ALM & Risk Control
homepage
♦️ We consider links between economic fluctuation and financial decision-making. ♣️ We care for resilience and sustaninable finance. ♠️ We consider Poker actually as game of skill and not as a game of chance. ♥️ However, weighing all interests, serious concerns regarding public health prevail.✻
— macro.finance, and we have a »Code of Ethics & Professional Conduct«
✻ This is the basic scheme, i.e. the conflict area of designing any micro-prudential or macro-prudential regulation, e.g in the financial sector. ❏ ❍.
Prohibition tends to be the worst option of regulation according to history. Hence, how to deal with it? (see Online Gambling, the AI (Cepheus Poker Project), the problem and the issue — and an EU workingpaper). For policy makers it is, in general, all about bringing externalities into financial decision making to reduce the adverse effects, e.g. regarding ecological issues (particularly climate change) as well as social issues. This is a mission.
And please always bear in mind “thoughts without content are empty, intuitions without concepts are blind” (E. Kant, A51/B76) ♔ — or, very loosly translated: "thoughts without facts are meaningless" ... and by the way, Ceterum censeo Carthaginem esse delendam! ♞
Excited to announce we are #OpenForBusiness. Reach out to us:
- Asset-Liability-Management
- Defining Strategies — Strategic & Financial Planning
- Valuation of Liquid and Illiquid Assets & Financial Products
- Asset Allocation (strategic or tactical), Setup & Control
- Financial & Risk Reporting, ALM-Guidance
- Risk Management
- Scenario Analysis incl. edge cases
- Model Validation & Stresstesting
- Capital Planning (ICAAP) & Risk Strategy/Appetite
- Liquidity Planning (ILAAP), Controlling & Reporting
- OpRisk Assessment & Quality Controlling, Guidance
- IT-Risk and IT-Security (ICT)
- Outsourcing-Control (EBA GL)
- ESG Risk Assessment, Policy & Reporting (internal, external)
- Regulatory Compliance, Compliance
- Regulatory Reporting & Communication to Supervisor
- Gap-Analysis of Requirements (old & new); detemine “Plan of Action / Attack”, i.e. comply or explain (re proportionality)
- Strengthening the Internal Control System (Effective Control Activities)
- Preparing Permission Requests & License Applications (Authorities)
- Business Optimisation
- Business Analysis & Process Optimisation (BPMN)
- Business Analytics, Intelligence & Internal Reporting (Data Science)
- Programming R, Python & SQL — Software Test & Validation (tools)
Any current issue might be raised from an audit, by the regulator or be motivated by the Management Board in due course of a Change Management Process driven by any competitive peer group, market forces or is forced by stakeholders within the organisation. The requirements are determined by context, i. e. by size, complexity and riskiness of the institution as well as by the state in the cycle of life. However, we deliver.
The macro-financial view — at first glance: Recently, let’s say during the last 30 years, a lot happened in the regional and global economic and financial arena. We learned by painful experiences that the macro-economic activity and the financial sphere are interdependent, fatally at some incidents; »cause and effect« works both ways and in feedback loops once the incident (the »shock«) is rooted in one or the other context. Banking in general went through a cycle of deregulation before the crisis (particularly in the US) and reregulation after the crisis, e. g. like the banking crisis in the US (S&L), Finland and Sweden or the aftermath of the Global Financial Crisis in 2007/08 (GFC) and now another deregulation — well, kind of … Technology cycled through boom and bust and yet we see another boom. There were some smaller scale crashes either in equity (Japan 1990) or bond markets (1994), some larger crises, at an almost global scale, like the Peso-Crisis 1994/95, the Asia 1997 crisis or Russia 1998, Argentina 1999. And we have seen these extraordinary devastating GFC in 2007/08 and the EU-wide/Greece stress in 2010), the global economic recessions and health care crises. The pandemic and climate change is ongoing. What else do we have as driving mega trends? Demography and human migration? Globalisation seems to be in retreat, and we have to bear the pain of adjustment processes accordingly — process automation and AI? The latter will change substantial shares of output and employment from industrial and agricultural production into services (by substitution) with all the short- and long-term consequences. That will most likely lead to rising needs for accelerated education for »the rest of us« … and certainly the people will need adjusted or new products in banking and new financial services (e. g. by API-Banking and Digital Transformation).
