FINA6065W: Corporate Risk Management

Session 3

ERM Process Cycle: Risk Identification

Agenda

Risk identification – Part 1

Risk identification – Part 2

Risk Identification – Part 1

Risk categorization and definition

Risk identification components

• Risk categorization and definition
• Qualitative risk assessment
• Emerging risk identification

5 common mistakes in risk identification

1) Not consistently defining risks by source

2) Not categorizing risks evenly

3) Not defining metrics clearly

4) Not identifying risks prospectively

5) Not gathering data appropriately

Risk categorization and definition

Handout: Summarized version of risk categorization and definition (RCD) tool

Applications
– Catalyst: during qualitative risk assessment, or QRA
– Collection and coordination: during QRA
– Monitoring: for emerging risk identification
– Reporting
– Comparative analysis
– Recording: risk event database

1) Define risks by source

Risks are commonly defined inconsistently, by both source and outcome

Which risks are defined by source and which by outcome?

Columns: By Source | By Outcome

• New competitor
• Supplier failure
• Technology failure
• Reputation damage
• Ratings downgrade
• New costly regulations
• Terrorist attack

Risks are commonly defined inconsistently, by both source and outcome

Columns: By Source | By Outcome

• New competitor: X
• Supplier failure: X
• Technology failure: X
• Reputation damage: X
• Ratings downgrade: X
• New costly regulations: X
• Terrorist attack: X

Many different sources of risk can cause reputation damage

• SOURCE: Poor Product Quality; Poor Customer Service; Internal Fraud or Scandal; Poor External Relations
• INTERMEDIATE: Negative Media Coverage; Reputation Damage
• OUTCOME: Lower Revenues; Higher Expenses; Lower Company Value; Higher Cost of Capital

Classic Crisis Management: Tylenol

Ratings downgrades can be triggered by several different risk sources

• SOURCE: Poor Strategy; Poor Execution; Poor Rating Agency Relations
• INTERMEDIATE: Ratings Downgrade
• OUTCOME: Lower Revenues; Higher Expenses; Lower Company Value; Higher Cost of Capital

Equity Market Risk?

• Commonly found on key risk lists
• Yet, not the source of risk, but an intermediate outcome
• True source of risk: Unexpected economic volatility, that drives multiple intermediate outcomes, such as
  – Equity market risk
  – Credit risk
  – Unexpected inflation or deflation
  – Unemployment
  – Unexpected changes in consumer spendable income

Economic Volatility is Often the Source of Equity Market and Other Risks

• SOURCE: Unexpected Economic Volatility
• INTERMEDIATE: Equity Market Risk; Credit Risk; Inflation/Deflation; Unemployment; Consumer Spendable Income
• OUTCOME: Lower Revenues; Higher Expenses; Lower Company Value; Higher Cost of Capital

Issues caused by inconsistent risk definitions are resolved when defining risks by source

Common Practice (Inconsistent Definition) vs. Best Practice (Consistent Def. by Source)

Qualitative Risk Assessment
– Common practice: Survey participants not all considering same risk source when scoring
– Best practice: Consistent understanding of each risk source by survey participants

Risk Quantification
– Common practice: 1. Difficulty identifying SMEs; 2. Difficulty imagining scenarios; 3. Incomplete scenarios
– Best practice: All resolved / scenarios flow logically from originating source

Risk Decision-making
– Common practice: Mitigation difficult to identify, because mitigation is mostly done at source of risk
– Best practice: Mitigation readily identified and evaluated: source and downstream impacts apparent

2) Categorize risks evenly

Categorize risks evenly to avoid difficulties

Level of abstraction: Too High
– Example: Talent management
– Difficulties: Poor qualitative risk assessment, since it obscures individual risks within category

Level of abstraction: Too Low
– Example: Low retention of mid-level staff in business segment X
– Difficulties: Causes some risks to be missed, since it may omit the overarching category and its other risks

Level of abstraction: Appropriate
– Example: Ability to recruit/retain; Succession planning; Labor relations; Etc.

Categorize the following risks by source

Event 1: Shop-and-Spend is in trouble. The stock market went down 25% and has remained there for the past year. Aside from the fact that Shop-and-Spend had 100% of their assets in equities, business is down. People are not shopping as much lately. The gloomy economic projections have not improved since the day they were announced by the government the morning of the market crash. People have less disposable income.


Event 2: Odd-Man-Out Auto Rental has been doing well in recent months, particularly versus its 5 main competitors in town. However, all 5 competitors have just entered into a price war, lowering their prices 50%, and Odd-Man-Out’s business has dropped off 25%. This is unsustainable, since it results in losses. But Odd-Man-Out must decide whether to lower prices or continue to lose business until prices return to normal.

