LO 40.2: Explain how a firm can set expectations for its data quality and describe some key dimensions of data quality used in this process.
A fundamental step in managing risks due to flawed data would be to set user expectations for data quality and then establish criteria to monitor compliance with such expectations. In order to define and measure these expectations, they can be categorized into key dimensions of data quality. The important (but not complete) set of dimensions that characterize acceptable data include accuracy, completeness, consistency, reasonableness, currency, and uniqueness.
Accuracy
The concept of accuracy can be described as the degree to which data correctly reflects the real-world object. Accuracy can be measured by manually comparing the data to an authoritative source of correct information; for example, the temperature recorded by a thermometer compared to the real temperature.
2018 Kaplan, Inc.
Topic 40 Cross Reference to GARP Assigned Reading – Tarantino and Cernauskas, Chapter 3
Completeness
Completeness refers to the extent to which the expected attributes of data are provided. There may be mandatory and optional aspects of completeness. For example, it may be mandatory to have a customer's primary phone number, but if the secondary phone number (optional) is not available, then the data requirement for the phone number is still considered complete.
Note that although data may be complete, it may not necessarily be accurate. For example, customers may have moved and their mailing addresses may not have been updated yet.
Consistency
Consistency refers to reasonable comparison of values between multiple data sets. The concept of consistency is broad and could require that data values from each data set do not conflict (e.g., a bank account is closed but the statement still shows account activity) or that they meet certain pre-defined constraints.
Note that consistency does not necessarily imply accuracy.
There are three types of consistency:
1. Record level: consistency between one set of data values and another set within the same record.
2. Cross-record level: consistency between one set of data values and another set in different records.
3. Temporal level: consistency between one set of data values and another set within the same record at different points in time.
Reasonableness
Reasonableness refers to conformity with consistency expectations. For example, the income statement value for interest expense should be consistent or within an acceptable range when compared to the corresponding balance sheet value for long-term debt.
Currency
Currency of data refers to the lifespan of data. In other words, is the data still considered relevant and useful, given that the passage of time will gradually render it less current and less correct? Measurement of currency would consist of determining the frequency with which the data needs to be updated, and determining whether the existing data is still up-to-date.
Uniqueness
Uniqueness of data is tied into the data error involving duplicate records. Uniqueness suggests that there can only be one data item within the data set. For example, within a client list, there should only be one Mr. Jack Lee with a date of birth of January 1, 1970 living at 1234 Anywhere Street in New York City.
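The dimensions above can be turned into automated checks that feed a simple data quality scorecard. The following is an added example, not part of the original study notes; the records, field names, the 365-day staleness limit, and the interest-to-debt range are constructed assumptions. Accuracy is left out because it requires comparison with an authoritative external source.

```python
from datetime import date

# Constructed sample client records (assumed field names, not from the notes).
CLIENTS = [
    {"id": 1, "name": "Jack Lee", "dob": "1970-01-01",
     "address": "1234 Anywhere Street, New York City",
     "primary_phone": "212-555-0100", "secondary_phone": None,
     "account_status": "open", "activity_count": 4,
     "last_updated": date(2018, 3, 1)},
    {"id": 2, "name": "jack  lee ", "dob": "1970-01-01",
     "address": "1234 anywhere street, new york city",
     "primary_phone": None, "secondary_phone": "212-555-0101",
     "account_status": "closed", "activity_count": 2,
     "last_updated": date(2015, 6, 30)},
    {"id": 3, "name": "Ana Ruiz", "dob": "1982-09-14",
     "address": "77 Sample Avenue, Boston",
     "primary_phone": "617-555-0142", "secondary_phone": None,
     "account_status": "open", "activity_count": 0,
     "last_updated": date(2016, 1, 15)},
]

# Completeness: only mandatory attributes count; secondary_phone is optional.
MANDATORY = ("name", "dob", "address", "primary_phone")
MAX_AGE_DAYS = 365  # assumed currency threshold


def completeness(rec):
    """Return the list of mandatory fields that are missing or empty."""
    return [f for f in MANDATORY if not rec.get(f)]


def record_consistency(rec):
    """Record-level consistency: a closed account must show no activity."""
    return not (rec["account_status"] == "closed" and rec["activity_count"] > 0)


def is_current(rec, as_of):
    """Currency: the record was refreshed within the allowed window."""
    return (as_of - rec["last_updated"]).days <= MAX_AGE_DAYS


def identity_key(rec):
    """Normalise case and whitespace so nonstandard formats still match."""
    def norm(s):
        return " ".join(s.lower().split())
    return (norm(rec["name"]), rec["dob"], norm(rec["address"]))


def duplicates(records):
    """Uniqueness: groups of record ids that describe the same person."""
    seen = {}
    for rec in records:
        seen.setdefault(identity_key(rec), []).append(rec["id"])
    return [ids for ids in seen.values() if len(ids) > 1]


def reasonable_interest(interest_expense, long_term_debt, lo=0.01, hi=0.15):
    """Reasonableness: interest expense within an assumed range of debt."""
    if long_term_debt <= 0:
        return interest_expense == 0
    return lo <= interest_expense / long_term_debt <= hi


def scorecard(records, as_of):
    """Share of records passing each dimension (1.0 means all pass)."""
    n = len(records)
    extra = {i for group in duplicates(records) for i in group[1:]}
    return {
        "completeness": sum(not completeness(r) for r in records) / n,
        "consistency": sum(record_consistency(r) for r in records) / n,
        "currency": sum(is_current(r, as_of) for r in records) / n,
        "uniqueness": (n - len(extra)) / n,
    }


if __name__ == "__main__":
    for dimension, score in scorecard(CLIENTS, date(2018, 6, 1)).items():
        print(f"{dimension:13s} {score:.2f}")
```

Record 2 illustrates that the dimensions are independent: it fails completeness, consistency, currency, and uniqueness for four different reasons.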
Operational Data Governance
LO 40.1: Identify the most common issues that result in data errors.
The most common data issues that increase risk for an organization are as follows:
- Data entry errors.
- Missing data.
- Duplicate records.
- Inconsistent data.
- Nonstandard formats.
- Complex data transformations.
- Failed identity management processes.
- Undocumented, incorrect, or misleading metadata (description of content and context of data files).
From a financial perspective, such data errors (accidental or not) may lead to inconsistent reporting, incorrect product pricing, and failures in trade settlement.
Examples of risks arising out of data errors include:
- Fraudulent payroll overpayments to fictitious employees or those who are no longer employed by the firm.
- Underbilling for services rendered.
- Underestimating insurance risk due to missing and inaccurate values (e.g., insured value).
Acceptable Data
LO 39.6: Explain the challenges and best practices related to data aggregation at an organization.
The existence of several IT systems being operated simultaneously within a firm results in a lack of integrated IT systems. This, in turn, requires a significant amount of manual data entry to allow for proper aggregation of risk data. Best practices related to data aggregation at an organization are explained as follows:
- To increase efficiency and accuracy, minimize the amount of manual intervention and manual data manipulation (i.e., spreadsheets) by automating the risk data aggregation process.
- Aggregated risk data needs to be accurate, timely, and comprehensive in order to have value. Therefore, there must be standards, cutoff times, and timelines regarding the production of internal risk reports.
- Single platform centralized databases with single identifiers and/or consistent naming conventions could allow for the timely retrieval of multiple records of risk data across the firm. They also permit data segmentation when required to produce specific data (i.e., risk concentrations).
- Create data warehouses that will take information from various subsystems and store them in a warehouse. The data is then filtered and reorganized so that customized reports can be created using specific data from the warehouse.
- Automated reconciliation will reduce the risk of manual errors and incomplete information. For example, off-balance sheet data should not be omitted.
- Periodic reconciliation of risk and financial data will ensure the accuracy and proper operation of the IT system.
- For merger and acquisition transactions, ensuring that legacy IT systems are integrated into the chosen IT system as soon as possible.
- When obtaining approvals for new IT purchases, involve the appropriate technical staff to ensure that the existing systems can process and aggregate data from these new items.
Topic 39 Cross Reference to GARP Assigned Reading – Senior Supervisors Group
Key Concepts
LO 39.1 A risk appetite framework (RAF) sets in place a clear, future-oriented perspective of the firm's target risk profile in a number of different scenarios and maps out a strategy for achieving that risk profile. An RAF should start with a risk appetite statement that is essentially a mission statement from a risk perspective. Benefits of a well-developed RAF include assisting firms in preparing for the unexpected and greatly improving a firm's strategic planning and tactical decision-making.
LO 39.2 The chief risk officer (CRO) should be easily available to the board of directors (board) and there should be a strong alliance between the CRO and the chief financial officer (CFO).
The chief executive officer (CEO) should strongly support the RAF and give the CRO the final word on risk decisions.
The board should: be willing to challenge management to operate the firm consistent with the RAF, actively work with senior management to continually revise the RAF, have sufficient technical and business understanding of the risks facing the firm, be proactive in stating the nature and frequency of the information they need, and set up a reputational risk committee.
LO 39.3 The RAF helps to ensure that each business line's strategies are congruent with the firm's desired risk profile. It also considers the integrated nature of the business lines within the firm.
Many metrics can be monitored as part of an effective RAF. Risk metrics should be divided into classes, depending on who is receiving the information within the firm.
LO 39.4 A robust data infrastructure results in management being able to make proper decisions regarding a firm's strategy, risk appetite, and risk management. Additionally, it allows for the ability to sufficiently document and convey the firm's risk reporting requirements.
Key elements of an effective IT risk management policy include: clearly defined standards and internal risk reporting requirements, sufficient funding to develop IT systems, assessing IT infrastructure and capacity prior to approving new products, timely post implementation reviews of IT systems, and sufficient governance for outsourced IT activities.
LO 39.5 Poor or fragmented IT infrastructures result from a lack of common understanding of long-term business strategies between business lines and IT management, managers thinking only about short-term profits, significant turnover in IT roles, insufficient data governance, and merger and acquisition activities.
LO 39.6 The lack of integrated IT systems is the major challenge related to data aggregations. Many best practices regarding data aggregations exist including: minimizing the amount of manual data processes, using single platform centralized databases, creating data warehouses, automated and periodic data reconciliations, and timely integration of legacy IT systems.
Concept Checkers
1. Which of the following statements regarding the risk appetite framework (RAF) is correct?
A. The RAF represents the firm's core risk strategy.
B. The RAF should be amended to take advantage of all profitable opportunities.
C. The RAF focuses on which risks the firm is willing to take and under what conditions.
D. The RAF begins with the risk appetite statement that contains many elements, including examining the composition of the income statement.
2. As a best practice, which of the following members of senior management should have the final word on significant risk decisions at a firm?
A. Chief executive officer.
B. Chief financial officer.
C. Chief operating officer.
D. Chief risk officer.
3. Which of the following statements regarding the role of a risk appetite framework (RAF) in managing the risk of individual business lines within a firm is correct?
A. Individual business lines may collectively cause the firm's RAF to drift when market conditions change.
B. Sensitivity analysis is a robust tool to assist senior management and/or the board to determine consistency with the RAF.
C. Each individual business line's risk appetite allotment according to the RAF is independent of the others to ensure objectivity in the process.
D. The business line managers submit long-term business plans to senior management and/or the board to determine if they are consistent with the RAF.
4. Which of the following statements is incorrect regarding the key elements of an effective IT risk management policy?
A. Having a single person in charge of the project management office.
B. Comparable funding for IT projects and revenue-generating projects.
C. Post-implementation reviews of IT systems at least 24 months after implementation.
D. Outsourced and in-house IT activities being subjected to the same level of monitoring.
5. Which of the following items is a best practice related to data aggregation at an organization?
A. Integrating legacy IT systems into the new IT system immediately.
B. The use of one master spreadsheet to accumulate all of the data in one place.
C. Periodic manual reconciliations to reduce the risk of errors and incomplete information.
D. Allowing individual departments as much time as they require to produce internal reports that are accurate, timely, and comprehensive.
Concept Checker Answers
1. A The RAF represents the firm's core risk strategy. The RAF does not necessarily need to be amended every time there is a profitable opportunity; doing so would cause the RAF to lose its value. The RAF also focuses on which risks the firm is unwilling to take. The risk appetite statement would not likely include an examination of the composition of the income statement; it would more likely be the balance sheet (i.e., debt, equity).
2. D The willingness of the CEO to give the CRO the final word on many risk decisions is a best practice, which has strengthened the importance of the risk management function.
3. A Individual business lines may collectively cause the firm's RAF to drift when market conditions change. Sensitivity analysis only examines one change in a variable at a time. More robust tools would be stress tests and scenario analyses, for example. Each business line's risk appetite allotment according to the RAF may be amended if another business line encounters an opportunity that requires more capital. The business line managers submit medium-term business plans to senior management and/or the board.
4. C Post-implementation reviews should be performed 6–18 months after implementation; 24 months or more would likely be too long. Having one person in charge of the project management office seems to have resulted in stronger coordination and communication between project staff.
5. A For merger and acquisition transactions, it is best that legacy IT systems are integrated into the chosen IT system as soon as possible. Spreadsheets are a form of manual data manipulation and, because they are not automated, they would not be a best practice. Automated reconciliations should be performed, not manual. One of the key points about internal risk reports is that they should be produced on a timely basis; therefore, there must be standards, cutoff times, and timelines regarding their production.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
Information Risk and Data Quality Management
Exam Focus
This topic is a qualitative examination of data quality issues. Organizations must understand the risks involved with data issues and be able to identify ways to protect one of their most valuable resources, their data. For the exam, focus on the important features of acceptable data as well as details surrounding data quality scorecards.
Topic 40
Poor Data Quality
The following is a list of negative impacts on a business from poor data quality.
Financial impacts:
- Businesses may experience lower revenues (e.g., lost sales), higher expenses (e.g., penalties, re-work costs), and lower cash flows as a result of inaccurate or incomplete data.
Confidence-based impacts:
- Managers may make incorrect business decisions based on faulty data.
- Poor forecasting may result due to input errors.
- Inaccurate internal reporting may occur with unreliable information.
Satisfaction impacts:
- Customers may become dissatisfied when the business processes faulty data (e.g., billing errors).
- Employees may become dissatisfied when they are unable to properly perform their job due to flawed data.
Productivity impacts:
- Additional (corrective) work may be required, thereby reducing production output.
- Delays or increases in processing time.
Risk impacts:
- Underestimating credit risks due to inaccurate documentation, thereby exposing a lender to potential losses (e.g., Basel II Accords for quantifying credit risk).
- Underestimating investment risk, thereby exposing an investor to potential losses.
Compliance impacts:
- A business may no longer be in compliance with regulations (e.g., Sarbanes-Oxley) if financial reports are inaccurate.
Data Errors
LO 39.5: Describe factors that can lead to poor or fragmented IT infrastructure at an organization.
There are five major factors to consider with regard to poor or fragmented IT infrastructures.
1. No common understanding of long-term business strategy between business lines and IT management. This factor often results due to internal competition for funding, thereby not permitting important IT infrastructure projects to be completed.
2. Management only makes decisions based on short-term profits. As a result of this factor, many IT infrastructure projects are scaled back, delayed, or eliminated.
3. Significant turnover in important IT roles within the firm. This factor has resulted in delays in completing IT projects.
4. Insufficient data governance and insufficient data management plan within the firm. This factor results in inconsistency across business lines in how to upgrade systems; this is costly if the systems end up being incompatible because of the inconsistencies.
5. Merger and acquisition activities. This factor results in multiple systems running simultaneously within the recently merged firm. Data aggregation across products and business lines becomes a significant challenge.
Data Aggregation Best Practices
LO 39.4: Explain the benefits to a firm from having a robust risk data infrastructure, and describe key elements of an effective IT risk management policy at a firm.
A benefit of a robust risk data infrastructure is the ability to aggregate timely and accurate data to report on credit, market, liquidity, and operational risks. This, in turn, allows management to make proper decisions regarding the firm's strategy, risk appetite, and risk management during periods of constant and frequent changes. Another benefit is the ability to sufficiently document and convey the firm's risk reporting requirements. Such requirements include: specific metrics, data accuracy expectations, element definitions, time frames, supervisory expectations, and regulatory reporting requirements.
Key elements of an effective IT risk management policy at a firm are described as follows:
- Clearly defined standards and internal risk reporting requirements to ensure a proper IT infrastructure and internal reporting.
- Sufficient funding is provided to develop IT systems for the purpose of internal risk reporting; they compete equally with proposals that are revenue generating, for example.
- Assessing IT infrastructure and capacity prior to approving new products.
- Post-implementation reviews of IT systems performed anywhere from 6–18 months afterward as a check that the systems meet the risk personnel's needs.
- The level of governance for outsourced IT activities is the same as if they were done in-house. There are no impediments to implementation or access to data due to outsourcing.
- The existence of effective project management offices (PMOs) to ensure that timelines and deliverables are met. Specifically, one person is in charge of the PMO, which seems to result in stronger coordination and communication between project staff.
- There is a data administrator as well as a data owner, and the data owner must ensure a sufficiently high level of data accuracy, integrity, and availability. This helps to ensure that IT projects are meeting the users' needs.
- The board is able to implement relevant internal audit programs to allow for periodic reviews of data maintenance processes and functions. The monitoring could be continuous or specific to a product or business line. This would allow for the quick correction of any weaknesses detected by internal audit.
Poor or Fragmented IT Infrastructure
LO 39.3: Explain the role of an RAF in managing the risk of individual business lines within a firm, and describe best practices for monitoring a firm's risk profile for adherence to the RAF.
Generally speaking, the RAF helps to ensure that each business line's strategies are congruent with the firm's desired risk profile. The various business line managers each submit a medium-term business plan to senior management and/or the board to determine if it is consistent with the RAF. Such determinations are often made with stress tests or scenario analyses. Afterward, the RAF will set the risk limits allocated to each business line based on its desired risk profile.
Additionally, the RAF considers the integrated nature of the business lines within the firm. For example, the RAF can help determine how much a given business line's medium-term business plan has to be amended in order to allow another business line's proposal to be approved. In other words, there may be some borrowing of the risk appetite allotment from a business line in order to take advantage of the current opportunity in another business line. Familiarity with the RAF by business line managers would dramatically decrease the number of plans that fall well outside acceptable bounds. A clear RAF assists the firm in preventing risk appetite drift when economic conditions change.
RAF Metrics for Monitoring Risk Profile
Examples of metrics that can be monitored as part of an effective RAF are as follows:
- Capital targets (economic capital, tangible common equity, total leverage) or capital-at-risk amounts.
- Liquidity ratios, terms, and survival horizons.
- Risk sensitivity limits.
- Risk concentrations by internal and/or external credit ratings.
- Net interest income volatility or earnings-at-risk calculations.
- Value at risk (VaR) limits.
- Expected loss ratios.
- Asset growth ceilings by business line or exposure type.
- Economic value added.
- Post-stress-test targets for capital, liquidity, and earnings.
- Performance of internal audit ratings.
- The firm's own credit spreads.
It is important to ensure that the metrics used to monitor risk are appropriate to the users of the information. Therefore, the risk metrics should be divided into classes, depending on who is receiving the information within the firm. For example:
- Directors should receive high-level metrics (less detail) that reflect the firm's key risks.
- CEO, CFO, CRO should receive more detailed metrics than directors.
- Business line leaders should receive very detailed metrics, especially in relation to their respective business lines.
Risk Data Infrastructure
LO 39.2: Describe best practices for a firm's Chief Risk Officer (CRO), Chief Executive Officer (CEO), and its board of directors in the development and implementation of an effective RAF.
Chief Risk Officer (CRO) Best Practices
Board members involved with risk issues should be able to directly contact the CRO and engage in frequent communication about on-going key risk issues. A best practice could be to create a board risk committee that is directly involved in performance review and compensation decisions regarding the CRO. A strong alliance between the CRO (risk management function) and the CFO (budgetary considerations) is key to spreading the use of the RAF throughout the organization. Specifically, a best practice would be for the CRO and CFO to report to the board at every meeting by commenting on the firm's risk profile in comparison to the RAF. The CRO discussion could be broad and strategic in nature, and the CFO discussion could discuss financial impacts.
Chief Executive Officer (CEO) Best Practices
The CEO should strongly support the RAF and refer/use it to support challenging risk and strategic decisions. The willingness of the CEO to give the CRO the final word on many risk decisions is a best practice since it strengthens the importance of the risk management function. Where any instances of non-compliance with the RAF exist, a best practice would be for the CRO and/or the CEO to advise the board of directors on the corrective measures that will be undertaken.
Board of Directors (Board) Best Practices
The board needs to spend a considerable amount of time conveying the firm's risk appetite statement throughout the firm to ensure it is properly implemented. In challenging management to operate the firm in a way that is congruent with the RAF, the board must focus on strategic and forward-looking issues rather than dwelling on past actions. A best practice would be for the board to state its expectations to management in advance so that management can establish appropriate strategic plans.
When a board challenges management and requires a thorough vetting of the RAF, the end product is more complete and relevant. A best practice is to have the active involvement of the board with senior management in continually revising the RAF until everyone is satisfied. Additionally, another best practice is the development of a concrete way of assessing when the RAF needs to be amended to reflect a changing environment.
With regard to technical knowledge of members, there should be a sufficient balance in board composition to ensure all members have a reasonable and congruent understanding of the firm's risks and to avoid situations where there are marked divisions between experts and non-experts. A best practice is to provide detailed technical training to board members on relevant concepts. Additionally, requiring cross-membership amongst the major committees helps ensure that those functions have members with a strong technical base. The training and cross-membership practices should serve as supplements to existing expertise.
Boards must be proactive in stating the nature and frequency of the information they need. As a best practice, reporting to the board should be thorough and broad in scope and not overly simplified. Additionally, communication from management should include a business aspect and not be focused on just technical aspects. Finally, as another best practice, the board should be willing to push back to management if they feel the information provided is not sufficient for their needs.
Reputation risk needs to have a significant amount of the board's attention. As a best practice, the board should set up a reputational risk committee to analyze marketplace changes and approve transactions on the basis of geography or product line. Attempting qualitative measures of reputation risk should also be done via monitoring industry headlines and reporting trends to the board as well as hiring external parties to conduct relevant surveys.
Using RAF to Manage Business Lines
LO 39.1: Describe the concept of a risk appetite framework (RAF), identify the elements of an RAF, and explain the benefits to a firm of having a well-developed RAF.
A risk appetite framework (RAF) is a strategic decision-making tool that represents the firm's core risk strategy. It sets in place a clear, future-oriented perspective of the firm's target risk profile in a number of different scenarios and maps out a strategy for achieving that risk profile. It also specifies which types of risk the firm is willing to take and under what conditions as well as which types of risk the firm is unwilling to take.
An RAF should start with a risk appetite statement that is essentially a mission statement from a risk perspective. This statement should cover some or all of the following elements:
- Desired business mix and balance sheet composition (i.e., capital structure; trade-off between debt and equity).
- Risk preferences (i.e., how much credit or market risk to take on or hedge).
- Acceptable trade-off between risk and reward.
- Acceptable limits for volatility (based on standard deviation).
- Capital thresholds (i.e., regulatory and economic capital).
- Tolerances for post-stress losses.
- Target credit ratings.
- Optimum liquidity ratios.
The benefits of a well-developed RAF are as follows:
- The inherent flexibility allows firms to adapt to market changes, especially if appropriate opportunities arise that require adjustments to the RAF.
- It improves a firm's strategic planning and tactical decision-making.
- It assists firms in preparing for the unexpected; requires business line strategy reviews and maintains an open dialogue regarding the management of unexpected economic or market events in particular geographies or products.
- It focuses on the future and sets expectations regarding the firm's consolidated risk profile after performing relevant stress tests and scenario analyses. Thus, it helps the firm set up a plan for risk taking, loss mitigation, and use of contingency measures.
Developing and Implementing an Effective RAF
LO 38.5: Distinguish between regulatory and economic capital, and explain the use of economic capital in the corporate decision making process.
Regulatory capital requirements may differ significantly from the capital required to achieve or maintain a given credit rating (economic capital). If regulatory requirements are less than economic capital requirements, then the firm will meet the regulatory requirements as part of its ERM objectives, and there will be no effect on the firm's activities. However, if regulatory capital requirements are greater than economic capital requirements, then the firm will have excess capital on hand. If competitors are subject to the same requirements, this excess capital will amount to a regulatory tax. If competing firms are not subject to the excess capital requirement, they will have a competitive advantage. Because regulatory capital requirements are typically based on accounting capital, rather than economic capital, a firm with economic values in excess of accounting values may be penalized, and may have to maintain higher amounts in liquid assets to cover the shortfall.
The economic capital of the firm must be put to productive use. If a firm accumulates excess economic capital that is not employed productively, investors will reduce the value of the firm. This reduction will be consistent with the failure of existing management to earn the cost of capital on the excess amount.
As a firm takes on new projects, the probability of financial distress increases. One way to offset this increased risk is to raise enough additional capital to bring the risk of financial distress back to the level that existed prior to the new project.
For example, assume that a firm has a value at risk (VaR) measure of $1 billion. As a result of a new expansion project, assume the VaR figure increases to $1.1 billion. In order to offset the risk of the new project, the firm would need to do the following:
1. Raise additional capital of $100 million.
2. Invest this additional capital without increasing the overall risk of the firm.
If the cost of the additional capital is 6%, and the new project is expected to last one year, then the new project would need to generate an additional $6 million to maintain the economic capital of the firm. Looked at another way, the expected benefit of the new project should be reduced by $6 million to compensate for the incremental risk to the firm.
These decisions regarding how the risk of new projects will affect the total risk of the firm are further complicated by the correlations of the expected returns of the projects. If two new projects are less than perfectly correlated, the incremental increase in total risk will be less. One way to account for any possible diversification benefits is to reduce the cost of capital of projects that are expected to have lower correlations with existing operations.
Topic 38 Cross Reference to GARP Assigned Reading – Nocco & Stulz
Risks to Retain and Risks to Layoff
Many risks can be hedged inexpensively with derivatives contracts. Examples include exposures to changes in exchange rates, interest rates, and commodities prices. Rather than face the risk that unexpected cash shortfalls due to these exposures might negatively affect the ability of the firm to carry out its strategic plan, the firm should hedge these exposures.
Other risks cannot be inexpensively hedged. These are risks where the firm's management either has an informational advantage over outsiders or the ability to manage the outcome of the risk-taking activity. A counterparty to a transaction that hedges such risks would require very high compensation to be willing to take on the transferred risks. The firm's business risks fall into this category.
The guiding principle in deciding whether to retain or lay off risks is the comparative advantage in risk bearing. A company has a comparative advantage in bearing its strategic and business risks, because it knows more about these risks than outsiders do. Because of this informational advantage, the firm cannot transfer these risks cost effectively. Moreover, the firm is in the business of managing these core risks. On the other hand, the firm has no comparative advantage in forecasting market variables such as exchange rates, interest rates, or commodities prices. These noncore risks can be laid off. By reducing noncore exposures, the firm reduces the likelihood of disruptions to its ability to fund strategic investments and increases its ability to take on business risks.
Key Concepts
LO 38.1 Enterprise risk management (ERM) is the process of managing all of a corporation's risks within an integrated framework.
The macro benefit of ERM is that hedging corporate diversifiable risk improves management's ability to invest in value-creating projects in a timely manner and improves the firm's ability to carry out the strategic plan.
The micro benefit of ERM requires decentralizing risk management to ensure that each project's total risk is adequately assessed by project planners during the initial evaluation of the project. The two main components of decentralizing the risk-return tradeoff are consideration of the marginal impact of each project on the firm's total risk and a performance evaluation system that considers unit contributions to total risk.
LO 38.2 The goal of risk management is to optimize (not eliminate) total risk by trading off the expected returns from taking risks with the expected costs of financial distress. Financial distress in this case is defined as circumstances where the firm is forced to forego positive NPV projects.
LO 38.3 The conceptual framework of ERM is a four-step process:
1. Determine the firm's risk appetite.
2. Estimate the amount of capital needed to support the desired level of risk.
3. Determine the optimal combination of capital and risk that achieves the target credit rating.
4. Decentralize the management of risk.
LO 38.4 Due to diversification effects of aggregating market, credit, and operational risk, firm-wide VaR will be less than the sum of the VaRs from each risk category. This suggests that the correlation among risks is some value less than one.
LO 38.3 Regulatory capital requirements may differ significantly from the capital required to achieve or maintain a given credit rating (economic capital). Because regulatory capital requirements are typically based on accounting capital, rather than economic capital, a firm with economic values in excess of accounting values may be penalized, and may have to maintain higher amounts in liquid assets to cover the shortfall. The economic capital of the firm must be put to productive use. If a firm accumulates excess economic capital that is not employed productively, investors will reduce the value of the firm.
Concept Checkers
1. Reducing diversifiable risk creates value:
A. only when markets are perfect.
B. because it is costly for shareholders to eliminate diversifiable risk through their own actions.
C. because reducing diversifiable risk mitigates the underinvestment problem that can occur when investors have imperfect information about the firm's projects.
D. only when it results in a permanent reduction in cash flow.
2. Effective enterprise risk management includes all of the following except:
A. centralized evaluation of every project's risk.
B. a project is only accepted if its return is adequate after considering the cost of the project's contribution to total firm risk.
C. the project's planners perform the initial evaluation of project risk.
D. periodic evaluations of the performance of business units consider each unit's contribution to total risk.
3. The goal of enterprise risk management (ERM) can best be described as maximizing firm value by:
A. eliminating the total risk of the firm.
B. minimizing the total risk of the firm.
C. optimizing the total risk of the firm.
D. eliminating the probability of financial distress.
4. In determining the relative importance of economic value compared to accounting performance in its enterprise risk management program, a firm should:
A. rely on accounting performance because it will be more accurate.
B. rely on economic value because it will be more accurate.
C. base its decision on the input of project-level managers.
D. base its decision on the objective of the ERM program.
5. Which risk is least likely to be beneficial for a company to lay off?
A. Currency exchange rate risk.
B. Business risk.
C. Commodities price risk.
D. Interest rate risk.
Concept Checker Answers
1. C When markets are not perfect (i.e., investors' information about project values is incomplete), the firm may not be able to raise funds on fair terms. For a firm faced with an unexpected drop in operating cash flow, this can lead to the underinvestment problem, where the company passes up valuable strategic investments rather than raise equity on onerous terms. The inability to fund strategic investments can result in a permanent reduction in shareholder value even if the cash shortfall is temporary. Hedging diversifiable risk mitigates the underinvestment problem and creates value, even though shareholders can eliminate diversifiable risk at low cost by diversifying their portfolios.
2. A Central to ERM is the idea that a decentralized approach to the evaluation of project risks focuses managers throughout the firm on the importance of properly considering the risk and return implications of projects.
3. C The goal of ERM is to optimize the total risk of the firm. Eliminating total risk is not possible. Minimizing total risk would preclude accepting risky projects that would allow the firm to expand and maximize value. These risky projects will increase the probability of financial distress. The goal of ERM is to optimize the risk of distress relative to the potential returns from the risky projects.
4. D There are certain situations where either accounting values or economic values will more accurately reflect the firm's situation. The determining factor in choosing between economic values and accounting values is the objective of the program. For example, if the objective is maintaining a rating, based in large part on accounting numbers, then accounting numbers will assume more relative importance.
5. B A company has a comparative advantage in bearing its strategic and business risks because it knows more about these risks than outsiders do. The firm is in the business of managing these core risks. The firm has no comparative advantage in forecasting market variables such as exchange rates, interest rates, or commodities prices. These noncore risks can be laid off.
The following is a review of the Operational and Integrated Risk Management principles designed to address the learning objectives set forth by GARP. This topic is also covered in:
Observations on Developments in Risk Appetite Frameworks and IT Infrastructure
Topic 39
Exam Focus
This topic discusses the concept of a risk appetite framework (RAF). For the exam, understand the elements and benefits of an RAF, and be familiar with best practices for an effective RAF. Also, be able to identify metrics that can be monitored as part of an effective RAF. Finally, understand the elements and benefits of a robust risk data infrastructure as well as best practices relating to data aggregation.
Risk Appetite Framework
LO 38.4: Describe the role of and issues with correlation in risk aggregation, and describe typical properties of a firm's market risk, credit risk, and operational risk distributions.
Firms that use value at risk (VaR) to assess potential loss amounts will ultimately have three different VaR measures to manage. Market risk, credit risk, and operational risk will each produce their own VaR measures. The trick to accurately measuring and managing firm-wide risk, and in turn firm-wide VaR, is to understand how these VaR measures interact. Market risks will typically follow a normal distribution; however, the distributions for credit risks and operational risks are usually asymmetric in shape, due to the fat-tail nature of these risks.
Due to diversification effects of aggregating market, credit, and operational risk, firm-wide VaR will be less than the sum of the VaRs from each risk category. This suggests that the correlation among risks is some value less than one. It can be difficult to determine this correlation amount, so firms typically use average correlation values within their respective industry. However, firms should recognize that correlations can be influenced by firm-specific actions as well as external events such as a financial crisis.
Capital Allocation