Financial Enterprise Risk Management
Second Edition
This comprehensive, yet accessible, guide to enterprise risk management for financial institutions
contains all the tools needed to build and maintain an ERM framework. It discusses the internal and
external contexts within which risk management must be carried out, and it covers a range of
qualitative and quantitative techniques that can be used to identify, model and measure risks.
This new edition has been thoroughly updated to reflect new legislation and the creation of the
Financial Conduct Authority and the Prudential Regulation Authority. It includes new content on
Bayesian networks, expanded coverage of Basel III, a revised treatment of operational risk, a fully
revised index and more than 150 end-of-chapter exercises. Over 100 diagrams are used to illustrate
the range of approaches available and risk management issues are highlighted with numerous case
studies. This book also forms part of the core reading for the UK Actuarial Profession’s specialist
technical examination in enterprise risk management, ST9.
PAUL SWEETING is Professor of Actuarial Science at the University of Kent, where he teaches
enterprise risk management. His research covers areas as diverse as longevity, pensions accounting
and investment strategy. Prior to joining the University of Kent, Professor Sweeting was Head of
Research at Legal and General Investment Management and Managing Director at J.P. Morgan
Asset Management. Professor Sweeting is a Fellow of the Institute of Actuaries, the Royal
Statistical Society and the Chartered Institute for Securities and Investment. He is also a CFA
Charterholder and a Chartered Enterprise Risk Actuary. He has written a number of articles on
financial issues and is a regular contributor to the written and broadcast media.
Downloaded from . Stockholm University Library, on 21 Aug 2018 at 12:55:09, subject to the Cambridge Core terms of use, available at .
INTERNATIONAL SERIES ON ACTUARIAL SCIENCE
Editorial Board
Christopher Daykin (Independent Consultant and Actuary)
Angus Macdonald (Heriot-Watt University)
The International Series on Actuarial Science, published by Cambridge University Press in conjunction with
the Institute and Faculty of Actuaries, contains textbooks for students taking courses in or related to actuarial
science, as well as more advanced works designed for continuing professional development or for describing and
synthesizing research. The series is a vehicle for publishing books that reflect changes and developments in the
curriculum, that encourage the introduction of courses on actuarial science in universities, and that show how
actuarial science can be used in all areas where there is long-term financial risk.
A complete list of books in the series can be found at . Recent titles include the
following:
Insurance Risk and Ruin (2nd Edition)
David C.M. Dickson
Computation and Modelling in Insurance and Finance
Erik Bølviken
Predictive Modeling Applications in Actuarial Science, Volume 1: Predictive Modeling Techniques
Edited by Edward W. Frees, Richard A. Derrig & Glenn Meyers
Actuarial Mathematics for Life Contingent Risks (2nd Edition)
David C.M. Dickson, Mary R. Hardy & Howard R. Waters
Solutions Manual for Actuarial Mathematics for Life Contingent Risks (2nd Edition)
David C.M. Dickson, Mary R. Hardy & Howard R. Waters
Risk Modelling in General Insurance
Roger J. Gray & Susan M. Pitts
Regression Modeling with Actuarial and Financial Applications
Edward W. Frees
FINANCIAL ENTERPRISE
RISK MANAGEMENT
Second Edition
PAUL SWEETING
University of Kent
University Printing House, Cambridge CB2 8BS, United Kingdom
One Liberty Plaza, 20th Floor, New York, NY 10006, USA
477 Williamstown Road, Port Melbourne, VIC 3207, Australia
4843/24, 2nd Floor, Ansari Road, Daryaganj, Delhi – 110002, India
79 Anson Road, #06-04/06, Singapore 079906
Cambridge University Press is part of the University of Cambridge.
It furthers the University’s mission by disseminating knowledge in the pursuit of
education, learning, and research at the highest international levels of excellence.
Information on this title:
DOI: 10.1017/9781316882214
© Paul Sweeting 2011, 2017
This publication is in copyright. Subject to statutory exception
and to the provisions of relevant collective licensing agreements,
no reproduction of any part may take place without the written
permission of Cambridge University Press.
First published 2011
Second edition 2017
Printed in the United Kingdom by Clays, St Ives plc
A catalogue record for this publication is available from the British Library.
ISBN 978-1-107-18461-9 Hardback
Cambridge University Press has no responsibility for the persistence or accuracy of
URLs for external or third-party Internet Web sites referred to in this publication
and does not guarantee that any content on such Web sites is, or will remain,
accurate or appropriate.