Event 3: SteadyGrowth Bank is about to go under. For 80 years, it has steadily grown based on a business of lending exclusively to the businesses run by members of the 5 most powerful families in the area. Last month, it was revealed that one of the families had been defrauded of all their wealth and is now bankrupt, with no remaining collateral. The outstanding loans from that one family represent more than all the bank capital. (The risk to be categorized is from SteadyGrowth’s perspective.)

Event 4: SectorBet Entertainment has a quirky habit of making risky bets on market sectors, from time to time, but almost always wins. The CFO always gets nervous when the CIO takes these bets, and has warned of the massive concentration risk this involves. The bets usually consist of investing 50% of all of its assets in bonds issued by the top 3 players in a given industry sector. This year, the bet has been on drug companies heavily focused on one type of cancer, which just this week became irrelevant, due to an unexpected cure discovered by medical science. These drug companies are now having trouble issuing debt securities, and have had to raise the interest rate offered on their new issues. (The risk to be categorized is from SectorBet’s perspective.)


Event 5: UnGuard Delivery is located downtown adjacent to a federal building in a major U.S. city. Yesterday, a terrorist car bomb exploded just outside the federal building, completely destroying both the federal building and UnGuard’s headquarters. Virtually all of UnGuard’s top management, including its top 25 salespeople, were killed in the blast. It was unusual for such a concentration of key employees to be present at UnGuard’s headquarters, but they were hosting a special event in their largest meeting room, which was closest to the location of the bomb.

Event 6: Two weeks ago, TrustMe Energy, a highly secretive alternative energy company, revealed that it must restate its last two years' worth of financial statements. The restated financials will have significantly reduced profits. Shareholder litigation plans were announced this morning. Regulators are investigating. Competitors are moving to attack TrustMe’s partnering relationships. The Wall Street Journal has already had three front-page articles revealing increasingly embarrassing details of the fiasco, including sources at the SEC that report they have uncovered massive fraud by the CFO and CEO of TrustMe.

Chinese shoe company's CEO, COO, cash go missing

Quiz / Exercise #2

Quiz/Exercise #2 (GROUP): discussion within group; group gets one grade

Risk identification components

• Risk categorization and definition
• Qualitative risk assessment
• Emerging risk identification

We covered risk categorization and definition last session

5 common mistakes in risk identification

1) Not consistently defining risks by source

2) Not categorizing risks evenly

3) Not defining metrics clearly

4) Not identifying risks prospectively

5) Not gathering data appropriately

We covered 1 and 2 last session

Risk Identification – Part 2

Qualitative Risk Assessment

Qualitative risk assessment steps

1) Identify participants
2) Send advance communication
3) Conduct qualitative risk assessment survey
4) Conduct consensus meeting

Step 1: Identify participants

• Typically 2-3 dozen
• Members of C-suite (e.g., CEO, CFO, etc.)
• Heads of major business segments and one of their direct reports
• Executive risk owners (e.g., head of I/T, head of HR, head of legal, etc.)
• A couple of independent directors
• A couple of valued employees with long service

Table 4.3

Step 2: Advance communication partly to prepare survey participants

• Inputs needed from survey participants
  – Type of key risks (e.g., large impact to company value)
  – Number of key risks to provide (e.g., three to five)
  – Credible worst-case scenario for each key risk
  – Likelihood/severity scores for each key risk they identify and for those identified by other participants
• ERM background
  – Describe framework; define risk by source and as deviation from baseline strategic plan projection; etc.
• Risks to consider (e.g., those in RCD tool)
• Definition of metrics

3) Define metrics clearly

Typical Frequency-Severity Scoring Guide for Qualitative Risk Assessment

• Score 5. Frequency: Very high, 1-in-5 or greater chance of occurring. Severity: > $100M
• Score 4. Frequency: High, 1-in-10 chance of occurring. Severity: $50M - $100M
• Score 3. Frequency: Moderate, 1-in-20 chance of occurring. Severity: $25M - $50M
• Score 2. Frequency: Low, 1-in-50 chance of occurring. Severity: $10M - $25M
• Score 1. Frequency: Very low, 1-in-100 or less chance of occurring. Severity: < $10M

Clearly defining frequency and severity avoids sub-par results due to inconsistent scoring

Common Practice vs. Best Practice

Frequency
– Common practice: No guidance on risk scenario (Armageddon? Most likely scenario?); participants are all scoring different risk scenarios
– Best practice: Focus on credible worst case scenario; participants are all scoring a similar risk scenario

Severity
– Common practice: No clear definition of metric (Earnings hit? One time or cumulative? Hit to market capitalization? Other?)
– Best practice: Single, consistent metric that captures all impacts: Δvalue; provide brief tutorial to give feel of enterprise value metric

For example, a $10 million impact on … what metric? Table 4.5 or Table 4.6 Time Horizon?

