
Key Risk Indicators: focusing on the right risks in today's environment

Presented by:
Kristen L. Gantt, MD
Integrated Risk Advisory
RiskBusiness Americas

and

Tom Diminich, Director
IT Risk Advisory
Experis Finance

Why Invest in KRIs?

What do these significant loss events have in common?

- UBS: trade fraud (still under investigation)
- Societe Generale: trade fraud
- Citibank: privacy breach
- AIG: CDS exposure
- Madoff: Ponzi scheme
- LTCM: sudden illiquidity in portfolio
- Barings: concentration

HINT: Trick question.

ANSWER: After analyzing post-loss & causal factors, they all had a good chance of being prevented or detected if Key Risk Indicators (KRIs) had provided closer to real-time information that could be aggregated, analyzed, and escalated.

2010-2011 RiskBusiness Americas LLC

Differences in Senior Management Approaches Affected Outcomes during Financial Market Turmoil

According to the Senior Supervisors Group's "Observations on Risk Management Practices during the Recent Market Turbulence" (March 6, 2008), these 4 things were done well by the financial institutions that made out OK (relatively speaking):

- IDENTIFIED RISK APPETITE & CONNECTED WITH RISK MITIGATION STRATEGY: The balance that each firm's senior management in general achieved between its desire to do business and its appetite for risk, as reflected in the tone set for developing or enforcing controls on the resulting risks;

- IDENTIFIED RISK AND TOOK ACTION: The role that senior management in particular played in identifying and understanding material risks and acting on that understanding to mitigate excessive risks;

- BROKE THROUGH UPWARD CORPORATE COMMUNICATIONS BARRIERS: The efforts that senior management undertook to surmount organizational structures that tended to delay, divert, or distort the flow of information up the management chain of the firm; and

- BROKE THROUGH X-DISCIPLINARY COMMUNICATIONS BARRIERS: The breadth and depth of cross-disciplinary discussions and communication of insight into relevant risks across the firm.

Key Risk Indicator (KRI) Definitions

Simple Definition

A KRI tracks an important exposure and does it well.

From Wikipedia, the free encyclopedia

A Key Risk Indicator, also known as a KRI, is a measure used in management to:

- indicate how risky an activity is
- detect an adverse impact or prevent the possibility of future adverse impact (Lagging, Current & Leading KRIs)
- give an early warning to identify a potential event that may harm continuity of the activity/project.

A KRI differs from a Key Performance Indicator (KPI) in that a KPI is a measure of how well something is being done.

A Macro Indicator is an external indicator that is relevant to understanding exposure to risk based on scenario and data leading to loss.

A Specific Indicator is an internal indicator relevant to risk inherent in a Business Unit's Operations & Processes (e.g., number of unmatched trades).

A Common Indicator is an internal indicator relevant to everyone in the organization (e.g., Customer Complaints, Employee Morale).

Conceptual: Translating Risk Appetite to Risk Tolerance to KRIs

Typical Risk Management Responsibilities in the Organization

Entity Level / Executive Committee
- Culture Setting
- Strategic Objectives & Direction
- Corporate Risk Tolerance & Appetite
- Code of Ethics
- Corporate Policies

Management Level
- Line of Business Limits / Risk Tolerance & Thresholds
- Divisional Policies
- Risk Assessment & Response Decisioning
- Approval Level Setting
- Organizational Design

Supervisory Level
- Scenario Level Risk & Control Activities Review
- Key Risk Indicators
- Data Validation

Surveillance Level
- Quantitative Analysis (VaR, LGD, OpVar)
- Imbedded Testing
- Rules-Based or Artificial Intelligence Monitoring

[Diagram labels: Corporate Risk & Governance Programs; Corporate & BU Strategic Objectives; Risk Tolerance / Appetite; Business & Tactical Strategy Execution]

Steps shown alongside the levels:
- Identify Factors Affecting Exposure Tolerance
- Define the KRI, Develop Measurement Policy & Specify the Threshold
- Monitor, Aggregate, Analyze, Report & Determine Mitigating Action

Conceptual: Beginning with Tolerance & Appetite

Identify Factors Affecting Exposure Tolerance

- Determine Company's Risk Tolerance
- Within tolerance, how much Risk Appetite, both qualitative & quantitative
- Translate Tolerance / Appetite into LOB Strategic Business objectives

Generally, the gap that exists between the level of potential liability (loss of $, % share loss, rating loss) as compared to its ability to access capital. If not taking enough risk, may lose out on upside opportunity (look at oppty $).

[Diagram labels: Risk Tolerance ($); Risk $; Oppty; Access to Capital]

Risk Tolerance

- How much risk is the organization able to pay for losses as a result of risk related events?
- E.g., Is a 28% loss in stock price and simultaneous downgrade by Moody's within tolerance? How long to recover? Or like Barings / Lehman?

Risk Appetite

- How much risk is an organization willing to accept in pursuit of creating value: the flip side of performance.
- E.g., Only reduction in 10% stock price, or zero tolerance for discrimination suits - fight or flight.
- Drill down to business processes.

Conceptual: Relating Losses to Risk Management Frameworks to KRIs

Define KRI, Develop Measurement Policy & Specify the Threshold

1. To Develop Useful KRI that Detects / Prevents Exposure to Liability, one must assess (Internal / External Loss (Potential Liability) Analysis):
   - Loss History (Internal & External)
   - Causal Factors
   - Relevant Scenarios
   - Audit & Compliance Issues
   - Capital Allocation to BU

2. Develop Top-down & Bottom-up Inherent / Residual Risk Map pointing to Processes, Risks, & Control Assessment (Using a Common language big advantage to tie to #1)

KRI Measurements borne from intersection of 1 & 2

Conceptual: Relating Losses to Risk Management Frameworks to KRIs

Define KRI, Develop Measurement Policy & Specify the Threshold

TIPS:

- Determine related processes, risks & controls (and their owners) where breakdown expected to occur AND motivational drivers.
- Determine $ Appetite Threshold for Specific Risk within Controllable Business Unit.
- Don't underestimate the power of good causal analysis.
- Identify a value representing existence of measurable condition in process (e.g., # & $ Breaks) or In-Effectiveness of Control (e.g., Days P&L Recs Past Due).
- Calibrate related Thresholds starting from Red to create Amber & Green. Clearly define specific measurement protocol.
- Thresholds may be set as caps, collars or floors. Set these to trigger an alert when either touch or exceed.
- Track KRIs over time to pick up on and document trends.
- May use scaling math or T-Values for comparability, correlation & composite KRIs.
- Expect to review KRIs for change as risks & processes change.
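The threshold tips above, worked through in Python as an added example that is not part of the presentation: Red/Amber/Green calibration for caps, floors and collars with touch-or-exceed alerts, plus scaling onto a common footing for a composite KRI. The KRI names and owners follow the slides; the limits, readings and function names are constructed, and "T-Values" is assumed to mean T-scores (50 + 10z).

```python
from dataclasses import dataclass
from statistics import mean, stdev
from typing import Optional, Sequence

@dataclass(frozen=True)
class Threshold:
    """Cap: only *_high set. Floor: only *_low set. Collar: both sides set."""
    amber_high: Optional[float] = None
    red_high: Optional[float] = None
    amber_low: Optional[float] = None
    red_low: Optional[float] = None

    def status(self, value: float) -> str:
        # Red is checked first (thresholds are calibrated starting from Red);
        # >= and <= mean a reading that merely touches a limit raises the alert.
        if (self.red_high is not None and value >= self.red_high) or \
           (self.red_low is not None and value <= self.red_low):
            return "RED"
        if (self.amber_high is not None and value >= self.amber_high) or \
           (self.amber_low is not None and value <= self.amber_low):
            return "AMBER"
        return "GREEN"

def t_score(history: Sequence[float], value: float) -> float:
    """Assumed reading of 'T-Values': T = 50 + 10 * z against the KRI's own history."""
    sd = stdev(history)
    return 50.0 if sd == 0 else 50.0 + 10.0 * (value - mean(history)) / sd

def evaluate(kris):
    """One row per KRI: (name, RAG status, T-score, who to escalate to or None)."""
    rows = []
    for k in kris:
        *history, latest = k["readings"]  # earlier readings form the trend baseline
        rag = k["threshold"].status(latest)
        rows.append((k["name"], rag, round(t_score(history, latest), 1),
                     k["escalate_to"] if rag != "GREEN" else None))
    return rows

def composite(rows) -> float:
    """Composite KRI: mean T-score, comparable across counts, $ amounts and days."""
    return round(mean(r[2] for r in rows), 1)

# Constructed sample data: limits and readings are invented for illustration.
SAMPLE = [
    {"name": "# gross trades exceeding set threshold (daily)",
     "escalate_to": "Trade Supervisor / Risk Mgr",
     "threshold": Threshold(amber_high=3, red_high=5),           # cap
     "readings": [1, 2, 1, 2, 1, 2, 5]},
    {"name": "# open 3rd-party OTC confirms with no cash flow (weekly)",
     "escalate_to": "Desk Risk Mgr",
     "threshold": Threshold(amber_high=10, red_high=20),         # cap
     "readings": [4, 6, 5, 7, 6, 8, 12]},
    {"name": "# disabled user IDs / password resets (daily)",
     "escalate_to": "Information Security Officer",
     "threshold": Threshold(amber_low=5, red_low=2,
                            amber_high=40, red_high=60),         # collar
     "readings": [18, 22, 20, 19, 21, 20, 20]},
]

if __name__ == "__main__":
    results = evaluate(SAMPLE)
    for row in results:
        print(row)
    print("composite T-score:", composite(results))
```

The first KRI turns Red by touching its cap of 5 rather than exceeding it, and its T-score shows how far the reading sits from its own trend even though the raw count is small.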

Conceptual: Understanding Causes in Scenarios and Relating to KRIs

[Figure: causal diagram relating Core Drivers, Triggers and Risk Events to KRIs. Labels recoverable from the figure: Management; HR; LoB; Clouds; Goofs; Sales / Revenue Targets; Resourcing Levels; Workload; Individual Capability; HR Practices; Aggressive Sales; Misunderstanding; Miscommunication; Team Function; Task Difficulty; Product Complexity; Process Complexity; Seismic Vulnerability; Seismic Event; Oversight; Training; External / Seismic; Execution Errors]

Conceptual: Operationalizing KRI Program

Monitor Against Threshold, Aggregate, Analyze, Report & Determine Mitigating Action

- Start with KRI Policies, Measurement Specifications, Thresholds
- Determine Providers & Consumers of Metrics
- Determine Tools / Resource Requirements for Aggregation & Analytics
- Execute Data Analytics Implementation
- Test Results, Usefulness & Actions

Elements of a KRI Policy Include:

Definition
- KRI Name
- Description of What is Being Measured
- Type of KRI (leading, lagging, etc.)
- Causal Types Driving KRI Rationale
- Risk Being Mitigated Driving KRI Rationale
- Version # & Release date of KRI

Specifications
- Threshold Metric Definitions & Escalation Procedures
- Measurement Methodology / Data collection & validation procedures
- Data Source(s): Application / Data Provider(s)

Links to Metadata & Centralized Referential Data Libraries
- Organizational Unit
- Process, Risk & Control Type
- Geographic Location
- Product Type(s)
- Financial Statement Line Item
- Other

Conceptual: Operationalizing KRI Program

Operationalize KRI Measurement & Monitoring

- Evaluate existing technology for monitoring / workflow capabilities & determine platform;
- Determine providers (inputs) and consumers (outputs) of individual KRI metrics;
- Configure platform with KRI policies based on organizational hierarchy link to risk taxonomy;
- Design data input mechanisms (e.g., Manual, API);
- Determine and configure reporting parameters.

Deliverables
- Fully functioning workflow around measuring, monitoring, and responding to KRI feedback loop;
- Accompanying firm-wide policies & procedures

Post Implementation Use Test Validation

- Review that the program objectives are working as intended through objective review;
- Validate results of KRI information to management actions;
- Track that management actions are managed through appropriate prioritization & budget allocation;
- Test the process (inputs, function, outputs) vs. goals

Deliverables
- Management Reports & Presentation to Risk Committees

Conceptual: Operationalizing KRI Program

Before starting, these are key To Dos:

- Define Organizational Topography: Lines of Business, Business Units, Cross-Functional Units
- Establish C-Level Buy-In
- Pre-Plan Communication Structures (i.e., not used for compensation, discussed through Risk Management)
- Determine Appropriate Level of Resources are Available
- Implement a Reliable KRI Development Process
- Develop an Implementation Plan, e.g., Targeting a Pilot Area with Biggest Expected Return for Time Spent

At the end of the day, KRIs should:

- Prompt Timely Management Risk Response (Documented)
- Be Consistent: Comparable with other business units/lines of business (Apples : Apples)
- Be Relevant: Ties to risk tolerance / appetite
- Be Transparent: Easily understood in common business language function
- Be Complete: Data validation to ensure accurate / complete

Conceptual: Today's KRI Reporting has Become more Visual

Practical Examples

Developing Key Risk Indicators

4 Key Questions - Summary

Identify Factors Affecting Exposure Tolerance

1. What Are the Worst Losses/Near Misses Over the Past 10 Years Caused in this Business Unit? Your Competitors' Units? (95 - 99% CL)

Specify KRI & Threshold

2. What Would be the Level of Loss I Could Tolerate vis-à-vis my Business Unit Strategic Plan? [Specify the Threshold]

Monitor the KRI Threshold

3. How Often Would I Need to Monitor the Risk Indicators & To Whom Would I Escalate to Take Action in Enough Time to Mitigate Loss? [Monitor the Threshold]

4. What Common Language & Technology Platforms can I Leverage to Build a Sustainable KRI Program?

Simple Analogy: Progression from Tolerance to KRI

PROGRESSION FROM TOLERANCE to KRI:

- TOLERANCE: Must achieve top 5 place to enter Worlds; otherwise, reputation risk and total loss of sponsor funding.
- APPETITE: Must achieve 1st through 3rd place to sustain quality financial sponsorship & strong reputation.
- THRESHOLD: History shows boat speed trumps boat-to-boat tactics; focus on closing boat speed gap.
- CAUSES: Reasons for slow boat speed = crew weight placement, sail design & trim. Most variable? Weight & trim.
- KRI POLICY SUGGESTIONS: Boat Speed?
  - Set up 7 KRI "Tell Tails" in Luff of Sail at different heights (wind velocity & direction varies at heights).
  - Trimmer (Risk Mgr) evaluates direction of streaming at different levels; the AGGREGATED view will show whether the boat is operating slower than expected or at optimal speed.
- ACTION if SLOWER: Trimmer immediately adjusts sails or escalates to skipper to change point of sail. Continuous communication.

Relevant Case: Progression from Tolerance to KRI

Significant Loss through Trader Fraud:

- IMPACT: $2.3 BN in losses, stock plummeted 28%, severe company reputation damage and potential Moody's downgrade. Arrest: 2 counts accounting / 1 count misuse of position.
- PROFILE: Single Trader at Delta-One Desk (ETF) with computer science education & experience in back office. Believed to have started by making a bad trade in 2008, trying to make it back, and covering it since.
- METHOD: Significant speculative long positions in ETFs made, which were not covered, leaving company 100% exposed to market risk. Fictitious covered trades in DAX, Euro Stoxx, and S&P 500; same trades since 2008 closed & then reopened.
- Was able to hide the fake hedge trades as OTC settlement is over 3 days, or longer (systemic risk of fragmentation in Euro clearing market).
- Also, two-way confirmations not always sent out by company, or expected back by some EU banks on these type trades.
- UNCOVERED: Fake trades set to roll over, perpetrator no longer able to cover extreme losses; wrote confessional email.

Source: IndexUniverse, Sept 19, 2011

TOLERANCE to KRI:

- TOLERANCE: Examples: 10% drop in stock price, drop in revenue by 10% or more, capital increases to cover loss exposure by more than 5%.
- APPETITE: Upper limit of capacity for losses based on targeted forecasted revenues & capital levels the firm seeks to attain.
- THRESHOLD: Difference between risk exposures and risk appetite used to set limits in each appetite category.
- CAUSES: Both internal and external / systemic:
  - Confirmations not sent out, or expected in return, for ETF Trades
  - Taking advantage of longer than usual clearing & settlement in EU
  - Not sure if Mgmt overseeing Gross positions in Delta-One desk, and expected margin requirements related fee postings
- KRI POLICY SUGGESTIONS?

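KRIs In Action: Risk Mapping to Causal Factors (the old "Due to" Statements)

Business Unit #1 Inherent Risk Analysis: Equities Derivatives

Each causal driver ("Breakdown Due to:") is mapped to the loss event types below.

Strategy
- Internal Fraud: n/a
- External Fraud: n/a
- Employment Practice & Workplace Safety: Loss of Key People w/o Succession Planning
- Clients, Products and Business Practices: Product Design Tied to Inadequate Market Liquidity
- Business Disruption & Failure: Dept. BCP Plan Does not Work w/Firm-Wide Plan
- Damage to Physical Assets: Selection of Business location prone to damage
- Execution, Delivery & Process Mgmt.: Aggregate Trading Limits Are Exceeded / Trade Partner Selection Risky

Management
- Internal Fraud: Abuse of Signing Authority
- External Fraud: n/a
- Employment Practice & Workplace Safety: Under-Documented Termination Process
- Clients, Products and Business Practices: Poor Oversight Over Application of Compliance Rules
- Business Disruption & Failure: Not Providing Employees with BCP Training
- Damage to Physical Assets: n/a
- Execution, Delivery & Process Mgmt.: Trade or Margin Fees not Collected or Accounted for / Gross Positions not Monitored

Conduct
- Internal Fraud: Employee Cover-up Poor Performance or Error
- External Fraud: n/a
- Employment Practice & Workplace Safety: Sexual Harassment / Comp Plan Encourages Risky Conduct
- Clients, Products and Business Practices: Trade relationship established w an inappropriate counterparty not in interest of the firm
- Business Disruption & Failure: Unintentional lack of knowledge to carry out BCP
- Damage to Physical Assets: Intentional destruction or theft of company property
- Execution, Delivery & Process Mgmt.: Negligence in Employee Performance in Carrying Out Duties

Processes
- Internal Fraud: Conflicting Duties s/u in Organization
- External Fraud: Fraudulent Trade Partner Documents
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Customer Identification / KYC Not properly performed
- Business Disruption & Failure: Procedures for BCP not Clearly / Accurately Communicated
- Damage to Physical Assets: n/a
- Execution, Delivery & Process Mgmt.: Trade Policies/Procedures Unclear / Confirms not Received

Technology
- Internal Fraud: Logical Access Security Breach
- External Fraud: Firewall Security Lax
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Corporate Credit Application Under-Functions
- Business Disruption & Failure: Systems will not Recover within Required Time
- Damage to Physical Assets: Data is Corrupted
- Execution, Delivery & Process Mgmt.: System to System transmission error

External Factors
- Internal Fraud: n/a
- External Fraud: Damaging Viruses being Introduced in Cyber Attacks
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Massive Defaults in Corporate Credits in US
- Business Disruption & Failure: Outsource Vendors Fail in the event of a Disaster
- Damage to Physical Assets: Fire, Flood
- Execution, Delivery & Process Mgmt.: Clearing Firm Parties Defer Settlement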

KRIs In Action: Risk Mapping to Causal Factors (the old "Due to" Statements)

Business Unit #1 Inherent Risk Analysis: Equities Derivatives

KRI callouts overlaid on the risk map:

- KRI Measurement: # Disabled UserIDs / password resets - Periodic (daily?) - Information Security Officer
- KRI Measurement: # Gross Trades Exceeding Set Threshold - Daily - Trade Supervisor / Risk Mgr
- KRI Measurement: # / $ Open 3pty OTC Confirms w no Cash Flow - Weekly - Report to Desk Risk Mgr

Strategy
- Internal Fraud: n/a
- External Fraud: n/a
- Employment Practice & Workplace Safety: Loss of Key People w/o Succession Planning
- Clients, Products and Business Practices: Product Design Tied to Inadequate Market Liquidity
- Business Disruption & Failure: Dept. BCP Plan Does not Work w/Firm-Wide Plan
- Damage to Physical Assets: Selection of Business location prone to damage
- Execution, Delivery & Process Mgmt.: Aggregate Trading Limits Are Exceeded / Trade Partner Selection Risky

Management
- Internal Fraud: Abuse of Signing Authority
- External Fraud: n/a
- Employment Practice & Workplace Safety: Under-Documented Termination Process
- Clients, Products and Business Practices: Poor Oversight Over Application of Compliance Rules
- Business Disruption & Failure: Not Providing Employees with BCP Training
- Damage to Physical Assets: n/a
- Execution, Delivery & Process Mgmt.: Trade or Margin Fees not Collected or Accounted for / Gross Positions not Monitored

Conduct
- Internal Fraud: Employee Cover-up Poor Performance or Error
- External Fraud: n/a
- Employment Practice & Workplace Safety: Sexual Harassment / Comp Plan Encourages Risky Conduct
- Clients, Products and Business Practices: Bad IB deal made not in interest of the firm
- Business Disruption & Failure: Unintentional lack of knowledge to carry out BCP
- Damage to Physical Assets: Intentional destruction or theft of company property
- Execution, Delivery & Process Mgmt.: Negligence in Employee Performance in Carrying Out Duties

Process
- Internal Fraud: Conflicting Duties s/u in Organization
- External Fraud: Fraudulent Trade Partner Documents
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Customer Identification / KYC Not properly performed
- Business Disruption & Failure: Procedures for BCP not Clearly / Accurately Communicated
- Damage to Physical Assets: n/a
- Execution, Delivery & Process Mgmt.: Trade Policies/Procedures Unclear / Confirms not Received by Trade Partner

Technology
- Internal Fraud: Logical Access Security Breach
- External Fraud: Firewall Security Lax
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Corporate Credit Application Under-Functions
- Business Disruption & Failure: Systems will not Recover within Required Time
- Damage to Physical Assets: Data is Corrupted
- Execution, Delivery & Process Mgmt.: System to System transmission error

External Factors
- Internal Fraud: n/a
- External Fraud: Damaging Viruses being Introduced in Cyber Attacks
- Employment Practice & Workplace Safety: n/a
- Clients, Products and Business Practices: Massive Defaults in Corporate Credits in US
- Business Disruption & Failure: Outsource Vendors Fail in the event of a Disaster
- Damage to Physical Assets: Fire, Flood
- Execution, Delivery & Process Mgmt.: Clearing Firm Parties Deferred Settlement

Aggregating KRIs

Requires Common Language for Process, Risk Event Types, Control Types, and Causal Factors / Drivers & Data Aggregation Platform

- Private Wealth Mgmt (LOB)
- Institutional Securities (LOB)
- Securities Operations (Back Office)
- Fixed Income (Front Office)
- Equity Derivatives (Front Office)

Any Lessons Learned?

- If you're looking for the Top 10 Best Firm-Wide KRIs, Save Your Energy!

- Strive for Consistency Across Organization (e.g., Scalability, etc.) over Quantity: It takes time to think about the comparability of the KRIs. Risk / exposures change continually. What may be best are risk scores (Customer Satisfaction/Technology Service/Employee Satisfaction).

- Calculating Correlation of KRIs with Actual Losses to Validate is a good exercise, but don't expect results will justify doing KRIs: Time better spent may be correlation to other KRIs. Once implemented, KRIs work immediately so loss history collected may not be robust enough to
  Think about joining KRI Exchange or other Consortium.

- Ensuring KRIs tie directly to Risk Event / Loss Categories: Focus on the pivot table concept that all roads lead back to measuring / monitoring against defined loss categories.

- Don't make it too difficult/costly to obtain the information or to validate the information gathered: It will soon be dropped.

Thank You!

Contact:

Tom Diminich
Director, IT Risk Advisory Services
Experis Finance
Direct: (212) 823-8559
Tom.diminich@experis.com

Kristen L. Gantt CPA
Managing Director
RiskBusiness Americas
(a Madison-Davis & RiskBusiness International Company)
Direct: (212) 363-3696
kgantt@mdps.com
