How does it work?
The universally adopted method of managing exposures to non-financial risks in financial institutions (operational, cyber, model, conduct and fraud risks) is Risk and Control Self-Assessment (RCSA). Risks are identified and their potential to cause unexpected losses is assessed using a system of traffic light reports.
Whereas RCSA is effective in identifying non-financial risk exposures, the use of colour-coding to gauge their likely financial impact prevents risk exposure aggregation. To state the obvious, you can’t aggregate colours. This means that real or near real-time analysis of accumulating risk exposures via management dashboards, through techniques such as trending, ranking, benchmarking, and monitoring actual exposures against risk budgets and operating limits, is not available. This severely inhibits C-suite executives, boards and regulators in the fulfilment of their oversight and governance responsibilities.
SERRAQ’s solution is ‘Risk Accounting’. Risk Accounting introduces a new additive risk metric – the ‘Risk Unit’ or ‘RU’ – that is designed to express all forms of non-financial risk. Risk Accounting enhances the analytics produced by RCSAs through algorithms generated from a sophisticated set of SERRAQ approved risk-weights attached to RCSA outputs and associated operating and accounting data. The algorithms enable the production of comprehensive analytics, encompassing both granular and aggregated non-financial risk exposures, reported in management dashboards using the new risk metric, the RU.
The Risk Accounting method generates three core risk metrics applied to the reporting categories typically used in management accounting – business line, cost centre, legal entity, product, customer, location and risk type. The three core risk metrics are:
- Inherent Risk RUs (IRUs): how much risk in the aggregate has been created? Representative of ‘maximum possible loss’.
- Risk Mitigation Index (RMI): how effectively have risks been managed and mitigated?
- Residual Risk RUs (RRUs): how much risk remains that has not been managed and mitigated effectively? Representative of ‘exposure to risk’.
The Portfolio View
Non-financial risks cannot be effectively managed without first constituting the complete portfolio of controlled and audited non-financial risks. A ‘Portfolio View’ is the essential foundation for effective risk control, public disclosure, the application of tried and tested portfolio risk management methods (trending, ranking, limit-setting, limit-monitoring and benchmarking) and the introduction of advanced analytical techniques… AI, FinTech, RegTech etc.
Risk Accounting enables the portfolio view by allowing non-financial risks to be analyzed in RUs at both the granular and aggregate levels.
Non-financial risks include operational, cyber, model, conduct and fraud risks. Exposure to them exists where a financial institution fails to adequately plan, organise, manage and control its internal risk-mitigating activities and processes. In contrast, exposure to financial risks exists where a financial institution intentionally creates external financial exposures with customers, intermediaries and counterparties for a projected return.
Unexpected losses are financial outcomes associated with a financial institution’s failure to accurately identify, quantify, aggregate and report its accumulating exposures to financial and non-financial risks; consequently, the institution cannot know whether such exposures are within risk appetite limits approved at the Board level. In contrast, expected losses are stochastically determined accounting estimates of projected financial outcomes associated with accepted financial and non-financial risks where the amount of accepted risk has been accurately quantified and is within risk appetite limits approved at the Board level.
Note: In the recent past, most notably during the financial crisis of 2007/8, financial institutions of all sizes around the globe suffered material, sometimes catastrophic unexpected losses. These were invariably due to their inability to effectively identify, quantify, aggregate and report their internal exposures to non-financial risks. In many instances, the result was extreme accumulations of unidentified and unreported exposures to non-financial risks that eventually turned into losses.
In contrast, external exposures to financial risks have intrinsic monetary value that can be readily identified and quantified in natural currency, aggregated and reported. In short, the global financial crisis of 2007/8 happened because a financial institution’s amount of exposure to external financial risks was typically known and accounted for whereas its amount of exposure to internal non-financial risks was typically unknown. Risk Accounting resolves this conundrum.
Key Attributes of Risk Accounting
The Risk Mitigation Index (RMI) is a measure of risk culture as it blends qualitative and quantitative risk attributes from across the enterprise into a single metric. Accordingly, risk governance is focused on planning and implementing strategies aimed at continually improving the RMI.
The risk appetite statement is a schedule of approved risk limits in RUs by business component, product and risk type that are set at the granular operating level and aggregated at the Board level for approval. Risk Accounting supports the budgeting and forecasting of accepted non-financial risks in RUs and monitors and reports accumulating excesses over approved RU limits in near real-time.
The amount of exposure to non-financial risks expressed in RUs is auditable. Risk Accounting requires business component and process owners to report their risk status by completing Best Practice Scoring Templates (BPSTs), which involves either picking an applicable risk benchmark or confirming compliance with industry-consensus best practices. Consequently, BPSTs are objective, measurement-based inputs that can be subject to audit. This is not the case with risk & control self-assessments, which use a subjective assessment metric, e.g. red/amber/green, that is not auditable.
Monetary Value of an RU
One of SERRAQ’s longer term aims is to calculate the monetary value of an RU (RUm) by modelling non-financial risk loss data correlated with related context information in the form of Residual Risk RUs. Once determined, the RUm can be used to estimate non-financial risk related expected losses (Residual Risk RUs x RUm).
Expected losses calculated in this way can be used to risk-adjust audited financial statements, similar to CECL accounting provisions for credit risk. This creates the possibility to lobby regulators to adopt the RUm in the determination of regulatory capital requirements for non-financial risks, providing a high degree of risk sensitivity, simplicity and comparability in capital adequacy calculations.
“…represents a sizeable step forward in the search for a practical global solution to enterprise risk management (ERM)”
“…the London Whale trading loss… Here, the (method) would bloom”
“…a very useful conceptual framework that could serve as a baseline for fulfilling the needs of BCBS 239, with a relatively simple to implement approach”
“…the first mechanism proposed to integrate the major components of risk in a large institution”
“The integration of accounting and risk measures (both economic and regulatory) makes an important contribution to making risk-adjusted returns transparent”
“The framework… harmonizes all quantifiable risks and valuation uncertainties into one consistent framework without getting bogged down with specific risk models, methodologies and calibrations”
“…(the) approach could be a meaningful way of establishing a common metric for operational risk, an area in risk management which, after many years, is still lacking analytical rigour”
“…(the) proposed framework is both novel in addressing the limitations of existing ERM risk measurement frameworks and practical in adapting the control and reporting frameworks that already exist in accounting and general ledger systems”
“…I think it is a good way of thinking about the operational risk associated with different underlying risk classes but, as the authors point out in the paper, it is not intended to be a substitute for capital at risk.”