credit Risk, the supervisor will record their

judgement on items such as the "Concentration of Credit Risk" for a firm.• Can be guided by Key Risk Indicators or KRIs - supervisor might look at the data for how

concentrated a firm is in it's lending to a certain set of customers or customer segment.

8

Impact and Probability Risk… A Review…

• Impact measures the cost or damage the failure of a firm would have to the economy. It is calculated from regulatory returns. 

• In the above firm A's failure would have more of an impact on the economy than firm B. In a simple model based on just balance sheet size, we would expect Firm A to have a larger balance sheet in Euro than firm B.

• The only way to move a firm between impact categories is to reduce the impact score. For Firm X to move to the same impact category as firm Y, it would have to do something like reduce it's balance sheet size.

• Probability Risk is based on the judgement of the supervisor as to the probability that a firm will fail.• In the above firm C has been judged to have a higher probability risk than firm B. This is based on

the judgement of the supervisor and not just data such as KRIs.• A firm can move between probability risk ratings by mitigating their risks and showing the supervisor

the results of this... they will then change their judgement of the probability risk of the firm and it will move to a lower overall probability risk rating.

• Thus firm X could move to a overall risk rating of firm Y by showing risk mitigation.

9

Engagement Tasks and Risk Mitigation• A firm is supervised based on their impact category – compare

a large firm with a multi-billion Euro balance sheet to one with a million Euro balance sheet.

• "Firms in each impact category will be supervised through the completion of engagement tasks. We will engage with all firms at a level that corresponds to their impact category; the higher the impact category, the higher the level of engagement.“

• Examples of these in Appendix A of PRISM Explained:

• What happens if you are judged to have a higher probability risk in one of the risk categories or sub categories

• "Any risk category which is probability rated as medium-high or high must be mitigated. If a supervisor rates a firm medium-high or high probability in any risk category, he or she will be prompted by the PRISM application to open a Risk Mitigation Programme (RMP) issue, explaining the nature of the risk. Having opened the issue, the supervisor will construct one or more outcome-focused actions to reduce the risk to an acceptable level by a given deadline."

10

Engagement Tasks and Risk Mitigation

Impact Category

Engagement Level

Assess Probability

Risk

Internal Quality Control

Risk Mitigation

Plan

Re-assess Firm

11

Closing Thought…

To quote Deputy Governor Elderfield at the launch speech for PRISMhttp://www.centralbank.ie/press-area/speeches/Pages/AddressbyDeputyGovernorMatthewElderfield.aspx in December 2011:"A further quality control mechanism built into the PRISM framework is giving firms a chance to comment on draft Risk Mitigation Programmes.  Once Risk Mitigation Programmes are written using the PRISM application, we plan to share them with firms in draft form, giving each firm ten working days to highlight factual inaccuracies, and, if it wishes, to propose alternative actions to mitigate unacceptable risks. 

Our plans to share drafts and listen to alternative risk mitigation suggestions are conditional on industry interacting appropriately.  We do not plan to soften our risk mitigation in response to feedback from firms that they are too demanding or too difficult.  We are introducing the sharing of draft Risk Mitigation Programmes on the basis that firms will react to them in an intelligent fashion, letting us know promptly when an issue is inaccurate but not seeking to deflect us from our desired outcome.  The final judgement on what must be done to mitigate unacceptable risks to financial stability and the consumer will remain with Central Bank supervisors. 

I believe in constructive dialogue and I believe in giving firms the chance to say how the outcomes we seek can be delivered in a better or more efficient way.  I also don’t believe that we are ever going to get every issue and every action right first time – hence my desire to trial this interaction with firms to help us quality assure our risk mitigation programmes.  I’d urge all firms to use this opportunity wisely."

12

An “Inside” View of PRISM

A PRISM Primer for OthersCredit Union Summer School

Questions and Answers?