By John Thackeray


An organization can become more productive by championing a hybrid workplace model that fosters and promotes a culture of inclusivity and trust. At the heart of a hybrid workforce model are the ideas of shared ownership and trust, which can help the organization break down long-standing beliefs about productivity and performance.

Trust is one of the most important ingredients in this model, and it can be facilitated by delivering creative management strategies and exhibiting clear behavioral standards. This trust requires management strategies to place a greater emphasis on behavioral standards such as accountability, transparency, and communication, creating a culture whereby employees feel safe and appreciated within an inclusive environment.

Trust and Management Strategies

Maintain greater leadership communication and visibility: create new ways to engage informally with your employees. By defining and embracing new behaviors that are observable to all, and by deliberately making space for virtual employees to engage in informal interactions, leaders can facilitate social cohesion and trust-building in their teams.

Establish team rituals to cement a strong bond of personal relationships, enabling team members to have fun in a safe environment and thus improving morale. Ensuring that the transitions between the respective team norms for onsite and remote work are as smooth as possible gives employees a cohesive experience that feels designed and shared, not random.

Foster an open environment by letting employees’ voices be heard, e.g. by means of a virtual “Lunch and Learn” or a “Fly By” opportunity with an executive, giving employees the opportunity to share in a safe setting.

Re-evaluate your procedures and policies, ensuring that the content is consistent, resilient and fit for purpose in the hybrid workplace. For example, the importance of onboarding has never been greater in emphasizing team and trust and in setting out and reinforcing cultural values and expectations; this requires considerable procedural changes to previous practices.

Measure performance on outcomes: instead of focusing on tasks or hours worked, focus on the outcomes and the quality of results. By focusing on results over style, regardless of location, a more productive, engaging, and meaningful work culture can be evidenced and shared. Success is evidenced by means of clear and transparent key performance indicators (KPIs).


In order to be more productive, the culture must embrace the hybrid model with a mindset of shared ownership and trust, principles which in turn should complement the existing values of the organization.

In February, the Federal Reserve Board is expected to release scenarios for its 2020 Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act stress test (DFAST) exercises. Moreover, the European Banking Association recently published templates for its EU-wide stress tests. In short, despite the fact that DFAST requirements, in particular, have been scaled back, stress testing is still extremely important for both banks and supervisors.

Since the 2008-09 financial crisis, with the help of severely adverse scenarios and other stress tests, banks have significantly increased their capital buffers relative to risk-weighted assets. The financial system, moreover, now seems much better prepared to withstand a severe shock.

Banks have also used stress tests to improve their modeling, governance and data gathering, and there is now better communication between risk managers and business executives. All of this, of course, is linked not only to greater regulation but also to banks’ understanding about the potential business benefits of the tests.

Stress testing is a forward-looking risk management tool for evaluating the potential impact of both unexpected events and changes in a firm’s financial variables – including capital, asset quality and profitability. It incorporates risk into planning by providing the “what if” scenarios for the strategic and capital planning processes.

The establishment of risk appetite, balance sheet management, risk management and capital management are all inextricably linked to stress testing. The simple objective of stress testing is to keep institutions as a going concern balancing risk capacity (capital, earnings) with risk exposure (credit, market, operational, etc.).

Ultimately, stress testing should also lead to calls for action, which may take the form of, say, developing contingency plans, reducing concentrations, determining the appropriate dividend, or raising capital through equity or debt.

There is a three-item checklist for developing effective stress testing: firms must (1) understand and deploy various kinds of stress tests; (2) build a comprehensive framework for modeling different scenarios; and (3) determine whether a top-down or bottom-up approach is the best strategy for evaluating the impact of shocks to macroeconomic variables.

Scenario Analysis, Reverse Stress Testing and Sensitivity Analysis

There are three types of stress testing:

Scenario Analysis entails the development of historical or hypothetical scenarios to assess the impact of various events. Scenarios usually involve a coherent, logical narrative that describes how events occur and in which combination and order.

Through scenario analysis, a firm can evaluate the impact of specified scenarios on its financial position. The scenarios can be chosen based on a defined probability of occurrence – for example, a ‘one-in-a-hundred-years’ event.

The application of scenario analysis shows the complex dependencies between several risk factors and their related key performance indicators (KPIs).

Reverse stress testing assumes a known adverse outcome and then deduces the types of events that could lead to such an outcome. This type of stress testing considers scenarios beyond normal business considerations, challenging common assumptions.

Sensitivity Analysis involves changing and stressing variables, parameters or inputs without an explicit, underlying reason or narrative.

Building a Proper Framework

Stress testing planning must be plausible, consistent, adaptive and reportable. This planning must be underpinned by a robust and effective framework that uses scalable reference data and relies on the efficiency and suitability of its forecasting models.

Furthermore, the framework should test the robustness of risk models: checking the sensitivity of models to different and divergent stresses may help evaluate their effectiveness. The adequacy and practicability of risk limits and triggers must also be measured, and relevant risk drivers should be identified.

Components of a Stress Testing Framework

Forecasting the impact of stresses and scenarios on the business plan can help prove, or disprove, the viability of that plan. Stress testing, moreover, should enable the understanding of the cause-effect relationship between stresses and changes in the risk profile of a company, allowing senior management to make prompt, well-informed business decisions.

Two Approaches

There are two common stress testing approaches: bottom-up and top-down.

The bottom-up approach evaluates the impact of shocks to macroeconomic variables at the most granular level of data. It considers shocks at individual customer levels, and the results are then aggregated to give a firmwide view of the impact on the firm’s capital levels.

The top-down approach, in contrast, evaluates the impact of shocks to macroeconomic variables on a firm’s balance sheet or income statement.

There are, of course, advantages and disadvantages (see chart, below) to each approach.

Stress Testing Approaches: Pros and Cons

Bottom-Up Approach
  Pros: Realistic modelling of linkages between changes in economic conditions and risk factors. Captures the idiosyncratic risk of the firm.
  Cons: Model and technology intensive, making this approach time consuming. Requires continuous validation of models and underlying assumptions. Makes it difficult to benchmark peers, as the idiosyncratic risk is not separated from the systemic risk.

Top-Down Approach
  Pros: Less dependent on complex models and therefore quicker to implement. Requires minimal monitoring and intervention.
  Cons: Assumes a static balance sheet. Gives an imprecise modelling of linkages between changes in economic conditions and risk factors. Doesn’t capture the idiosyncratic risk of the firm. Doesn’t capture concentration and correlation risks adequately; assumes zero or constant correlation among portfolios. May give varied results when underlying economic conditions change, even though the balance sheet composition may remain the same.

Combination
  Pros: Combining or contrasting both approaches would yield a clearer picture.
  Cons: Takes a lot of planning and preparation.

Parting Thoughts

Stress testing can shape the risk profile of your organization. It identifies risk concentrations across various business lines, allowing management to form contingency plans while also providing for the integration of business strategy, risk management and capital planning.

What’s more, it offers a forward-looking view of strategic opportunities, and promotes risk discussions that lead to enhanced internal and external risk communication.

This article was published on Global Association of Risk Professionals

LIBOR Transition

This article was published on Global Association of Risk Professionals

The volume, velocity and range of regulatory change actions today are overwhelming. By having a regulatory change management system to track and monitor regulatory change activity, you can provide your executives and regulators with more visibility and a clear outline of what you are doing to minimize compliance risk. Regulators want to see that organizations have a transparent process to manage regulatory change, and that employees have a clear understanding of their roles and responsibilities. For this, you need a clear, auditable and automated process in place with the major components of the process being planning, identification, and clear and consistent definitions.

Risk Appetite (Identification)
Organizations need to determine their risk appetite so that they can better determine how much risk they are capable of managing and what their risk profile looks like. To apply a risk-based approach, you must establish a set of criteria and prioritize the most relevant regulatory content against your risk profile. Your risk profile should be applied to the predefined content taxonomy and mapped to the specific risks identified as material.

Common Taxonomy (Definition)
One of the first key steps in the regulatory change management process is to define a set of criteria for content to be managed by an available taxonomy. Within that system, you should use a compliance taxonomy to filter content based on factors like geography, sector, content type, themes and organizations. It is also helpful to map regulatory taxonomies to internal taxonomies for structure, products and organization.

Roles and Responsibilities (Definition)
With the rise in personal liability and enforcement actions, there should be a clear job description in place and an automated compliance management system that maps regulatory change activity to relevant policies and controls. This helps teams and owners to easily identify what requires updating and then communicate this to the relevant individuals.

Staying Current (Planning)
A challenge for compliance teams is staying current: continuously monitoring and analyzing regulatory developments to maintain a strong awareness of the regulatory landscape. This is important so that you can have a comprehensive, effective plan in place before a regulatory change is implemented.

Tracking System (Planning)
You need to map relevant regulatory actions to related controls and policies for which you have identified owners. This is simplified when an automated system is housed in one application, which ensures that each time a regulatory change alert takes place it gets sent directly into the business’ workflow process so the teams can perform impact assessments to determine what needs updating. A control requirement may be critical to multiple regulations, but using this approach means testing the control once and feeding the results back to each regulatory assessment.

The financial crisis of 2008 will haunt the memories of a generation and will always be the stick that dictates more, not less regulation. The smart move is to embrace regulations and to make them work for you, rather than against you, by organizing your company or agency accordingly.

This article was published on ACFE Insights

Compliance seems to be everyone’s business because, for many firms, it involves managing financial crime, money laundering and cyber risks. This means compliance has to not only be defensive, but offensive as well. Given this increased area of responsibility and scope, here are seven ways to have an effective compliance program:

  1. Metrics
    The cost of compliance, return on compliance and/or return on compliance investment will help build the business case for stronger and more robust compliance and ethics programs. Comparison with your peers will also add context to the metrics.

    Metrics include:
    1. Compliance fines/compliance costs (%)
    2. Reputational risk incidence (high, medium, low)
    3. Number of investigations and costs per remediation ($)
    4. Risk compliance assessment completed (%)
    5. Policies and procedures: revised/refreshed/rewritten (%)
    6. Training programs completed and post effectiveness surveys
    7. Regulatory visits and associated costs ($)
  2. Compliance Shareholder Relationship Management (CSRM)
    An effective compliance and ethics program is heavily dependent on relationships with both internal and external stakeholders, including regulators of all sorts. Third-party management will inevitably involve a range of stakeholders – including compliance, procurement, contracts and internal audit (as a minimum). Coordination and messaging will be of paramount importance.
  3. Change Management
    Larger companies face an increasing compliance and ethics challenge: reaching, and impacting, all employees. As older generations retire and younger generations enter, the way you manage your compliance and ethics program – within your team and across the organization – must adapt. With the workforce’s changing needs coupled with the industry’s changing needs, new layers of compliance and ethics arise.
  4. Reduce Compliance Fatigue
    Compliance fatigue diminishes the impact of the compliance program. Consider “branding” the Compliance Program as part of an exercise to raise the game.
  5. Compliance Standards
    Companies are increasingly facing a dizzying array of optional and nonoptional overlapping standards, such as ISO 19600, the international compliance management system standard. Consideration should be given to what standards and qualifications need to work now and in the future.
  6. Regulatory Responsiveness
    In short, it means that when regulators find gaps in an AML program, they don’t want to be given short shrift. They don’t want to come back the next year and see little, or nothing, was done to fix what examiners have already identified. The term “repeated” is a key one in enforcement actions throughout the year.

    On the issue of compliance responses, several actions in 2016 made it clear that when compliance is not supported, all are affected. Some notable enforcement actions that embodied this trend included:
    1. Raymond James: FINRA fined the institution $17 million and implemented a $25,000 individual penalty on the chief AML officer.
    2. Agricultural Bank of China: NY DFS penalized the New York branch of this Chinese institution $215 million for willful violations of AML and sanctions regulations.
  7. Compliance Convergence
    In October 2016, a FinCEN “Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime” represented the strongest push for collaboration to date between AML, fraud and cyber functions. The advisory called for greater teamwork between BSA/AML units and in-house cybersecurity units to identify suspicious activity. It also pushed for more sharing of information, including cyber-related information, among financial institutions to guard against and report money laundering, terrorism financing and cyber-enabled crime.

Though I cannot guarantee that these suggestions either as a whole or singularly will improve effectiveness, the implementation of such measures will go a long way in sending a message that compliance is a strong and necessary partner for the organization tackling the best and worst of times.

This article was published on ACFE Insights

On May 25, 2018, the General Data Protection Regulation (GDPR) will take effect in the EU. This important but somewhat vague rule will require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. Moreover, it will regulate the exportation of personal data outside the EU, and any firm that does not meet its requirements could not only suffer reputational damage but also potentially be fined tens of millions of dollars.

The GDPR takes a wide view of what constitutes personal identification information: companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for names, addresses and Social Security numbers.

The Basics

Once the GDPR is in effect, the current Data Protection Directive (“95/46/EC”) will be repealed. Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU.

In short, the GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU. Even non-EU established organizations will be subject to the GDPR. If your business offers goods and/or services to citizens in the EU, then it’s subject to the GDPR.

The GDPR will protect the following privacy data: (1) basic identity information, such as name, address and ID numbers; (2) web data, such as location, IP address, cookie data and RFID tags; (3) health and genetic data; (4) biometric data; (5) racial or ethnic data; (6) political opinions; and (7) sexual orientation data.

Under the GDPR, individuals will have the following rights:

  1. The right to access. This means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. The company must provide a copy of the personal data, free of charge and in an electronic format, if requested.
  2. The right to be forgotten. If consumers are no longer customers, or if they withdraw their consent from a company to use their personal data, then they have the right to have their data deleted.
  3. The right to data portability. Individuals have a right to transfer their data from one service provider to another – and this must happen in a commonly used and machine-readable format.
  4. The right to be informed. This covers any gathering of data by companies, and individuals must be informed before data is gathered. Consumers must opt in for their data to be gathered, and consent must be freely given rather than implied.
  5. The right to have information corrected. This ensures that individuals can have their data updated if it is out of date or incomplete or incorrect.
  6. The right to restrict processing. Individuals can request that their data is not used for processing.
  7. The right to object. This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule, and any processing must stop as soon as the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
  8. The right to be notified. If there has been a data breach that compromises an individual’s personal data, the individual has a right to be informed within 72 hours of the breach first being detected.

Non-Compliance Factors and Penalties

Failure to comply with the GDPR may be disastrous in terms of reputational and financial risk. Penalties can be imposed based on certain factors, including: (1) the nature, gravity and duration of the infringement (e.g., how many people were affected and how much damage was suffered by them); (2) whether the infringement was intentional or negligent; (3) whether the controller or processor took any steps to mitigate the damage; (4) technical and organizational measures that had been implemented by the controller or processor; (5) prior infringements by the controller or processor; (6) the degree of cooperation with the regulator; (7) the types of personal data involved; and (8) the way the regulator found out about the infringement.

The following sanctions can be imposed for non-compliance:

The GDPR requirements will force US companies that handle personal data on EU citizens to change the way they process, store and protect customers’ personal data. For example, companies will be allowed to store and process personal data only when the individual consents – and for “no longer than is necessary for the purposes for which the personal data are processed.” Personal data must also be portable from one company to another, and companies will also be required to erase personal data upon request.

GDPR, however, cannot supersede any legal requirement for an organization to maintain certain data – e.g., it does not apply to HIPAA health record requirements.

How to Build an Effective Framework

Let’s now discuss 12 steps your organization can take to implement and maintain an effective GDPR risk management program:

  1. Establish a strong governance structure, with clear roles and responsibilities that involve all stakeholders from all parts of the organization. The GDPR defines several roles that are responsible for ensuring compliance: data controller, data processor and the data protection officer (DPO).

The data controller defines how personal data is processed and the purposes for which it is processed. The controller is also responsible for making sure that outside contractors comply. Data processors, meanwhile, maintain and process personal data records, and can be internally or externally sourced.

The GDPR holds processors liable for breaches or non-compliance. Even if the processing partner is entirely at fault for non-compliance, it’s possible that both your company and the processing partner – such as a cloud provider – will be held liable for penalties.

  2. Ensure that you have clear policies in place to prove that you meet the required global data hygiene standards. Establish a culture of monitoring, reviewing and assessing your data processing procedures, aiming to minimize data processing and retention of data, and building in safeguards.

Privacy risk impact assessments will also need to be conducted to review any risky processing activities and the steps taken to address specific concerns.

  3. Conduct a risk assessment. It’s important to understand not only what data your company stores and processes on EU citizens but also the risks that surround that data. Remember, the risk assessment must outline measures taken to mitigate that risk, and a key element of this assessment will be to uncover all shadow IT that might be collecting and storing personally identifiable information (PII).
  4. Implement measures to mitigate risk. Once you’ve identified the risks and how to mitigate them, you must put those practices into place – i.e., you may need to upgrade existing risk mitigation measures.
  5. Test incident response plans. The GDPR requires that companies report breaches within 72 hours. How well the response teams minimize the damage will directly affect the company’s risk of fines for the breach. Make sure you can adequately report and respond to breaches within the 72-hour window.
  6. Prepare for data security breaches. Put in place clear policies and well-practiced procedures (playbooks) to ensure that you can react quickly to any data breach and notify regulators on time.
  7. Write privacy risk into the risk taxonomy. This will ensure that privacy is embedded into any new processing or product that is deployed.
  8. Analyze the legal basis on which you use personal data. Consider what data processing you undertake. If you do rely on obtaining consent, review whether your documents and forms of consent are adequate – and check that consents are freely given, specific and informed.
  9. Check your privacy notices and policies.
  10. Bear in mind the rights of data subjects, such as the right to data portability and the right to erasure. If you store personal data, consider the legitimate grounds for its retention.
  11. If you are a data supplier to others, consider whether you have new obligations as a processor. GDPR imposes some direct obligations on processors, which you will need to understand and build into your policies, procedures and contracts.

Consider whether your contractual documentation is adequate and, for existing contracts, check who bears the cost of making changes to the services because of the changes in laws or regulations. If you obtain data processing services from a third party, it is very important to determine and document your respective responsibilities.

  12. Ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognized as having adequate data protection regulation. It will be particularly important to keep track of cross-border data transfers, including intra-group transfers.

This article was published on Global Association of Risk Professionals

On January 1, 2018, the accounting methodology for credit impairment will be dramatically overhauled, requiring European financial institutions to move from an incurred credit loss (past) to an expected credit loss (future) model. That date, of course, is the implementation deadline for the IASB’s International Financial Reporting Standard 9 (IFRS 9).

IFRS 9 and its US counterpart, CECL, will bring major changes to financial statements, presenting challenges and ratcheting up uncertainty in the process. Banks and investors will see major differences in reported numbers (particularly when compared with historical financial reports), and will collectively need to rationalize the extent to which these differences are due to accounting rule changes versus something more fundamental to the portfolio.

IFRS 9 not only significantly increases the volatility of earnings but could also force the reduction of balance sheets; the freeze or disposal of certain businesses; and a need for banks to boost their capital influx (to stay above regulatory minimums). Under the standard, credit loss projection volatility is expected to exceed both historically derived norms and the calculations required by Basel III for credit risk.

What’s more, financial institutions will have to transition from a loan loss provisioning model that is based on existing default events (the current model) to one that accounts for losses over the lifetime of a loan. The provisioning will move from a framework that relies on common metrics – such as days past due and other likely default indicators – to one where the lifetime loss estimates can vary based on multiple, less transparent factors.


More specifically, IFRS 9 follows a dual credit-loss measurement approach in which expected credit losses (ECLs) are measured in stages to reflect deterioration over different periods, ranging from a 12-month loss to a life-of-loan loss.

IFRS 9 has three loan stages: (1) stage 1 loans must recognize ECLs over a 12-month period; (2) stage 2 loans must measure lifetime ECLs; and (3) stage 3 loans must calculate lifetime ECLs plus a haircut to future interest revenues. Banks, moreover, must draw these provisions from the same pool of retained earnings used to buttress common equity tier 1 capital, meaning a spike in ECLs will result in an equal plunge in capital ratios.

Loss estimates under IFRS 9 must be recalculated at quarterly intervals to reflect new information about credit and economic conditions that come to light during each reporting period; this will require a determination to be made about whether probability of default (PD) for each specific loan has increased since the initial loan recognition. If PD has increased, capital may need to be reallocated.
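The staging and quarterly recalculation described above, worked through in code as an added example that is not from the article. It assumes the standard ECL = PD x LGD x EAD decomposition, a marginal annual PD curve per loan, constructed thresholds for a "significant" PD increase since initial recognition, and that the stage 3 interest haircut means accruing interest on the net carrying amount; the sample loans are constructed.

```python
"""IFRS 9 staging and expected credit loss (ECL) illustration.

Added example, not code from the article. Assumptions (not on the page):
ECL = PD x LGD x EAD; PDs are a marginal annual PD curve over the remaining
life; a 'significant increase in credit risk' is approximated by a constructed
rule (lifetime PD at least doubles and rises by at least one percentage point
versus initial recognition); stage 3 interest accrues on the net carrying
amount (EAD less ECL), which is the 'haircut' to interest revenue.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Loan:
    name: str
    ead: float                      # exposure at default
    lgd: float                      # loss given default, as a fraction of EAD
    pd_at_origination: List[float]  # marginal annual PDs at initial recognition
    pd_now: List[float]             # marginal annual PDs at the reporting date
    defaulted: bool = False         # credit-impaired (stage 3) flag


def cumulative_pd(marginal_pds: List[float], years: int) -> float:
    """Probability of defaulting at least once within `years` years."""
    survival = 1.0
    for pd in marginal_pds[:years]:
        survival *= 1.0 - pd
    return 1.0 - survival


def assign_stage(loan: Loan, relative: float = 2.0, absolute: float = 0.01) -> int:
    """Stage 1/2/3 as the article describes; the increase thresholds are constructed."""
    if loan.defaulted:
        return 3
    life = len(loan.pd_now)
    pd_orig = cumulative_pd(loan.pd_at_origination, life)
    pd_curr = cumulative_pd(loan.pd_now, life)
    if pd_curr >= relative * pd_orig and pd_curr - pd_orig >= absolute:
        return 2  # significant increase in credit risk -> lifetime ECL
    return 1      # no significant increase -> 12-month ECL


def expected_credit_loss(loan: Loan, stage: int) -> float:
    """12-month ECL for stage 1; lifetime ECL for stage 2; PD = 1 for stage 3."""
    if stage == 3:
        return loan.lgd * loan.ead
    horizon = 1 if stage == 1 else len(loan.pd_now)
    return cumulative_pd(loan.pd_now, horizon) * loan.lgd * loan.ead


def interest_revenue(loan: Loan, stage: int, rate: float) -> float:
    """Stage 3 interest is accrued on the net carrying amount (the haircut)."""
    base = loan.ead - expected_credit_loss(loan, 3) if stage == 3 else loan.ead
    return rate * base


def provision_portfolio(loans: List[Loan]) -> Dict[str, object]:
    """One reporting-period run: restage every loan on current PDs, total the provision."""
    stages: Dict[str, int] = {}
    total = 0.0
    for loan in loans:
        stage = assign_stage(loan)
        stages[loan.name] = stage
        total += expected_credit_loss(loan, stage)
    return {"stages": stages, "total_ecl": total}


# Constructed sample portfolio (not from the article): A is unchanged since
# origination, B's PD has tripled, C has defaulted.
PORTFOLIO = [
    Loan("A", ead=1_000_000, lgd=0.45, pd_at_origination=[0.01] * 3, pd_now=[0.01] * 3),
    Loan("B", ead=500_000, lgd=0.40, pd_at_origination=[0.02] * 3, pd_now=[0.06] * 3),
    Loan("C", ead=200_000, lgd=0.60, pd_at_origination=[0.03] * 3, pd_now=[1.0] * 3,
         defaulted=True),
]

if __name__ == "__main__":
    result = provision_portfolio(PORTFOLIO)
    for loan in PORTFOLIO:
        stage = result["stages"][loan.name]
        print(loan.name, "stage", stage, "ECL", round(expected_credit_loss(loan, stage), 2),
              "interest@5%", round(interest_revenue(loan, stage, 0.05), 2))
    print("total ECL", round(result["total_ecl"], 2))
```

Loan B shows the provisioning jump the article warns about: the same exposure carries a 12,000 provision under stage 1 but 33,883 once it is moved to stage 2, and that difference comes straight out of retained earnings.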


The new financial accounting standards are principles-based, are not prescriptive and do not recommend any single approach. Furthermore, the Financial Accounting Standards Board (FASB) will allow institutions to adopt approaches based on their complexity and size, leaving lots of room for interpretation.

Compounding this problem is the fact that both CECL and IFRS 9 require firms to forecast the predictable future. Since loss provisions reflect the future, different macro scenarios need to be applied – including some that could have a negative impact. For example, a sudden, sustained economic downturn that affects multiple sectors and that occurs between reporting dates could force an en bloc downgrade of loans, resulting in a steep rise in provisioning that could eventually lead to capital shocks.

The challenges involve significant and far-reaching decision making, revolving around (a) initial impact and gap assessment; (b) interpretation of the standard; (c) ownership of the program; (d) stakeholder contributions and integration; (e) retooling and repurposing of credit models; (f) asset classifications and categorization; (g) data collection; and (h) inventory requirements for stress testing and scenario development.

All of these challenges should be addressed in a consistent, prudent fashion via a policies and procedures document that should clearly explain the organization’s definition of default. It should furthermore provide an interpretation of what the organization considers a “significant deterioration of credit risk” while outlining the assumptions it makes about ECL models, qualitative factor adjustments and macroeconomic overlays.

Essential elements in the policies and procedures document should also include the firm’s governance, framework, objectives, principles, controls, methodology, strategy and permitted mitigants to address earnings volatility. Most importantly, it should depict the firm’s reporting and communication plan for auditors, investors and regulatory bodies.

Given the significant part played by technology and systems, a technology framework document is also a must. This should be regularly updated with respect to adaptations and interpretation of rule changes, and it should demonstrate how the integrated loan loss provisioning platform will support a variety of runs on a month-end basis. Moreover, it should explain in detail how the loan loss provisioning platform is integrated with the firm’s accounting software.


In December 2015, the Basel Committee on Banking Supervision (BCBS) published its guidance on credit risk and accounting for expected credit losses. It highlighted three IFRS-specific requirements banks should consider when designing and operationalizing their implementation plan.

With respect to defining and measuring significant deterioration in credit risk, the BCBS is of the view that delinquency data should only be used in rare circumstances and that lifetime ECLs should be anticipated and recognized before a missed payment occurs. In its guidelines, moreover, the BCBS states that banks should have processes in place that enable them to determine significant credit risk on a “… timely and holistic basis, so that an individual exposure, or a group of exposures with similar credit risk characteristics, is transferred to [lifetime expected credit losses] measurement as soon as credit risk has increased significantly, in accordance with the IFRS 9 impairment accounting requirements.”

The BCBS guidance also recommends that banks establish policies and specific criteria for what constitutes a “significant” increase in credit risk for different types of lending exposures. It’s important to follow these guidelines, since regulators across multiple geographies will likely expect alignment of credit risk assessment across products, business units and jurisdictions.

Modeling of lifetime expected losses will likely be at the forefront of IFRS 9 implementation efforts, along with issues pertaining to data quality, availability and collection. Implementation cannot be seen as a one-off effort; the systems, data and reporting mechanisms must be both scalable and repeatable.

Risk Mitigants

Banks can suppress loan-loss volatility by establishing a loan allocation strategy prior to the implementation of the regime – e.g., through a plan for how their assets will be sorted into their respective buckets, and how they will move between them, by the go-live date. One strategy would be to consider pre-emptively downgrading loan books that are most at risk of a rise in PD by shifting them into the next bucket down, effectively front-loading any resultant capital hit and helping smooth profit-and-loss volatility.

A well-organized and integrated organization has the following characteristics: (1) time series availability for PD and loss-given-default (LGD) modelling; (2) a demonstrated capability to build sophisticated, validated and properly documented models; (3) established procedures for monitoring model performance; (4) established default definitions; and (5) model governance that meets the minimum standards of the European Banking Authority (EBA).

These competencies leave an organization better able to repurpose its existing credit risk capital models to provide the point-in-time estimates required under IFRS 9.

Parting Thoughts

The introduction of IFRS 9 is a sea change for credit impairment. The lessons learned through IFRS 9 deployment should offer valuable guidance to organizations that need to implement CECL in the US.

This article was published on the Global Association of Risk Professionals website.

In order to understand the risks in financial derivative contracts, one must first understand derivatives and the purpose for which they are employed. A financial derivative is a security or financial instrument that derives its value from an underlying asset or group of assets. Derivatives are simply contracts between two or more parties. The value of such a contract is determined by changes or fluctuations in the value of the underlying reference asset. Financial derivatives are contracts for differences, settled through the exchange of cash flows.

There are two groups of contracts: exchange-traded and custom. Exchange-traded contracts are traded on a recognized exchange, with the counterparties being the holder and the exchange. The contract terms are non-negotiable and their prices are publicly available, e.g., futures and listed options. Custom contracts are traded off-exchange with specific terms and conditions determined and agreed by the buyer and seller, e.g., forwards and swaptions. The primary difference is standardization versus customization. Both types of contract carry the secondary risks explained below, but the credit risk of custom contracts is elevated because, unlike on an exchange, no central party guarantees performance against the contingent credit exposure.

Financial derivatives can be used for a variety of purposes but are mainly used for hedging, i.e., the reduction of risk. They are used to hedge interest rate, inflation, equity, foreign exchange, price and commodity risk. While these derivatives are put on to reduce a primary risk, the transactions themselves give rise to secondary risks embodied in the trade, namely market risk and credit risk. Market risk is the sensitivity to movements in prices, foreign exchange, commodities, interest rates and inflation; the result would be a diminished real return on the cash flow. Credit risk is the risk that the counterparty with whom the trade was transacted defaults and is unable to perform its obligation; the result would be a need to replace the existing contract, if possible, with another counterparty.


The following metrics can be used to monitor and measure credit replacement risk exposure: notional value of contracts, current mark-to-market, expected exposure, and stressed future potential exposure. Some of these metrics are more refined than others. Notional value provides information on the total size of a product with a counterparty. Unlike bonds and loans, the notional value of a derivative does not reflect the actual risk, since the long and short positions may have different maturities, coupon details, options and terms. Current mark-to-market is a snapshot of the current exposure to a counterparty, typically adjusted to reflect any netting (e.g., under ISDA agreements) and collateral arrangements; it does not, however, consider any future sensitivity changes.

The latter two metrics need more calculation and calibration. Expected exposure is the expected positive mark-to-market profile of a swap or portfolio of transactions, reflecting any netting and collateral arrangements, at different points in the future. The paths can be generated using a Monte Carlo simulation driven by implied market volatilities and correlation parameters. Stressed future potential exposure is a further refinement of expected exposure, using stressed parameters (e.g., worst-case historic volatilities and correlations) in place of the implied ones.

Counterparty risk is managed through an internal credit review and the assignment, based on that review, of risk limits for each counterparty. Risk limits would be based on internal/external counterparty rating, market capitalization, maturity buckets, and product types. This internal credit review covers all counterparties, including exchange counterparties. The entire process above would be embodied in a policy and procedures document that also sets out roles and responsibilities and governance oversight.

Further counterparty risk mitigation can take the form of collateral arrangements and collateral management. Collateral is used to facilitate trades between two parties by providing security against the possibility of default of a counterparty. Bespoke contracts, i.e., OTC derivative exposures, are managed via credit support annexes under International Swaps and Derivatives Association (ISDA) Master Agreements that set out the collateral arrangements. Credit support agreements are used for derivative transactions as a way of reducing the mark-to-market exposure to a counterparty. Under a credit support agreement the counterparties agree to collateralize the net mark-to-market exposure of the portfolio with a defined pool of eligible assets (e.g., cash, government bonds). Collateral is transferred to the other party when the portfolio of transactions under the respective agreement is a net negative amount for the transferring party. For exchange-traded contracts, collateral in the form of margin is mandated as per the exchange’s requirements.
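The two profile metrics above (expected exposure and its stressed variant) and the two mitigants (ISDA netting and a CSA threshold) can be put together in a short simulation. The following is an added example, not code from the article or from any vendor platform: it simulates two correlated lognormal risk factors by Monte Carlo, values a constructed netting set of three forward-like trades on each path, and reports the expected exposure (mean) and potential future exposure (95th percentile) at each monthly step, gross, netted, netted with a CSA threshold, and netted with the CSA under stressed volatilities and correlation. All trades, spots, volatilities, the correlation, the threshold and the one-step margin period of risk are constructed assumptions.

```python
"""Expected exposure (EE) and stressed potential future exposure (PFE) for a
small derivatives netting set, by Monte Carlo simulation of two correlated
risk factors, with ISDA-style netting and a CSA collateral threshold.
Added example: every trade, spot, volatility and CSA term below is constructed."""
import math
import random
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class Trade:
    """Linear (forward-like) trade: MtM = notional * direction * (S / strike - 1)."""
    factor: int       # index of the risk factor driving the trade (0 or 1)
    notional: float   # currency notional
    direction: int    # +1 long the factor, -1 short
    strike: float     # factor level at which the trade's MtM is zero


def simulate_paths(spots: Sequence[float], vols: Sequence[float], rho: float,
                   steps: int, dt: float, n_paths: int, seed: int = 7) -> List[List[List[float]]]:
    """Driftless lognormal paths for two risk factors with correlation rho.
    Returns n_paths paths; each path is a list of [S0, S1] for t = 0..steps."""
    rng = random.Random(seed)
    paths = []
    for _ in range(n_paths):
        s = list(spots)
        path = [list(s)]
        for _ in range(steps):
            z0 = rng.gauss(0.0, 1.0)
            z1 = rho * z0 + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
            s = [s[i] * math.exp(-0.5 * vols[i] ** 2 * dt + vols[i] * math.sqrt(dt) * z)
                 for i, z in enumerate((z0, z1))]
            path.append(list(s))
        paths.append(path)
    return paths


def trade_mtm(trade: Trade, factors: Sequence[float]) -> float:
    return trade.notional * trade.direction * (factors[trade.factor] / trade.strike - 1.0)


def exposure_at(trades: Sequence[Trade], factors: Sequence[float], prev_factors: Sequence[float],
                netting: bool, threshold: Optional[float]) -> float:
    """Credit exposure to the counterparty at one time point on one path.

    netting=False : no master agreement, each trade's positive MtM is owed separately.
    netting=True  : one netted MtM across the set (ISDA netting); if a CSA
                    threshold is given, collateral equal to the previous step's
                    netted MtM above the threshold is held (a one-step margin
                    period of risk, an assumption) and reduces the exposure."""
    if not netting:
        return sum(max(trade_mtm(t, factors), 0.0) for t in trades)
    mtm = sum(trade_mtm(t, factors) for t in trades)
    if threshold is None:
        return max(mtm, 0.0)
    prev_mtm = sum(trade_mtm(t, prev_factors) for t in trades)
    collateral = max(prev_mtm - threshold, 0.0)
    return max(mtm - collateral, 0.0)


def exposure_profile(trades, paths, quantile, netting=True,
                     threshold=None) -> Tuple[List[float], List[float]]:
    """EE (mean exposure) and PFE (exposure quantile) at each time step across paths."""
    ee, pfe = [], []
    for k in range(len(paths[0])):
        exposures = sorted(exposure_at(trades, p[k], p[max(k - 1, 0)], netting, threshold)
                           for p in paths)
        ee.append(sum(exposures) / len(exposures))
        pfe.append(exposures[min(int(quantile * len(exposures)), len(exposures) - 1)])
    return ee, pfe


# Constructed netting set: long and short forwards on factor 0, a long forward on factor 1.
TRADES = [Trade(0, 10_000_000.0, +1, 100.0),
          Trade(0, 6_000_000.0, -1, 100.0),
          Trade(1, 5_000_000.0, +1, 50.0)]
SPOTS = (100.0, 50.0)
BASE_VOLS, BASE_RHO = (0.20, 0.30), 0.5          # constructed implied vols / correlation
STRESSED_VOLS, STRESSED_RHO = (0.45, 0.60), 0.9  # constructed worst-case historic parameters


def run_demo(n_paths=2000, steps=12, dt=1 / 12, quantile=0.95, threshold=500_000.0):
    """Monthly EE/PFE profiles over one year: gross, netted, netted+CSA, and stressed."""
    base = simulate_paths(SPOTS, BASE_VOLS, BASE_RHO, steps, dt, n_paths)
    stressed = simulate_paths(SPOTS, STRESSED_VOLS, STRESSED_RHO, steps, dt, n_paths)
    gross_ee, gross_pfe = exposure_profile(TRADES, base, quantile, netting=False)
    net_ee, net_pfe = exposure_profile(TRADES, base, quantile)
    csa_ee, csa_pfe = exposure_profile(TRADES, base, quantile, threshold=threshold)
    _, stressed_pfe = exposure_profile(TRADES, stressed, quantile, threshold=threshold)
    return {"gross_ee": gross_ee, "gross_pfe": gross_pfe, "net_ee": net_ee, "net_pfe": net_pfe,
            "csa_ee": csa_ee, "csa_pfe": csa_pfe, "stressed_pfe": stressed_pfe}


if __name__ == "__main__":
    for name, profile in run_demo().items():
        print(f"{name:>12}: " + " ".join(f"{v / 1e6:5.2f}" for v in profile))  # in millions
```

Running it prints one row per profile in millions. The gross row always dominates the netted row (the sum of positive trade values is never below the positive part of their sum), the CSA row sits below the netted row by the collateral held, and the stressed row shows why a limit set from implied parameters alone can be breached when realized volatility and correlation jump.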


The most common industry tool for measuring market risk is value-at-risk (VaR), commonly deployed and serviced by third-party providers. As a single metric, VaR conveys one consolidated view of the exposure of all assets and liabilities to risk sensitivities such as interest rate, FX, credit, inflation and equity risk. VaR estimates the loss amount that is not expected to be exceeded at a specified confidence level over a given holding period, assuming normal market conditions. The higher the portfolio’s VaR, the greater its expected loss and exposure to market risk. Firms typically set VaR limits at both the individual and the enterprise level. VaR has its doubters and critics, but it nevertheless remains the standard tool.

Further enhancement involves active market risk management incorporating both netting and hedging. Netting is the combination of long and short trades in financial derivative instruments and/or security positions that refer to the same underlying asset, irrespective of the contracts’ due dates. Hedging is the combination of trades in financial derivative instruments and/or security positions that do not necessarily refer to the same underlying asset, with the sole aim of offsetting risks linked to positions taken through other instruments or positions.
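The VaR definition above and the netting and hedging distinction can be made concrete with a small book. The following is an added example rather than code from the article or from any VaR vendor: it nets long and short exposures on the same underlying, applies ten days of constructed historical returns to the net book, and computes both a historical-simulation VaR and a parametric (variance-covariance) VaR scaled to a ten-day holding period, for the hedged book and for the unhedged exposure alone. The underlyings "XYZ" and "ABC", their returns, the positions and the confidence levels are all constructed assumptions.

```python
"""Value-at-risk (VaR) for a small book, showing the effect of netting
(long and short positions on the same underlying offset) and hedging
(an offsetting position in a different, correlated underlying).
Added example; the positions and the ten days of returns are constructed."""
import math
from typing import Dict, List, Sequence, Tuple

# One-sided standard-normal quantiles for the parametric (variance-covariance) VaR.
Z_SCORES = {0.95: 1.6449, 0.99: 2.3263}

# Constructed daily returns for two underlyings; "ABC" moves closely with "XYZ".
RETURNS: Dict[str, List[float]] = {
    "XYZ": [0.010, -0.020, 0.015, -0.030, 0.005, 0.020, -0.010, -0.025, 0.012, -0.004],
    "ABC": [0.008, -0.018, 0.012, -0.028, 0.004, 0.017, -0.009, -0.022, 0.010, -0.003],
}

# Constructed positions as (underlying, delta-equivalent currency exposure).
POSITIONS: List[Tuple[str, float]] = [
    ("XYZ", 1_000_000.0),   # long XYZ forward
    ("XYZ", -400_000.0),    # short XYZ position (partially offsets the long)
    ("ABC", -500_000.0),    # hedge: short ABC against the residual XYZ exposure
]


def net_positions(positions: Sequence[Tuple[str, float]]) -> Dict[str, float]:
    """Netting: combine long and short exposures on the same underlying."""
    net: Dict[str, float] = {}
    for underlying, exposure in positions:
        net[underlying] = net.get(underlying, 0.0) + exposure
    return net


def pnl_history(net: Dict[str, float], returns: Dict[str, List[float]]) -> List[float]:
    """Daily portfolio P&L implied by applying historical returns to today's net exposures."""
    n_days = len(next(iter(returns.values())))
    return [sum(exposure * returns[u][d] for u, exposure in net.items()) for d in range(n_days)]


def historical_var(pnl: Sequence[float], confidence: float) -> float:
    """Historical-simulation VaR: the loss not exceeded on `confidence` of past days."""
    losses = sorted(-p for p in pnl)
    idx = min(math.ceil(confidence * len(losses)) - 1, len(losses) - 1)
    return max(losses[idx], 0.0)


def parametric_var(pnl: Sequence[float], confidence: float, holding_days: int = 1) -> float:
    """Variance-covariance VaR: normally distributed P&L assumed, scaled by sqrt(holding period)."""
    mean = sum(pnl) / len(pnl)
    variance = sum((p - mean) ** 2 for p in pnl) / (len(pnl) - 1)
    return Z_SCORES[confidence] * math.sqrt(variance) * math.sqrt(holding_days)


def var_report(positions, returns, confidence=0.99) -> Dict[str, float]:
    """VaR of the full (netted and hedged) book versus the unhedged XYZ exposure alone."""
    net = net_positions(positions)
    hedged = pnl_history(net, returns)
    unhedged = pnl_history({"XYZ": net["XYZ"]}, returns)
    return {
        "hedged_hist_var": historical_var(hedged, confidence),
        "unhedged_hist_var": historical_var(unhedged, confidence),
        "hedged_param_var_10d": parametric_var(hedged, confidence, 10),
        "unhedged_param_var_10d": parametric_var(unhedged, confidence, 10),
    }


if __name__ == "__main__":
    for k, v in var_report(POSITIONS, RETURNS).items():
        print(f"{k:<24} {v:12,.0f}")
```

With these inputs the netted XYZ exposure is 600,000 and the 99% one-day historical VaR falls from 18,000 unhedged to 4,000 once the ABC hedge is included; the parametric figures move the same way. The ten-day history is far too short for a production VaR and is there only to keep the arithmetic checkable by hand; the sqrt-of-time scaling in `parametric_var` is the usual normal-returns shortcut and is one of the assumptions VaR's critics point at.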


The identification, assessment, control and monitoring of both credit and market risk is an ongoing process and needs to be reviewed on a regular basis. The whole process must be well documented in a policy and procedures document. While you cannot totally eradicate credit and market risk, you can mitigate them by monitoring, staying aware, and taking active steps.

This article was published on the Risk Management Association website.