[Figure: Credible Worst Case Scenario (labels: Severity, Likelihood, Credible Worst Case)]

Step 3: Conduct qualitative risk assessment surveys

• Reiterate key points in advance communication
• For each potential key risk, gather:
  – Description of risk
  – Credible worst-case scenario
  – Frequency score
  – Severity score
• Keep participant on track regarding identifying:
  – Only key risks, and
  – Risks defined by source
• Accumulate list of potential key risks, asking each subsequent participant to score any risks not identified by them
• Return to prior participants to gather their scores on risks identified subsequent to their interview

4) Identify risks prospectively


Identify risks prospectively to avoid the “fighting the last battle” syndrome

• Diagnosis: “Fighting the Last Battle” Syndrome
• Cause: Over-emphasis in risk identification process of past events
• Symptom: Some risks on key risk list merely because of a recent past event burned into management’s memory
• Prognosis:
  – Qualitative risk assessment scoring will be skewed, over-emphasizing risks with recent occurrences
  – Some risks that should be on the radar may be crowded out

• Morgan Stanley Settles Gender Discrimination Case for US$54 Million;

• Countryfile's Miriam O'Reilly wins BBC ageism claim

5) Gather data appropriately

The right data, at the right time, in the right way

Common Practice vs. Best Practice

What data?
– Common practice: Frequency score; severity score; additional data (historical experience data; mitigation in place/planned; etc.)
– Best practice: Frequency score; severity score (only purpose: identify key risks)

When?
– Common practice: Additional data: during risk identification phase (too early), and for all risks
– Best practice: Selected additional data: during risk quantification (when needed), and only for key risks

How?
– Common practice: Templates (not well-received; inconsistent time and efforts; difficult to correct errors; less confidential)
– Best practice: Interviews (well-received; consistent time and effort; easy to fix errors; more confidential)

Table 4.7 Example of Larger-Than-Necessary Data Request

Step 4: Conduct consensus meeting

• Discuss any widely divergent views and arrive at a consensus
  – Define risk-ranking criteria (Table 4.10)
  – Rank the risks
  – Dispersion analysis: bimodal and highly disparate
• Select key risks from among the potential key risk data set produced

Figure 4.7 Example of Selecting Key Risks

Table 4.11 Example of Key Risk List

QRA’s 3 results:
• Key risk list
• Tool to monitor
• Advancement of risk culture

Emerging Risk Identification

Emerging risk identification

• Monitoring known risks
  – Use non-key risks identified in qualitative risk assessment
• Environmental scanning for unknown risks
  – Critical to set expectations with principles
    o ERM cannot prevent risks from occurring
    o ERM cannot foresee the unforeseeable
    o Events will occur that are unexpected and that are not on the key risk list
  – Techniques
    o Attend industry conferences
    o Research industry journals
    o Serve on industry committees
    o Conduct comparative analysis of competitors’ disclosed risks
    o Read ERM surveys
    o Make other investments in information / intelligence gathering
    o Ivory Tower may not be just…

Killer risks

Share three qualities:
1) Politically difficult to introduce
2) Easily identifiable
3) A leading indicator of high-severity risk events

• Arrogance (AIG example)
  – Less focus on competitors, market trends
  – Overestimation of strengths
  – Underestimation of vulnerabilities
• Concentration of power / information
  – Less transparency / accountability
  – Lack of negotiating leverage
  – Lack of backup resources
  – Examples: rainmaker (AIG and more example); mastermind (CFO example); critical supplier; large customer; large distributor
• Possible Risk Mitigation

Killer risks – Arrogance is a Leading Indicator of Failure

[Figure: Success plotted against Time; labels: Struggle, Compete, Excel, Dominate, Arrogance, Failure; annotation: "Wake-up call?"]

Quiz/Exercise 3a and 3b

Each group further divides into subgroups I and D

EXERCISE 3a – PAIRS
– Subgroup I as interviewers; Subgroup D as directors (strategic RM experts).

EXERCISE 3b – PAIRS
– Subgroup D as interviewers; Subgroup I as directors (operational RM expert).

READ INSTRUCTIONS FOR BOTH 3A AND 3B BEFORE STARTING EITHER EXERCISE

[In 3a, 3-4 students of a group work in the subgroup and serve in the interviewer role and the others in the director role; and in 3b, they switch roles.]

Rainmakers

Orange County bankruptcy (1994): Robert Citron

Barings Bank (1995): Nick Leeson

Sumitomo Corporation (1996): Yasuo Hamanaka

LTCM (1998): John Meriwether; Merton Miller, Myron Scholes

Allied Irish Banks (2002): John Rusnak

Amaranth Advisors hedge fund (2006): Brian Hunter

Societe Generale $7.2B trading loss (2008): Jérôme Kerviel

UBS $2.3B trading loss (2011): Kweku Adoboli

JP Morgan Chase $6.2B trading loss (2012): Bruno Iksil