However, here’s another cycle: intermediation and disintermediation. Banks are facing fierce competition from so called FinTechs or BigTechs, Non-Banks or Near-Banks; sometimes called Neo-Banks or Neo-Brokers in kind of a misleading way (suggesting they do have a license which they don’t in many cases). Did you recently update your SWOT-Analysis (and PEST-Analysis)? If you know your core competencies the »word of the day« is to split and recombine to make the customer happy, i. e. meet the customers needs and preferences and add more value, undercut the costs (of own operations) or the fees (of the competitor) and still be profitable in the medium term. Or bring innovation to the table, either to the comfort of the customer or to generate economies of scale. Eventually, what is your vision and mission? And please do bear in mind — thou shall not neglect the required and appropriate Risk Management & Control, you never know what is going to happen next.
Life can only be understood backwards; but it must be lived forwards.
— Søren Kierkegaard
The Organisation & Functional View: A bank as well as any financial institution needs structure and processes which are set up according to the operational needs, adequate regulatory requirements and for the safety of the firm.
Obviously the bank needs a front office as a face to the customer / business partner. Operations, i.e. documentation, payments and settlements of transactions is located in middle and back offices as well as the unavoidable and necessary controls (4-eyes-principle front and back and another pair in accounting etc). Support by IT is needed in every part of the institution and with each and every workplace, function and process. HR and accounting goes without saying. The parts Risk Management & Control and Compliance are seen and thought as second line of defense regarding risks either to be avoided or to be managed according to internal and external requirements which includes regulatory compliance at all levels. Internal audit is last not least the third line of defense and usually has a direct reporting line into the board of directors in case of risks and damages happening.
Much of the structure and many of the processes, but not all, can be and usually will be outsourced up to a certain degree, at least at Less Significant Institutions (LSI), to keep costs bearable, e.g. for ITC. The Finance Sector is moving more and more into secure use of cloud computing by using so called as-a-service offers from Hyperscalers to keep up with the pace of innovation in technology. Risk Management cannot be outsourced in such a way though. A sustainable service agreement is for all outsourcings a »conditio sine qua non« for a rigorous controlling of KPIs and to allow audit at each level. All of these relevant and material functions still need to be assigned to an internal role and a knowledgeable internal person being responsible and being able to communicate with the external »insourcer«. An outsourcing control function is advisable, for the sake of efficiency in conjuction with the Operational Risk function and contingency planning. That said and presumed, the setup according to a core-satellite-approach is likely an efficient way of doing business based on a business model which is scalable … but please have a look at relevant regulatory concerns.
This »clock« can be used to point to the current step in the process, much like a status reporting. Why is it indicating »high noon«? Well, » … any similarity to actual banks and financial institutions, living or dead, is purely coincidental« but it is the natural starting point of procedure as well as analysis: Look at the business model and define a strategy, hence, do an assessment and get the data ready for that.
There are two generic processes of eminent importance required in a financial institutions’ risk management: (a) the strategy process and (b) the controlling process as an essential part of the framework of governance and control.
What can be done to manage the risks? It is common sense that risks that are not rewarded are to be avoided as far as possible. Rewards without risks are certainly welcome but might be »windfall profits«, hence not a sustainable element of a business model but more or less just »incidental opportunities«. If profits from rewards without risks can be called »from arbitrage activities« there may be stiff competition due to potential scalability and according to the particular entry barriers in this market. Hence, these profits might be of rather diminishing nature in the medium/long run.
Any viable business model needs a certain amount of »risk bearing capacity« (capital, retained profits and reserves). If there is no way to avoid such risks then »risk mitigation« might be an opportunity. Usual mitigation happens to be any of the following: collateral or guarantees (funded or non-funded risk-mitigation), or hedging (natural, macro or micro hedging), or buying protectiom from insurance companies or banks (possibly via derivatives). Last not least there are the residual risks that the bank or financial institution needs to bear. This risk in total needs to be covered by the the risk bearing capacity (RBC). That is a requirement by the regulator and banking supervision which in turn is set according the common sense in the wider society. The residual risk of the bank or financial institution must be limited accordingly – if material – and is the object of analysis during the controlling loop.