Contents

Preface  xi
1 An Introduction to Enterprise Risk Management  1
1.1 Definitions and Concepts of Risk  1
1.2 Why Manage Risk?  3
1.3 Enterprise Risk Management Frameworks  5
1.4 Corporate Governance  6
1.5 Models of Risk Management  8
1.6 The Risk Management Time Horizon  9
1.7 Further Reading  10
2 Types of Financial Institution  11
2.1 Introduction  11
2.2 Banks  12
2.3 Insurance Companies  14
2.4 Pension Schemes  16
2.5 Foundations and Endowments  18
2.6 Further Reading  19
3 Stakeholders  20
3.1 Introduction  20
3.2 Principals  20
3.3 Agents  31
3.4 Controlling  42
3.5 Advisory  48
3.6 Incidental  51
3.7 Further Reading  53
4 The Internal Environment  54
4.1 Introduction  54
4.2 Internal Stakeholders  54
4.3 Culture  55
4.4 Structure  57
4.5 Capabilities  60
4.6 Further Reading  60
5 The External Environment  62
5.1 Introduction  62
5.2 External Stakeholders  62
5.3 Political Environment  63
5.4 Economic Environment  63
5.5 Social and Cultural Environment  65
5.6 Competitive Environment  66
5.7 Regulatory Environment  67
5.8 Professional Environment  88
5.9 Industry Environment  92
5.10 Further Reading  99
6 Process Overview  101
7 Definitions of Risk  103
7.1 Introduction  103
7.2 Market and Economic Risk  103
7.3 Interest Rate Risk  104
7.4 Foreign Exchange Risk  104
7.5 Credit Risk  105
7.6 Liquidity Risk  106
7.7 Systemic Risk  107
7.8 Demographic Risk  109
7.9 Non-life Insurance Risk  111
7.10 Environmental Risk  112
7.11 Operational Risks  113
7.12 Different Definitions of Operational Risk  117
7.13 Residual Risks  124
7.14 Basis Risk  125
7.15 Further Reading  125
8 Risk Identification  126
8.1 Introduction  126
8.2 Risk Identification Tools  126
8.3 Risk Identification Techniques  129
8.4 Assessment of Risk Nature  132
8.5 Risk Register  133
8.6 Further Reading  133
9 Some Useful Statistics  134
9.1 Location  134
9.2 Spread  135
9.3 Skew  137
9.4 Kurtosis  137
9.5 Correlation  139
9.6 Further Reading  145
10 Statistical Distributions  146
10.1 Univariate Discrete Distributions  146
10.2 Univariate Continuous Distributions  149
10.3 Multivariate Distributions  180
10.4 Copulas  204
10.5 Further Reading  225
11 Modelling Techniques  228
11.1 Introduction  228
11.2 Fitting Data to a Distribution  230
11.3 Fitting Data to a Model  235
11.4 Smoothing Data  243
11.5 Using Models to Classify Data  249
11.6 Uncertainty  264
11.7 Credibility  267
11.8 Bayesian Networks  275
11.9 Model Validation  280
11.10 Further Reading  281
12 Extreme Value Theory  286
12.1 Introduction  286
12.2 The Generalised Extreme Value Distribution  286
12.3 Generalised Pareto Distribution  290
12.4 Further Reading  292
13 Modelling Time Series  294
13.1 Introduction  294
13.2 Deterministic Modelling  294
13.3 Stochastic Modelling  295
13.4 Time Series Processes  298
13.5 Data Frequency  318
13.6 Discounting  319
13.7 Further Reading  322
14 Quantifying Particular Risks  326
14.1 Introduction  326
14.2 Market and Economic Risk  326
14.3 Interest Rate Risk  339
14.4 Foreign Exchange Risk  351
14.5 Credit Risk  351
14.6 Liquidity Risk  372
14.7 Systemic Risks  374
14.8 Demographic Risk  375
14.9 Non-life Insurance Risk  384
14.10 Environmental Risk  391
14.11 Operational Risks  391
14.12 Further Reading  392
15 Risk Assessment  397
15.1 Introduction  397
15.2 Risk Appetite  398
15.3 Upside and Downside Risk  401
15.4 Risk Measures  402
15.5 Unquantifiable Risks  415
15.6 Return Measures  417
15.7 Optimisation  418
15.8 Further Reading  425
16 Responses to Risk  429
16.1 Introduction  429
16.2 Market and Economic Risk  432
16.3 Interest Rate Risk  446
16.4 Foreign Exchange Risk  450
16.5 Credit Risk  450
16.6 Liquidity Risk  457
16.7 Systemic Risk  457
16.8 Demographic Risk  459
16.9 Non-life Insurance Risk  461
16.10 Environmental Risk  463
16.11 Operational Risks  463
16.12 Different Definitions of Operational Risk  465
16.13 Further Reading  473
17 Continuous Considerations  476
17.1 Introduction  476
17.2 Documentation  476
17.3 Communication  477
17.4 Audit  479
17.5 Further Reading  480
18 Economic Capital  481
18.1 Introduction  481
18.2 Definition of Economic Capital  481
18.3 Economic Capital Models  482
18.4 Designing an Economic Capital Model  483
18.5 Running an Economic Capital Model  484
18.6 Calculating Economic Capital  485
18.7 Economic Capital and Risk Optimisation  486
18.8 Capital Allocation  487
18.9 Further Reading  490
19 Risk Frameworks  491
19.1 Mandatory Risk Frameworks  491
19.2 Advisory Risk Frameworks  507
19.3 Proprietary Risk Frameworks  521
19.4 Further Reading  526
20 Case Studies  528
20.1 Introduction  528
20.2 The 2008 Global Financial Crisis  528
20.3 Barings Bank  534
20.4 Equitable Life  537
20.5 Korean Air  540
20.6 Long Term Capital Management  542
20.7 Bernard Madoff  544
20.8 Robert Maxwell  545
20.9 Space Shuttle Challenger  546
20.10 Heartland Payment Systems  548
20.11 Kim Philby  549
20.12 Conclusion  550
20.13 Further Reading  550
21 Solutions to Questions  552
References  573
Index  586

