In his article, 7 Key Elements of Effective Enterprise Risk Management, John Thackeray describes how a well-structured ERM system allows an organization to navigate, with some certainty, the risks posed to its business objectives and strategy. Without useful documentation and steps to broadly communicate the elements, the best-planned ERM system will fail. In this article John describes what it takes to document your ERM system.

Efficacy of Risk Documents

Good written risk documentation is both an art and a science; in a perfect world the writer and the subject matter expert would be one and the same. Unfortunately, we do not live in a perfect world and this blend is difficult to find. Too many risk documents have either been badly written by the subject matter expert and/or have been deemed content-light and aspirational by the writer.

To achieve clarity, the risk documentation should be written from an independent viewpoint by someone who can challenge known assumptions with a questioning mind. The risk writer will need input from the business, seek collaboration and guide the organization towards ownership of the final document. As a result, the document will be an objective piece of writing, speaking the language of the organization while being understood by the outside world.

Good documentation is a prerequisite in the successful implementation of risk management, acting as a delivery and message mechanism. Documentation must:

The documentation affects and defines the engagement with internal and external stakeholders, articulating and defining the organization’s culture, attitude, and commitment towards risk.


The board has overall responsibility for ensuring that risks are managed. It delegates the operation of the risk management framework to the management team. One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. Therefore, the board requires a level of comfort and assurance that risk documentation is being used and is directing the organization toward achieving its objectives.

Here are three signals of effectiveness.

1. Cultural attitude towards risk: This establishes and confirms clear roles and responsibilities that reinforce ownership, accountability and responsibility. Documentation underpins standard practices and policies, so a commitment to the guidelines speaks to the adequacy of a firm’s internal control environment. Most companies will have a risk charter which binds the Board and senior management to a fiduciary duty in respect of their responsibilities. It will impose a structure and governance that adds value by directing the performance of corporate objectives in a controlled fashion.

Part of this cultural attitude towards risk is evidenced in the review and challenge process. Asking the right questions and verifying the correct answers demonstrate an organization’s comfort level with its governance and documentation processes. There must be a structure in place that allows employees to challenge these processes when necessary, for instance with 360-degree feedback or employee lunches with the C-suite. Both enable open communication and transparency.

Moreover, this will be evidenced through training. A commitment to training will speak volumes about the tone set from the top of the organization. Indeed, reinforcement through regular training will drive the corporate message home, ensuring a commonality of standards and purpose.

2. The right metrics. Metrics gauge the operational efficiency of documentation, and selecting the right ones will ensure that employees are compliant in terms of key performance and key risk indicators. Too few or too many of these metrics can paint a distorted picture; the chosen metrics must therefore be material and relevant to the documentation. Regular reviews of these metrics will indicate whether the documentation is fit for purpose. Return on equity, risk-adjusted capital return and return on investment are some metrics that can be adjusted with regard to risk.

3. Continuous assessment and review of policies and procedures. Reviews should consist of assessments based on representative samples and must include testing and validation by all engaged stakeholders. Documentation needs to be recalibrated if your organization has too many – or too few – “escalation incidents” and/or exceptions. These exceptions and escalations should be actively tracked to gain an understanding of the validity of the documents. With limited resources, only core and material documents would have to be reviewed and tested, especially in the light of changing working conditions and impactful legislation. A structure which enforces this oversight is a sign that risk mitigation is part of the organization’s DNA.

Passing thoughts

These three signals are interlinked, each providing a layer of evidence that risk is being taken seriously by the organization.

Risk documentation is where the written word captures the spoken word: documenting the ERM system ensures intentions and actions are aligned – which makes for a better world.

This article was published on CFO.University


Crisis fraud risk management is born out of a highly volatile atmosphere which can upend and overwhelm even the most structured fraud risk management program. This volatile atmosphere is here with us today and comes in the form of COVID-19. COVID-19 represents the single greatest challenge to fraud risk management (“FRM”) because pandemics and their effects were never identified as a driving force in the escalation of both existing and new types of emerging fraud. Moreover, business continuity plans had an isolated focus on operations rather than on people and operations, with much shorter timeframes envisaged.

“In a new survey conducted by the Association of Certified Fraud Examiners (ACFE) about the effect COVID-19 has on fraud, 90% of respondents reported that they have seen an increase in scams targeting consumers, with 51% believing the increase has been by a significant amount. Respondents reported seeing an immediate increase in a number of specific fraud schemes. Of those surveyed, 75% said they already have encountered an increase in phishing through government impersonation, and 71% report seeing an increase in charity fraud. They also have experienced an increase in fraudulent vaccines, cures or tests for the coronavirus (66%); third-party seller and buyer scams on legitimate online retail websites (64%); business email compromise scams (62%); and cyber breaches (61%). Link to survey: ACFE COVID-19 survey.”[1]

Pandemic effects

There is no doubt that a pandemic can cause economic and financial hardship on a massive scale, at both an individual and a corporate level. In times of economic crisis, employees’ personal financial pressures tend to rise, which is often where the decision to steal and embezzle is rationalized. This justification can proliferate as many key individuals are wearing multiple hats, with a dilution of segregation of duties. This rationalization extends to companies that face pressure to falsify their financials in order to meet earnings targets or to secure and maintain financing. Constrained supply chains and reliance on key third-party vendors may increase the incidence of bribery and corruption as the need to meet and support company objectives becomes paramount.

In this threatened environment, companies may seek to cut costs, which will often target non-revenue-generating departments, e.g. compliance and internal audit, while at the same time reducing budgets for control training.

The lack of the fraud assessments that are integral to a comprehensive anti-fraud program only serves to leave organizations more vulnerable to the growing likelihood of fraud. As organizations make cuts in the attempt to operate with a leaner staff, they can find themselves caught in a perfect storm for fraud: mounting financial pressures motivating employees and customers alike, providing a common co-operative cause, fused with a highly toxic emotional, irrational and survival-based mindset acting as a powder keg.

Social distancing from the virus has increased online risk, with fraudsters having already found ways to use coronavirus warnings as a veil for malware injections and other fraud schemes. Social distancing has also increased the need for, and usage of, contactless payments, and with it a proliferation of social engineering attempts, leading to an uptick in fraud in e-commerce and online payments with an incessant increase in both identity theft and account manipulation. This increase in social engineering has escalated with the reliance on home office environments, which by themselves offer fraudsters the opportunity to both degrade and infiltrate organizations’ data and information systems.


The first thing is to realize that such a crisis raises the vulnerability of the organization to fraud and is a true test of the fraud resilience of the organization. Outlined below are three countermeasures that the fraud risk program should adopt and introduce in the new challenging environment.

1. Re-evaluate and reassess fraud policy and procedures
The existing FRM framework needs to be re-evaluated and reassessed, knowing that a scan of the environment and the resultant ensuing pressures will create new emerging opportunities and stronger motives for the commission of fraud. The new normal will create new avenues, as outlined above, for the fraudster, which may expose the soft operational underbelly of the organization. There may be a need to get ahead of the fraud curve and proactively amend and adapt the policy and procedures to reflect the new normal, e.g. a new fraud taxonomy. Existing policy and procedures that may now be compromised in terms of operational efficiency will have to be adapted in a timely fashion, with the redrawing of fraud risk appetites and tolerances and with greater insight and participation from stakeholders.

2. Review and renew the fraud control environment
The external environment will be constantly updating and changing according to the political pressures of the day, with both public and private organizations offering different and varied responses, leading to potentially confusing messaging. Temporary legislation will create loopholes and opportunities with the need to constantly rethink the identification and assessment of likely fraud risks that can emerge due to exceptional management measures, especially in the short-term. Exemptions that have been granted by the authorities to existing policies and procedures resulting in a relaxation of controls should be documented for future reviews and audits.

3. Improve the fraud message, communication, and data channels
As the crisis continues, there is a greater need to engage and communicate the fraud message without overloading the individual with information. Sharing experiences and observations is paramount and can act as an early warning system. Fraud risk will be elevated in conjunction with, and heavily correlated to, the increased incidence and risks of cybersecurity breaches and money laundering. Information flows needed to understand this triad of threats must be timely and aligned in a coordinated fashion from internal and external data sources such as Compliance, Information Technology, Audit and third-party vendors. The organization must understand the interconnectedness of fraud with all the other risks facing the organization and be able to respond at the enterprise level.

One result of the new working environment has been that information flows have increased, as whistleblowers who are now either disengaged or emboldened by working from home have decided to come forward. According to a recent Wall Street Journal article, the U.S. Securities and Exchange Commission received about 4,000 tips from mid-March to mid-May, which is a 35% increase[2] from the same period last year. Whistleblowing hotlines provide a ready-made, low-cost source of credible tips, on which assessments can be conducted provided the organization has the resources and resolve to investigate.

Fraud risk managers need to tailor their message to different audiences at a faster pace and need to be better communicators. Fraud communication needs to be reinforced, and this extends to training, where there is a need to be creative and to involve topics which are current, so the message is easily assimilated and on point. The importance of training needs to be emphasized and, for once, must be rigorously enforced with penalties for non-compliance.

With this information overload, fraud risk managers will have to provide clean, accessible, robust and sustainable data, with the need to keep vast amounts of data for future inspection and audit. The amount of big data being generated will enable the more astute to redesign their control processes using a comprehensive data management approach drawing on both public and private data sets. Data flows need to be kept in perspective, with anomalies explained and the number of false positives created by the increased data flow accounted for. Sanitization and regular inspection are a must to power the behavioral analysis which can detect new and existing incidences of fraud.

Moreover, certain segments of the customer base will be more prone to high risks, and fraud investigators will have to employ key behavioral analysis to drive informed decisions on whether transactions are fraudulent or genuine. Machine learning and artificial intelligence will have to be woven into the fraud risk manager’s fabric, providing data analytics that can be used to understand device vulnerability and attacks.

These challenges will alter the role and responsibilities of fraud risk managers, who will become data custodians, model risk managers and ad hoc technologists.

Passing thoughts

Crisis fraud risk management means that fraud risk managers must have an adaptable and credible plan and stay focused rather than become embroiled in the crisis themselves. The three countermeasures above offer insight and guidance to alleviate the vulnerability and mitigate the number of fraud incidences in a crisis.

Professional Risk Management International Association

Fraud is all around us, grabbing the headlines every single day. Fraud is a high-impact, low-probability risk with the potential to destroy a firm’s integrity and reputation very quickly. Many firms focus on the low-probability nature of fraud, and consequently fail to employ both resources and structure to address this risk. A typical fraud risk management framework includes the following components: governance, assessment, strategy and evaluation.

Let’s take a look at four steps a firm can take to develop and maintain an effective fraud risk management program.

1. Create a dedicated governance structure to manage fraud risk.

The first requirement is to build an organizational culture to combat fraud at all levels of the firm. This should demonstrate a senior-level commitment and set an anti-fraud tone that permeates the culture. To oversee all fraud risk management activities requires the development of an anti-fraud entity that, among other things, will:

2. Create a fraud risk assessment.

The next stage is to plan regular fraud risk assessments that are tailored to the fraud risk management program. To further this goal, the firm should identify specific tools, methods and sources for gathering information about fraud risks, including data on fraud schemes and trends from monitoring and detection activities. Buy‐in involves relevant stakeholders in the assessment process, including individuals responsible for the design and implementation of fraud controls.

Requirements include:

3. Design and implement an anti-fraud strategy with specific control activities.

Based on its fraud risk profile, a firm should develop, document and communicate an anti-fraud strategy to employees and stakeholders that describes the program’s activities for preventing, detecting, responding, monitoring and evaluating. The following questions can be used to guide the firm’s resource allocation in response to fraud:

4. Conduct risk-based monitoring and evaluate all components of the framework.

Collection and analysis of data — including data from reporting mechanisms and instances of detected fraud — is a must in the monitoring of fraud trends and in the identification of potential control deficiencies. Moreover, it is important to evaluate the effectiveness of preventive activities, fraud risk assessments, anti-fraud strategy, fraud controls and response efforts.

A risk-based approach to monitoring should also be implemented. This approach should consider internal and external factors (e.g., organizational changes and emerging risks) that can influence the control environment.

Every fraud risk management program can be further enhanced by fraud awareness training and by communicating results — for example, instances of fraud that have been identified and corrective actions that have been taken — to employees.

Following these four steps will help to prevent, but not eliminate, fraud. Most fraud can be staved off by a comprehensive risk management program, but as criminals and morally compromised people concoct new forms of deceit, financial institutions must remain vigilant.

This article was published on ACFE Insights

The defining issue and top global emerging risk of 2020 is climate risk, which has been gaining a sense of urgency with major implications for financial institutions. Climate change can no longer be viewed in isolation as a reputational risk but must be seen and addressed as a financial risk that needs to be integrated into existing risk management frameworks. Climate risk is a “transverse” risk that can extend its reach into existing risk stripes. As climate risk manifests itself through existing risk stripes, climate change can also heighten credit risks for banks, as demonstrated by the recent PG&E bankruptcy. Banks need to consider how climate-driven financial risks can be embedded into current financial risk management frameworks.

Regulators have been influenced by increasing interest in both the impact and implications of climate change as a result of public awareness and the failure of governments and the United Nations to reach substantive and collective agreement. In this vacuum, central banks are starting to lead by example by including climate-related risks in their evaluations, leading to an escalation of policy pronouncements which are likely to adjust more rapidly as the climate change debate intensifies. Increased cooperation is evidenced by the Network of Central Banks and Supervisors for Greening the Financial System (NGFS), an international collaboration between central banks and regulators whose main aim is to support the financial sector’s efforts to achieve the Paris climate goals.

Since climate change continues to have huge economic and political implications, regulators are pushing financial institutions to take climate risk issues into account in their analyses of country risk and sovereign ratings, which will filter down into individual counterparty ratings.

The IMF’s new chief, Kristalina Georgieva, pioneered green bonds in 2008 while at the World Bank. Her discussion of whether to assign different risk weightings to assets that are more or less green is fostering an important debate that engages the financial community. Recently the US Democratic Senator Brian Schatz of Hawaii introduced a bill that would direct the Federal Reserve to subject large banks to stress tests measuring their resilience to climate-related financial risks. The proposed Climate Change Financial Risk Act of 2019 underscores worries among policy makers over the risk posed to the financial system by the continuous and sustained weather events which continue to plague the continental United States.

Accountability has become the weapon of choice: financial institutions having signed up to laudable climate principles (i.e. the Equator Principles), they will need to demonstrate with actionable examples how they are adhering to such principles. Shareholders and social media will apply a lens which may mean Boards will need to become climate literate at a faster pace.

The need for disclosure is paramount and this process will escalate initiatives led by the Task Force on Climate-Related Financial Disclosures of the Financial Stability Board. As an example, the Task Force is recommending that companies make their climate-related risks known to lenders and other stakeholders.

Board members are increasingly being viewed as fiduciary custodians by their stakeholders and as such there has been a need to include representation from climate science on the Board. Moreover, some Boards are openly demanding the need for organizational structural change by means of a Sustainability Committee reporting directly to them to enhance Board comfort around the climate challenges.

Call to action

A call to action seems to have resonated with all stakeholders within the community, as evidenced below:

• The UK’s regulators: the Prudential Regulation Authority became the first regulator in the world to publish supervisory expectations that explain how financial institutions need to develop a methodology, framework and approach to managing financial risks emanating from climate change.

• The Bank of England is insisting that there is a senior manager in each major financial institution responsible for managing climate risk, who can be liable for fines or a ban if there is ineffective governance and oversight.

• Barclays has joined sixteen other leading banks, the UN Environment Programme Finance Initiative (UNEP FI) and Acclimatise in publishing new methodologies that help banks understand how the physical risks and opportunities of a changing climate might affect their loan portfolios.

• HSBC has set up its Climate Change Centre of Excellence, which analyzes the commercial implications of climate change for HSBC Group businesses and clients.

• French banks such as BNP, Société Générale, Natixis and Crédit Agricole have retreated from and stopped lending focused on oil and gas from shale and tar sands. These banks are pioneers in the climate space, driven mainly by France’s Energy Transition Law, which was introduced in 2015 and requires financial institutions to report on their carbon risks.

• The European Union is to stop funding oil, gas and coal projects at the end of 2021. The European Investment Bank (EIB), the EU’s financing arm, will bar funding for most fossil fuel projects.

• Sweden’s central bank has ditched bonds issued by Australian and Canadian regions on the grounds that their carbon emissions are too high.

• A shareholder in Australia filed suit against the Commonwealth Bank of Australia for failing to adequately disclose climate risk. The case was dropped after the bank released new reporting that recognized climate change as a financial risk.

• A retreat from lending to companies with large carbon footprints has left some financial institutions with large industrial exposures that they had not planned or been prepared to hold.

• Spanish energy company Repsol SA is cutting the value of its assets by billions of dollars because the global transition to a lower-carbon economy is weakening the outlook for energy prices.

• Up until now, these climate risks have largely been absent from investors’ models, but the rating agencies are at least thinking about changing their methodology and methods for assigning ratings to incorporate climate risk.

• Investment funds are now being held to a higher standard when it comes to their portfolio restrictions and guiding principles on climate-related investments.

Risk identification

Financial risks stemming from climate change arise through three main channels: physical risk, transition risk and liability risk. Physical risks arise from climate- and weather-related events. These changes in the physical environment will create physical risks that will impact individuals, businesses and economies, consequently affecting a variety of financial transactions. Transition risks arise from the process of adjusting toward a lower-carbon economy. Policy, technology and laws relating to climate change could be accelerated, prompting a reassessment of the value of a large range of assets as costs and opportunities become apparent. This reassessment could modify the value of assets and liabilities, thereby altering the risk profile of financial institutions. As the opportunity to take voluntary steps lessens and government requirements become more immediate and demanding, the velocity at which the transition occurs will determine the scale of disruption for affected industries.

Transition risk is likely to be the biggest area of influence on asset values in the shorter term, whereas the physical effects are likely to be the driving factors influencing asset values and economic performance in the medium to longer term.

In jurisdictions such as the US or Europe, lenders are unlikely to be held directly liable for the activities of the companies that they lend to; however, this may soon change due to increased political and social pressure. Banks acting as underwriters of bonds should assess the materiality of climate risks to an issuer’s business when drafting risk factors in the offering documents. For Board members, there is a real risk of being sued for not disclosing climate risks and, alternatively, of being sued for making forward-looking statements about climate change which prove to be incorrect.

Given the uncertainty around the future path of emissions, and their associated economic and financial impacts, a natural tool for analyzing these risks is scenario analysis. There are two primary types of scenarios fit for this purpose: climate-impact (physical risk) scenarios and transition scenarios. Climate-impact scenarios investigate the effects climate change could have on economies, societies and ecosystems, given an assumed level of emissions; transition scenarios model how economies might adjust given a temperature target and government policy. While existing scenario analysis or stress testing frameworks can be leveraged, climate risk scenario analysis differs from the traditional use of these with longer time horizons, description of physical variables and generally the non-inclusion of specific economic parameters. The Bank of England is asking British insurers and lenders to gauge to what extent global warming might impact the value of their investments and balance sheets — and its potential to destabilize the financial markets. The three climate scenarios promulgated by the bank’s Prudential Regulation Authority are “exploratory” in nature. The hypothetical narratives are designed in a way to pinpoint risks and exposures, with no pass or fail and a publication of results in aggregate without naming institutions.

How climate risk impacts existing risk types

There is a need to examine existing risk types and consider whether climate risk is sufficiently material to be incorporated and embedded into established risk frameworks. Financial risks will typically be greater for long-lived assets and liabilities (e.g., infrastructure, pensions) than short-term contracts, where risks and pricing can be more readily adjusted. There may also be consequential risks, such as concentration risk and asset-liability mismatches. The more that these types of transverse considerations are embedded into firms’ day-to-day governance and risk management processes the better firms will be able to manage and mitigate the financial risks of climate change. The risks relate to a firm’s clients, counterparties, and their own internal operations.

Moreover, credit analysis will also have to change as illustrated below to meet the climate risk challenge.

• Climate change may affect the comparative market competitiveness and performance of the firm, e.g. through the writing down of carbon asset values on the balance sheet.

• Differential pricing and returns may have to be incorporated, with the credit proposal emphasizing the basis for carbon-free projects.

• Non-compliance with environmental regulations could result in various forms of liability for the project and its stakeholders, as well as unwanted publicity.

• The client’s ability to refinance may be compromised once awareness of climate risks has increased, making it more difficult for a current investor to exit.

• Repayment sources may be affected, as income from the sale of assets or equity by clients may be diminished because climate change will affect market values.

• The cost of insurance for clients may increase, and exclusion clauses may become more onerous. Insurance cover may no longer be available, forcing companies to self-insure, which would require them to make financial provisions to cover future losses, affecting their financial capacity.

Passing thoughts

Now is the time to act on greening the financial system in order to move away from a verbal undertaking of corporate responsibility to one of sustainable leadership. The world is watching to see which financial institutions have the vision and leadership that define their role in the social and economic fabric of climate change.

This article was published on issuu

5 Hallmarks of an Effective Cybersecurity Program

This article was published on Global Association of Risk Professionals

In February, the Federal Reserve Board is expected to release scenarios for its 2020 Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act stress test (DFAST) exercises. Moreover, the European Banking Association recently published templates for its EU-wide stress tests. In short, despite the fact that DFAST requirements, in particular, have been scaled back, stress testing is still extremely important for both banks and supervisors.

Since the 2008-09 financial crisis, with the help of severely adverse scenarios and other stress tests, banks have significantly increased their capital buffers relative to risk-weighted assets. The financial system, moreover, now seems much better prepared to withstand a severe shock.

Banks have also used stress tests to improve their modeling, governance and data gathering, and there is now better communication between risk managers and business executives. All of this, of course, is linked not only to greater regulation but also to banks’ understanding about the potential business benefits of the tests.

Stress testing is a forward-looking risk management tool for evaluating the potential impact of both unexpected events and changes in a firm’s financial variables – including capital, asset quality and profitability. It incorporates risk into planning by providing the “what if” scenarios for the strategic and capital planning processes.

The establishment of risk appetite, balance sheet management, risk management and capital management are all inextricably linked to stress testing. The simple objective of stress testing is to keep institutions a going concern by balancing risk capacity (capital, earnings) with risk exposure (credit, market, operational, etc.).

Ultimately, stress testing should also lead to calls for action, which may take the form of, say, developing contingency plans, reducing concentrations, determining the appropriate dividend, or raising capital through equity or debt.

There is a three-item checklist for developing effective stress testing: firms must (1) understand and deploy the various kinds of stress tests; (2) build a comprehensive framework for modeling different scenarios; and (3) determine whether a top-down or bottom-up approach is the better strategy for evaluating the impact of shocks to macroeconomic variables.

Scenario Analysis, Reverse Stress Testing and Sensitivity Analysis

There are three types of stress testing:

Scenario analysis entails the development of historical or hypothetical scenarios to assess the impact of various events. Scenarios usually involve a coherent, logical narrative that describes how events occur and in which combination and order.

Through scenario analysis, a firm can evaluate the impact of specified scenarios on its financial position. The scenarios can be chosen based on a defined probability of occurrence – for example, a ‘one-in-a-hundred-years’ event.

The application of scenario analysis shows the complex dependencies between several risk factors and their related key performance indicators (KPIs).

Reverse stress testing assumes a known adverse outcome and then deduces the types of events that could lead to such an outcome. This type of stress testing considers scenarios beyond normal business considerations, challenging common assumptions.

Sensitivity analysis involves changing and stressing variables, parameters or inputs without an explicit, underlying reason or narrative.

Building a Proper Framework

Stress testing planning must be plausible, consistent, adaptive and reportable. This planning must be underpinned by a robust and effective framework that uses scalable reference data and relies on the efficiency and suitability of its forecasting models.

Furthermore, the framework should test the robustness of risk models: checking the sensitivity of models to different and divergent stresses may help evaluate their effectiveness. The adequacy and practicability of risk limits and triggers must also be measured, and relevant risk drivers should be identified.

Components of a Stress Testing Framework

Forecasting the impact of stresses and scenarios on the business plan can help prove, or disprove, the viability of that plan. Stress testing, moreover, should enable the understanding of the cause-effect relationship between stresses and changes in the risk profile of a company, allowing senior management to make prompt, well-informed business decisions.

Two Approaches

There are two common stress testing approaches: bottom-up and top-down.

The bottom-up approach evaluates the impact of shocks to macroeconomic variables at the most granular level of data. It considers shocks at individual customer levels, and the results are then aggregated to give a firmwide view of the impact on the firm’s capital levels.

The top-down approach, in contrast, evaluates the impact of shocks to macroeconomic variables on a firm’s balance sheet or income statement.

There are, of course, advantages and disadvantages (see chart, below) to each approach.

Stress Testing Approaches: Pros and Cons

Bottom-up approach
  Pros: Realistic modelling of the linkages between changes in economic conditions and risk factors; captures the idiosyncratic risk of the firm.
  Cons: Model and technology intensive, making this approach time consuming; requires continuous validation of models and underlying assumptions.

Top-down approach
  Pros: Less dependent on complex models and therefore quicker to implement; assumes a static balance sheet; requires minimal monitoring and intervention.
  Cons: Gives an imprecise modelling of the linkages between changes in economic conditions and risk factors; doesn't capture the idiosyncratic risk of the firm; doesn't capture concentration and correlation risks adequately, assuming zero or constant correlation among portfolios; may give varied results when underlying economic conditions change even though the balance sheet composition stays the same; makes it difficult to benchmark against peers, as idiosyncratic risk is not separated from systemic risk.

Combination
  Pros: Combining or contrasting both approaches yields a clearer picture.
  Cons: Takes a lot of planning and preparation.
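The three types of test described earlier (scenario analysis, reverse stress testing, sensitivity analysis) and the bottom-up versus top-down contrast in the table can be made concrete with a small engine. The Python below is an added example written for this page; it is not code from the article, from the author, or from any regulator's stress-testing toolkit. The loan book, the capital and RWA figures, the scenarios and the 8% floor are all constructed for illustration. The bottom-up run shocks each exposure with its own sector's probability-of-default multiplier; the top-down run treats the book as one position with average PD and LGD, which is exactly why it understates the concentrated oil_shock loss; the sensitivity run moves a single input with no narrative attached; and the reverse stress test starts from the adverse outcome (capital ratio below the floor) and searches for the uniform multiplier that produces it.

```python
"""Toy stress-testing engine, constructed for this page: scenario analysis,
sensitivity analysis and reverse stress testing over a made-up loan book,
run both bottom-up (exposure by exposure) and top-down (one aggregate
balance-sheet position). All figures are illustrative assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    sector: str
    ead: float  # exposure at default
    pd: float   # one-year probability of default, base case
    lgd: float  # loss given default, base case


# Constructed sample loan book (not real data).
BOOK = [
    Exposure("A", "retail", 400.0, 0.02, 0.40),
    Exposure("B", "retail", 300.0, 0.03, 0.45),
    Exposure("C", "energy", 500.0, 0.04, 0.60),
    Exposure("D", "energy", 200.0, 0.05, 0.55),
    Exposure("E", "tech",   600.0, 0.01, 0.35),
]
CAPITAL = 200.0    # available capital (assumed)
RWA = 1600.0       # risk-weighted assets, held fixed (static balance sheet)
MIN_RATIO = 0.08   # capital / RWA floor taken from the risk appetite statement

# A scenario is a narrative expressed as parameter shocks: a PD multiplier
# per sector (1.0 where omitted) and an additive LGD uplift.
SCENARIOS = {
    "baseline":        {"pd_mult": {}, "lgd_add": 0.0},
    "oil_shock":       {"pd_mult": {"energy": 4.0, "retail": 1.5}, "lgd_add": 0.10},
    "broad_recession": {"pd_mult": {"retail": 2.0, "energy": 2.0, "tech": 2.0}, "lgd_add": 0.10},
}


def bottom_up_loss(book, scenario):
    """Shock each exposure with its own sector multiplier, then aggregate."""
    total = 0.0
    for e in book:
        pd = min(1.0, e.pd * scenario["pd_mult"].get(e.sector, 1.0))
        lgd = min(1.0, e.lgd + scenario["lgd_add"])
        total += e.ead * pd * lgd
    return total


def top_down_loss(book, scenario):
    """Treat the book as one position with EAD-weighted average PD and LGD and
    apply the scenario's average multiplier: quick, but blind to concentration."""
    total_ead = sum(e.ead for e in book)
    avg_pd = sum(e.ead * e.pd for e in book) / total_ead
    avg_lgd = sum(e.ead * e.lgd for e in book) / total_ead
    sectors = {e.sector for e in book}
    avg_mult = sum(scenario["pd_mult"].get(s, 1.0) for s in sectors) / len(sectors)
    return total_ead * min(1.0, avg_pd * avg_mult) * min(1.0, avg_lgd + scenario["lgd_add"])


def capital_ratio(loss, capital=CAPITAL, rwa=RWA):
    """Post-loss capital ratio; RWA is held constant (static balance sheet)."""
    return (capital - loss) / rwa


def scenario_analysis(book, scenarios):
    """Capital ratio under each named scenario, both ways, with a breach flag."""
    out = {}
    for name, sc in scenarios.items():
        bu = capital_ratio(bottom_up_loss(book, sc))
        td = capital_ratio(top_down_loss(book, sc))
        out[name] = {"bottom_up": bu, "top_down": td, "breach": bu < MIN_RATIO}
    return out


def sensitivity_analysis(book, lgd_adds):
    """Move one input (LGD uplift) with no narrative attached and watch the ratio."""
    return [(v, capital_ratio(bottom_up_loss(book, {"pd_mult": {}, "lgd_add": v})))
            for v in lgd_adds]


def reverse_stress_test(book, floor=MIN_RATIO, hi=20.0, tol=1e-6):
    """Start from the adverse outcome (ratio below `floor`) and find the smallest
    uniform PD multiplier that produces it, by bisection (loss is monotone in it)."""
    def ratio_at(m):
        sc = {"pd_mult": {e.sector: m for e in book}, "lgd_add": 0.0}
        return capital_ratio(bottom_up_loss(book, sc))
    if ratio_at(hi) >= floor:
        return None  # no breach even at the search ceiling
    lo = 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if ratio_at(mid) < floor:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    for name, r in scenario_analysis(BOOK, SCENARIOS).items():
        print(f"{name:16s} bottom-up {r['bottom_up']:.4f}  top-down {r['top_down']:.4f}  breach={r['breach']}")
    for v, r in sensitivity_analysis(BOOK, [0.0, 0.1, 0.2, 0.3]):
        print(f"lgd_add={v:.2f} ratio={r:.4f}")
    print("uniform PD multiplier that breaches the floor:", round(reverse_stress_test(BOOK), 3))
```

Run as a script it prints the per-scenario ratios: the oil shock breaches the floor bottom-up but not top-down, because the top-down average smears a shock that is concentrated in the energy book across the whole balance sheet. The reverse stress test's answer (roughly a 2.7x uniform rise in default rates) is the kind of number that turns a scenario into a call for action, since it tells management how far conditions can deteriorate before the appetite floor is crossed. Keeping RWA fixed is the static balance sheet assumption listed in the table; a dynamic version would recompute it per scenario.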

Parting Thoughts

Stress testing can shape the risk profile of your organization. It identifies risk concentrations across various business lines, allowing management to form contingency plans while also providing for the integration of business strategy, risk management and capital planning.

What’s more, it offers a forward-looking view of strategic opportunities, and promotes risk discussions that lead to enhanced internal and external risk communication.

This article was published on Global Association of Risk Professionals

Fraud risk management should both inform and shape any third-party risk management program in conjunction with all the other risk disciplines. Now more than ever, with increased regulation and risk, organizations must conduct vigorous, structured and regular due diligence on third-party intermediaries. The risks posed by these parties are many and varied, ranging from cybersecurity to business disaster. With third parties accessing regulated company information, the likelihood and impact of IT security incidents are on the rise.

Regulators are looking for the methodology, the approach and the sustainability of programs designed to capture and mitigate these risks. Moreover, regulators are seeking evidence on how a program and its processes are embedded and aligned within an organization’s risk culture and risk appetite.

Possessing a robust, structured program to mitigate these risks can protect corporate reputation and shield executives, board members and other management from personal and professional liability. At its core, such a program incorporates a risk-based approach, which is a methodical and systematic process of knowing the company’s business, identifying its risks and implementing measures that mitigate those risks.

The diagram below portrays the key considerations which are explained further below.



Each third-party relationship brings with it several multidimensional risks that extend and traverse across suppliers, vendors, contractors, service providers and other parties. An effective third-party risk management process begins by comprehensively identifying third-party risks. This risk identification process should be followed by an analysis of the specific drivers that increase third-party risk. Moreover, your organization needs to understand its universe of vendors and how the third-party ecosystem engages, interacts and connects with its internal and external operating environment.

With an understanding of its risk appetite for vendor risk, a risk framework can be developed with a coherent and consistent set of policies and procedures which define the paradigm of an objective risk assessment model, crucial in creating a risk profile for third parties. The policies and procedures will, furthermore, describe the implementation of the system, resources, acceptable mitigants, roles and responsibilities.


Your organization should take a risk-based approach to third-party screening and due diligence. Stratify your third parties into various risk categories based on the product or service, as well as the third-party’s location, countries of operation and key contributions. An important part of the process will be to mitigate an over-reliance on any key third party.


Standardized contracts are a must, outlining the rights and responsibilities of all parties, with suitable metrics in place to sustain the relationship. Given the importance of supply chains today, the contract should identify any subcontracting to a fourth party. The key is to contractually bind third parties to inform and get approvals on any fourth-party involvement and ensure that fourth parties are in the scope of screening and risk management processes. Understanding the business continuity process and the compliance requirements of the third party are also important considerations in the selection process.


Monitoring is essential: it ensures that the performance standards set by the program are implemented and followed, using well-defined metrics to measure the program's effectiveness. Continuous third-party monitoring and screening is the key to helping companies make informed decisions about their third parties, with screening against global sanctions lists, law enforcement and watchlists, and adverse media reports.


The termination process is often overlooked, but it is crucial and should be settled during the negotiation. It should take what-if scenarios into account, with defined trigger points that allow your organization to extricate itself from the relationship in an orderly and timely fashion.

Third-party risk management is one of the top emerging risks, and fraud risk management needs a seat at the risk table to both impact and inform the program but more importantly keep it relevant with regard to outside influences. Fraud risk management can no longer be a silent partner when it comes to third-party risk management.

This article was published on ACFE Insights

If a company wants to minimize the effects of risk on its capital and earnings, reputation and shareholder value, it must implement a comprehensive enterprise risk management (ERM) program. A successful ERM framework not only aligns a firm’s people, processes and infrastructure but also yields a benchmark for risk/reward and aids in risk visibility for operational activities.

Ultimately, ERM should provide a firm with a competitive advantage – but what factors should be evaluated as one goes about developing it? Here are seven key components that must be considered:

1. Business Objectives and Strategy

Risk management must function in the context of business strategy, and the first step in this integration is for the organization to determine its goals and objectives. Typical organizational strategic objectives include market share, earnings stability/growth, investor returns, regulatory standing and capital conservation.

From there, an institution can assess the risk implied in its strategy implementation and determine the level of risk it is willing to assume in executing that strategy. The firm’s internal risk capacity, existing risk profile, vision, mission and capability are among the factors that must be considered when making this determination.

All strategies are predicated on assumptions (beware of those that are unspoken and unverified) and calculations that may or may not be accurate; the role of ERM is to challenge these assumptions and, moreover, to execute the strategy. ERM and strategic management are not two separate things. Rather, they are two wheels of a bicycle that must be built uniformly to contribute to the stability of the whole.

2. Risk Appetite

Risk direction is defined by the risk appetite, which in turn is defined as “the amount of risk (volatility of expected results) an organization is willing to accept in pursuit of a desired financial performance (returns).”

John Thackeray

A risk appetite statement is the critical link that combines strategy setting, business plans, capital and risk. It reflects the entity’s risk management philosophy and influences the culture and operating style. A firm’s existing risk profile, risk capacity, risk tolerances and attitudes toward risk are among the considerations that must be taken into account when developing the risk appetite.

The risk appetite statement should be developed by management (with board review) and must be translated into a written form. The overall risk appetite is communicated through a broad risk statement, but should also be expressed, individually, for each of the firm’s different categories of risk.

An effective risk appetite statement should be precise, so that it can not only be communicated and operationalized but also aid decision making. More importantly, it needs to be broken down into specific operating metrics that can be monitored.

Once the risk appetite is set, it needs to be embedded, and then continuously monitored and revised. As strategies and objectives change, the risk appetite must also evolve.

3. Culture, Governance and Taxonomy

The risk appetite statement should be conveyed through culture, governance and taxonomy. These three factors help an organization manage and oversee its risk-taking activities.

A strong risk culture – set from the top and augmented by comprehensively defined roles and responsibilities, with clear escalation protocols – is a must for successful ERM implementation. Strong, well-thought-out risk management principles, combined with ownership and culture training, help promote, reinforce and maintain an effective risk culture. Evidence of a strong risk culture can be seen in open communication, both in conflict resolution and in top-down/bottom-up decision making.

Operating and support areas must be included in a healthy ERM program from the perspectives of engagement, training and support. In fact, with the right tone from the top, these areas can become partners and even owners with the ability to manage outcomes, ensuring transparency and accountability.

Good ERM is about understanding change and managing that change within the overall mandate – rather than in isolation. Intertwined with this change is a need for a risk taxonomy, which can help better identify and assess the impact of the risks undertaken.

4. Risk Data and Delivery

It’s all about the data – more specifically, collecting, aggregating and distributing the correct data. Risk data and delivery must be robust and to scale, so that the information collected, integrated and analyzed can be translated into cohesive, credible narratives and reports.

5. Internal Controls

The internal control environment helps senior management reduce the level of inherent risk to an acceptable level, known as residual risk. Undoubtedly, it is one of the most important tools in the risk manager’s toolbox.

Residual risk is the inherent risk that remains after internal controls have been applied. An effective control environment must encourage and allow for a consistent structure that is balanced and realistic within the context of a company's internal workings.

6. Measurement and Evaluation

Measurement and evaluation determine which risks are significant, both individually and collectively, as well as where to invest time, energy and effort in response to these risks. Various risk management techniques and tools should be used to measure and quantify the risks, on both aggregate and portfolio levels.

To meet the requirements of different stakeholders and oversight/governance bodies, all risks, responses and controls must be effectively communicated and reported. The oversight/governance bodies are tasked with ensuring that a firm’s risk profile aligns with its business and capital plans.

7. Scenario Planning and Stress Testing

Given that management must address both known and unknown risks, tools like scenario planning and stress testing are used to help shed light on the unknown risks and, more importantly, on the interconnections between risks. Armed with this information, the organization can develop contingency plans to model these risks and at least counter their effects on future operational viability.

Parting Thoughts

ERM is not a passing fad. Indeed, it is now instrumental to the survival of an organization.

It allows an organization to navigate, with some certainty, the risks posed to its business objectives and strategy. In short, ERM is good business practice.

This article was published on Global Association of Risk Professionals

Models are all around us — integral and important to operational efficiency — but the risks that they sometimes pose can materially impact the financial well-being of even the most well-structured organizations. In order to understand the risks, we must first define what a model is and what the inherent risks are when operating a model.

A model refers to a quantitative method, system or approach that applies statistical, economic, financial or mathematical techniques and assumptions to process data into quantitative estimates. In other words, it’s a methodical way to process and sort data. A model consists of three components:

  1. An input
  2. A processing element
  3. An output

To build on that idea, model risk is the potential for the misuse of models to adversely impact an organization. Model risk primarily occurs for three reasons: a) data, operational or implementation errors; b) prediction errors; and c) incorrect or inappropriate usage of model results.

Models assist in the identification, assessment, evaluation and measurement of risk. They can also assist in monitoring both nonfinancial risks, such as behavioral analysis, and financial risks, such as credit risk.

It therefore makes sense to warehouse these different models under a central Model Risk program. Such a holistic program can offer a consistent approach in addressing the challenges outlined below.

Challenges of a model risk program

Model risk programs can have the following inherent challenges:

What to include in your model risk program framework

In order to address these challenges, I would recommend incorporating the following nine model risk documentation components that enable the framing of your model risk program.


9 risk documents that help frame the model risk program

  1. A clear and consistent organizational narrative documented in writing covering principles, objectives, scope, model risk program design (including standards) model risk appetite, model risk taxonomy, controls and industry regulations.
  2. A policy describing the oversight and governance which will include the roles and responsibilities of all stakeholders and participants.
  3. Well-thought-out and actionable model risk management policies and procedures, to include:
     a. Data management policy
     b. Model validation policy and requirements
     c. Model documentation requirements for both in-house developed models and third-party vendor models.
  4. Policy and procedures to include the completeness of the current model inventory and process of updating on an ongoing basis.
  5. Policy and procedures which will risk rate the model’s materiality to the function of the organization.
  6. A model development and implementation policy which incorporates the following considerations:
     a. Integration into new products
     b. Planning for model updates and changes
     c. Planning for additional uses of existing models
  7. A model validation policy which incorporates the following considerations:
     a. Evaluation of conceptual soundness, methodology, parameter estimation, expert and other qualitative data
     b. Assessment of data inputs and quality
     c. Validation of model outcomes
     d. Assessment of ongoing monitoring metrics and performance
     e. Model risk scoring
  8. A documented model issue management and escalation process which will describe the issues, cataloguing of issues, issue remediation and action plans.
  9. Disaster and contingency planning policy for approved models describing the Plan B in case of model failure, corruption or cyberattack.

The payoff of so much documentation

Model risk is very real, and I’ll be honest — it requires a heavy lift in documentation. But by covering your bases, the documentation will provide a consistent set of standards, which articulate guiding principles that cover the model process and provide comprehensive guidance for practice and standards on an enterprise-wide level.

This article was published on ACFE Insights

Operational resilience is defined as the ability of firms, industries, and sectors as a whole to prevent, respond to, recover from, and learn from operational disruption. It is a set of techniques that allows people, processes, and information systems to alter operations in the face of changing business conditions.

Enterprises that are operationally resilient have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification.

A resilient enterprise is able to recover its key business services from a significant unplanned disruption, protecting its customers, shareholders, and reputation—and, ultimately, the integrity of the financial system. But enterprise operational resilience is about more than just protecting the resilience of systems; it also covers governance, strategy, business services, information security, change management, run processes, and disaster recovery. Avoiding disruption to a particular system that supports a business service contributes to operational resilience.

Thus, operational resilience is an outcome. Operational risk, meanwhile, is a risk—which, if not properly controlled, threatens operational resilience. Therefore, in order to achieve operational resilience a firm must first manage operational risk effectively.

The Operating Environment and the Influence of Regulators

The operating environment for financial firms has changed significantly in recent years, with many adverse and material events becoming a near certainty. Regulators now want operational resilience to be a process that boards and senior managers are directly engaged with and responsible for through governance and assurance models.

Regulators are promoting the principles that foster effective resilience programs and their benefits for firms, customers, and markets. In July 2018, the U.K.’s financial services regulators—the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority— brought the concept of operational resilience into the limelight with the publication of a joint discussion paper, “Building the UK Financial Sector’s Operational Resilience.”

The key requirements noted in the discussion paper include the following:

What It All Means

The Bank of England and other central banks are likely to be more interested in system-wide scenarios of disruption and common vulnerabilities (for example, firms relying on third parties), while individual firms will often focus on and test firm-specific scenarios.

Central banks may wish to test whether firms collectively have adequate resources to deal with a severe operational disruption and whether firms may be undertaking their contingency planning without the availability of common resources.

This is especially relevant in the payments system and may require a common sharing of payment capability if a firm’s systems were to be compromised. The idea of sharing a competitor’s payment platform may seem absurd, but the need to ensure for the greater good may outweigh an individual firm’s vested interests.

The Bank of England’s approach is built around two key concepts: impact tolerances and business services.

Impact tolerance is defined as a firm's tolerance for disruption in the form of a specific outcome or metric. Crucially, tolerance is built on the assumption that disruption will occur and that the tolerance remains the same irrespective of the precise nature of the shock. The tolerance is cause-agnostic. So, rather than concentrating risk mitigation solely on minimizing the probability of a disruptive event, impact tolerance focuses the board and senior management on minimizing the impact of a disruption. Impact tolerance thus provides a focus for response, recovery, and contingency planning alongside traditional operational risk management.

Impact tolerance is then linked to a business service. Doing so provides a clear focus for firms’ efforts to enhance their operational resilience, which may include, for example, plans to upgrade IT systems, business continuity exercises, and communication plans. Importantly, the focus is on business services—not IT systems.

What Will Your Institution’s Approach Be?

Firms should be taking six critical actions to support and evolve their approach to operational resilience:

  1. Identify critical services: This is the discovery phase. The enterprise should begin by documenting its business services and mapping them to the underlying technology (cloud infrastructure, data centers, applications, etc.) and business processes (disaster recovery, cyberincident response plans, etc.).
  2. Understand impact tolerance: In this phase, the underlying technologies and processes are then assessed against key performance indicators or key risk indicators. This assessment is used to create a risk score for each business service, which is then reviewed against agreed-to impact tolerances. Through the use of scenarios, firms need to estimate the extent of disruption to a business service that could be tolerated. Scenarios should be severe but plausible and assume that a failure of a system or process has occurred. Firms must then decide their tolerance for disruption—that is, the point at which disruption is no longer tolerable.
  3. Know your environment: Using the assessment, the firm develops a remediation plan that gives priority to the business services with the largest disparity between risk score and acceptable impact tolerance. Having been communicated to the regulators and aligned with their expectations, the remediation plan is then funded and executed, and the business service is reassessed for resilience. This should incorporate third parties, which are the second-largest root cause of operational outages after missteps in change management.
  4. Operationalize the program: The operational resilience program must be able to evolve with the business. Firms should understand which external or internal factors could change over time and which trends could impact the key business services identified, then adjust their resilience plans accordingly. An important step in the process is testing, which is also prioritized by the risk materiality of key business services. Tests such as the simulation of disruption events can advance the enterprise from having informed assessments to demonstrating capabilities to stakeholders and regulators.
  5. Robust and coherent reporting: For boards and senior management, risk metrics and reporting provide an important insight into the effectiveness of the operational resilience program. Having a robust communication policy and strategy that uses all forms of media and engages with all stakeholders is essential to any resilience program.
  6. Collaboration: Firms should work together, pool resources, and share information—in short, develop noncompetitive solutions to a shared threat—to the extent possible.
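Steps 1 to 4 above can be exercised on a small model of the estate. The following Python is an added example written for this page; it is not the article's, a regulator's or any vendor's tooling, and every service, component, restore time and impact tolerance in it is an assumption made up for illustration. It maps business services to the components they depend on (step 1), estimates each service's worst-case time-to-restore along the longest dependency chain and compares it with the service's impact tolerance (step 2), ranks the services with the largest gap first as the remediation backlog (step 3), and replays a specific outage, such as the loss of a third-party card processor, as a severe-but-plausible test (step 4).

```python
"""Constructed example (not the article's or any regulator's tooling): map
business services to the components they depend on, estimate time-to-restore
along the dependency chain, compare it with each service's impact tolerance,
rank the remediation backlog, and replay a specific outage scenario.
All names and hours below are assumptions made up for illustration."""

# Component -> (own restore time in hours once its dependencies are back,
#               components it depends on).
COMPONENTS = {
    "core_banking_db":    (6.0, []),
    "hsm_cluster":        (8.0, []),                          # key-management appliance
    "payments_gateway":   (2.0, ["core_banking_db", "hsm_cluster"]),
    "card_processor_3p":  (12.0, []),                         # third-party provider
    "identity_provider":  (3.0, []),
    "mobile_app_backend": (1.0, ["core_banking_db", "identity_provider"]),
    "statement_batch":    (4.0, ["core_banking_db"]),
}

# Business service -> (impact tolerance in hours, the components that serve it).
SERVICES = {
    "domestic_payments":  (4.0, ["payments_gateway"]),
    "card_payments":      (2.0, ["payments_gateway", "card_processor_3p"]),
    "mobile_banking":     (8.0, ["mobile_app_backend"]),
    "monthly_statements": (48.0, ["statement_batch"]),
}


def restore_time(component, failed, components=COMPONENTS, _path=()):
    """Hours until `component` is usable again when the components in `failed`
    are down. A component that has not itself failed needs no restore work but
    is still unusable until its failed dependencies come back, so the answer is
    the longest dependency chain plus the component's own time if it failed.
    A dependency cycle has no finite restore time and is reported as an error."""
    if component in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (component,)))
    own, deps = components[component]
    waiting = max((restore_time(d, failed, components, _path + (component,)) for d in deps),
                  default=0.0)
    return waiting + (own if component in failed else 0.0)


def assess(services=SERVICES, components=COMPONENTS, failed=None):
    """Per service: estimated outage, tolerance, gap and breach flag.
    With `failed` unset, assume everything is down: tolerance is cause-agnostic,
    so the mapping phase plans for loss of the whole dependency tree."""
    if failed is None:
        failed = set(components)
    result = {}
    for name, (tolerance, entry_points) in services.items():
        est = max(restore_time(c, failed, components) for c in entry_points)
        result[name] = {"estimated": est, "tolerance": tolerance,
                        "gap": est - tolerance, "breach": est > tolerance}
    return result


def remediation_backlog(assessment):
    """Services outside tolerance, largest gap first: the order to fund remediation."""
    breached = [(n, r["gap"]) for n, r in assessment.items() if r["breach"]]
    return [n for n, _ in sorted(breached, key=lambda x: -x[1])]


def simulate_outage(failed_components, services=SERVICES, components=COMPONENTS):
    """Severe-but-plausible scenario: which services breach when these components fail?"""
    return remediation_backlog(assess(services, components, set(failed_components)))


if __name__ == "__main__":
    full = assess()
    for n, r in full.items():
        print(f"{n:20s} est {r['estimated']:5.1f}h  tol {r['tolerance']:5.1f}h  gap {r['gap']:+6.1f}h")
    print("remediation order:", remediation_backlog(full))
    print("third-party card processor down:", simulate_outage({"card_processor_3p"}))
    print("core banking database down:", simulate_outage({"core_banking_db"}))
```

Because tolerance is cause-agnostic, the default assessment assumes the whole dependency tree is down, so the estimate is the longest restore chain rather than any one component's time; the scenario run then shows which services a single failure would push outside tolerance, and in this constructed estate the third party is the single component that breaches a service on its own. The cycle check matters in practice: a dependency map that loops (a monitoring system that needs the database it is meant to help restore) has no finite restore time and should be flagged, not silently tolerated.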


Operational resilience is essentially an upgrade that moves operational risk management from passive to active. Operational risk management, once the poor sibling of credit and market risk management, has stepped into the limelight because its importance can no longer be overlooked. That being the case, it needs upscaling and upgrades of both resources and vision to bring ORM programs to a more resilient state. Given the number of pressing regulatory programs, firms must weave operational resilience into their infrastructure and mindset.

This article was published on The RMA Journal