There are more options in the context of non-financial risks *2). Operational risk can be mitigated by more or better technology and of course quality management, and business process optimisation incl. proper automation. Conduct risk is adressed by good governance and an implementation of effective risk & compliance culture that empowers the people and shares responsibility with them. The internal governance, risk & control framework (incl. compliance) shall reflect all this, represented in the policies & procedures of the bank or financial institution.
Risk Classification
❌ 1.) Financial Risks
example scenarios (pretty generic)
| financial risk | driver |
|---|---|
| credit risk | ❖ impairment & default ❖ rating migration ❖ spread change |
| counterparty risk | ❖ substitution of position |
| settlement risk | ❖ non/late delivery |
| liquidity risk | ❖ cashflow mismatch ❖ hair cuts ❖ asset prices (AfS) |
| funding risk | ❖ availability of funding (markets dry up, credit lines gone) ❖ maturity mismatch ❖ spread change |
| market risk | ❖ asset prices ❖ currency (fx) rates ❖ interest rates ❖ spreads (basis/benchmark) ❖ volatilities |
| non-public investment risk | ❖ risk in alternative investments (private equity valuation etc) |
| concentration risk | ❖ diversification effects missing |
| climate risk | ❖ as far as this concerns the above financial risks, implicit |
❌ 2.) Non-Financial Risks
example scenarios (highly individual)
| non-financial risk | driver |
|---|---|
| operational risk | ❖ damages to assets ❖ damages to clients/customers ❖ damages to stakeholders ❖ losses due to interruptions ❖ losses due to clients/stakeholders ❖ lost profits due to errors. ❖ verity risk (receivables purchased) ❖ fraud internal ❖ fraud external ❖ money laundering |
| trading risk/losses | ❖ limit monitoring & limit system off-track ❖ limit breaches go without remedial actions |
| business risk | ❖ revenue, costs or income off track (opposed to plan) ❖ cost management bad ❖ business planning all but conservative |
| strategic risk | ❖ competition ahead of the curve ❖ market transition or disruption ❖ technology change missed ❖ business model does not deliver |
| governance risk | ❖ weak risk culture ❖ missing root-cause analysis ❖ no performance tracking |
| human resources risk | ❖ drain & underperformance ❖ project mis-management ❖ cost for recruitment to be higher |
| model risks | ❖ models oversimplified ❖ validation issues |
| ITC risk & security | ❖ business analysis & risk assessment incomplete ❖ testing & simulation insufficient ❖ bad quality: dependencies external (SLA) ❖ bad quality internal: policies & procedures ❖ bad change management (incl. projects) ❖ bad communication (errors & crises) ❖ contingency plans too simple ❖ incident reporting & remediation too slow ❖ HR certification & re-certification missing ❖ outsourcing control inefficient ❖ budget breach |
| data privacy & security * | ❖ GDPR compliance (privacy protection customers) ❖ policies & procedures insufficient ❖ outsourcing control inefficient ❖ pot. fines & legal costs, damages due to breaches |
| compliance risk & regulatory risk |
❖ fines are due when breaches of law, rules and regulations occur ❖ new regulations deadline missed or implementation quality bad ❖ quality in regulatory returns ❖ punctuality of regulatory returns ❖ compliance in regulatory requirements ❖ communication to the regulator/supervisor (incl. deposit insurance) |
| climate risk | ❖ credit ratings selectively affected due to transition ❖ defaults go up due to economic adjustments (technology) ❖ devaluation of »black« bond/equity exposure relative to »green« ❖ consumer habit & preferences change for good ❖ damages due to climate change to physical assets |
| legal risk | ❖ fines and legal costs likely if disputes cannot be solved at arms length |
| conduct risk | ❖ fines probable if damages are external effects, e.g. market abuse |
| health & safety risk | ❖ hygiene at work ❖ safety at work ❖ safety on the way to work ❖ contingency plan for pandemic etc |
| social responsibilities | ❖ leadership climate ❖ customer care ❖ charity |
| social media risk | ❖ customer dis-satisfaction goes viral ❖ contingency plan not existing or not working |
| reputational risk | ❖ as far as a hit of reputation concerns other risks, like through adverse selection, human resources drain, business risk, strategic risk and regulatory risk etc. |