Preface

I found myself writing the first edition of this book during a time of crisis for financial institutions around the world. The global financial crisis was under way, and
it was clear that poor risk management had played a part – both within firms and
on a macro-economic scale. As a result, regulations were strengthened. For banks,
Basel III was introduced. This brought capital requirements that were stronger yet
more flexible, and a new focus on liquidity. For insurance companies, planning for
a new regulatory regime was already well underway. However, the financial crisis
meant that Solvency II included measures to provide some protection for insurance
companies from capital market volatility.
In the years since the crisis, the stability of financial institutions has largely been
maintained. However, we are still in a time of enormous uncertainty. With interest
rates reaching new lows around the world, the efficacy of monetary policy is now
being questioned. And from a local perspective, the decision of the United Kingdom to leave the European Union could have global implications, both economic
and political, even if the nature of these implications remains to be seen.
On a smaller scale, the issue of cyber risk is of growing importance. Hackers seem regularly able to gain access to supposedly secure account information
through attacks on firms’ IT systems. Individuals are also at risk from phishing
emails, which can lead them to infect their computers with malware, or even to
hand over personal data explicitly. These and other forms of cyber risk are causing
ever growing losses for individuals and for financial institutions.
But risk management techniques are also developing. For example, Bayesian
approaches are being used increasingly to model complex networks of risks, even
extending to the calculation of capital requirements.
In this second edition, I have tried to address these changes as well as updating
the book more generally. I have also added questions at the end of each chapter,
to try to help understanding of the various topics covered. More questions can be
found at ; a QR code for this site is given at the
end of this preface.
Despite these changes, the principle behind the way in which these risks should
be approached remains the same – in particular, all risks should be considered
together. Whilst identifying the extent – or even the existence – of individual risks is
important, it is even more important to look at the bigger picture. Such an approach
can highlight both concentration and diversification. And, of course, risk is bad
only if the outcome is adverse. Upside risks exist, and without them, there would
be no point in taking risks at all.
This second edition has benefited greatly from the views of those kind enough
to comment on the first edition, particularly Patrick Kelliher. I am also grateful
to the team of reviewers for the Japanese translation to the first edition, led by
Professor Naoki Matsuyama. Finally, I must mention again those whose work was
so helpful with the development of the first edition, namely Andrew Cairns and
Lindsay Smitherman.

1 An Introduction to Enterprise Risk Management

1.1 Definitions and Concepts of Risk
The word ‘risk’ has a number of meanings, and it is important to avoid ambiguity
when risk is referred to. One concept of risk is uncertainty over the range of possible outcomes. However, in many cases uncertainty is a rather crude measure of
risk, and it is important to distinguish between upside and downside risks.
Risk can also mean the quantifiable probability associated with a particular outcome or range of outcomes; conversely, it can refer to the unquantifiable possibility
of gains or losses associated with different future events, or even just the possibility
of adverse outcomes.
Rather than the probability of a particular outcome, it can also refer to the likely
severity of a loss, given that a loss occurs. When multiplied, the probability and the
severity give the expected value of a loss.
A similar meaning of risk is exposure to loss, in effect the maximum loss that
could be suffered. This could be regarded as the maximum possible severity, although the two are not necessarily equal. For example, in buildings insurance, the
exposure is the cost of clearing the site of a destroyed house and building a replacement; however, the severity might be equivalent only to the cost of repairing the
roof.
Risk can also refer to the problems and opportunities that arise as a result of an
outcome not being as expected. In this case, it is the event itself rather than the
likelihood of the event that is the subject of the discussion. Similarly, risk can refer
to the negative impact of an adverse event.
Risks can also be classified by whether they depend on future uncertain events,
on past events that have yet to be assessed, or on past events that have already
been assessed. There is even the risk that another risk has not yet been identified.
When dealing with risks it is important to consider the time horizon over which
they occur, in terms of the period during which an organisation is exposed to a
particular risk, or the way in which a risk is likely to change over time. The link
between one risk and others is also important. In particular, it is crucial to recognise
the extent to which any risk involves a concentration with or can act as a diversifier
to other risks.
In the same way that risk can mean different things to different people, so can
enterprise risk management (ERM). The key concept here is the management of
all risks on a holistic basis, not just the individual management of each risk. Furthermore, this should include both easily quantifiable risks such as those relating
to investments and those which are more difficult to assess such as the risk of loss
due to reputational damage.
A part of managing risks on a holistic basis is assessing risks consistently across
an organisation. This means recognising both diversifications and concentrations of
risk. Such effects can be lost if a ‘silo’ approach to risk management is used, where
risk is managed only within each individual department or business unit. Not only
might enterprise-wide concentration and diversification be missed, but there is also
a risk that different levels of risk appetite might exist in different silos. The concept
of risk appetite is explored in Chapter 15. Furthermore, enterprise-wide risks might
not be managed adequately with some risks being missed altogether due to a lack
of ownership.
The term ‘enterprise risk management’ also implies some sort of process – not
just the management of risk itself, but the broader approach of:
• recognising the context;
• identifying the risks;
• assessing and comparing the risks with the risk appetite;
• deciding on the extent to which risks are managed;
• taking the appropriate action; and
• reporting on and reviewing the action taken.

When formalised into a process, with detail added on how to accomplish each
stage, then the result is an ERM framework. However, the above list raises another
important issue about ERM: that it is not just a one-off event that is carried out and
forgotten, but that it is an ongoing process with constant monitoring and with the
results being fed back into the process.
It is important that ERM is integrated into the everyday way in which a firm
carries out its business and not carried out as an afterthought. This means that
risk management should be incorporated at an early stage into new projects. Such
integration also relates to the way in which risks are treated since it recognises
hedging and diversification, and should be applied at an enterprise rather than a
lower level.
ERM also requires the presence of a central risk function, headed by a chief
risk officer. This person should be responsible for all things risk related, and in
recognition of his or her importance, the chief risk officer should have access to or,
ideally, be a member of the board of the organisation.
Putting an ERM framework into place takes time, and requires commitment from
the highest level of an organisation. It is also important to note that it is not some
sort of ‘magic bullet’, and even t...