Introducing Risk Accounting
Risk Accounting is a new and revolutionary method of identifying, quantifying, aggregating and reporting exposures to non-financial risks including operational, cyber, model, conduct and fraud risks. It introduces a new, additive common metric – the ‘Risk Unit’ or ‘RU’ – that is designed to express all forms of non-financial risk.
Building on Existing Tools & Techniques
Risk & Control Self-Assessment (RCSA)
Banks use risk & control self-assessment (RCSA) as the primary method of managing exposure to non-financial risks.
Risk Accounting starts by calculating each product’s inherent risk in RUs through algorithms generated from product risk factors called ‘EUFs’ and a scaling of the amount of daily new business booked via a ‘Value Table’ (the EUF and Value Tables are described in more detail here). A product’s inherent RUs represent the total amount of risk that must be effectively mitigated if material unexpected losses are to be avoided.
The risk mitigation activities and controls contained in RCSAs are then mapped to the products that benefit from them. Each risk mitigating activity and control is assigned an effectiveness factor.
The degree of deviation from an optimal application of each activity or control (best practice) is assigned by selecting from a set of predetermined best practice benchmarks that replace the red/amber/green assignments currently in use thereby introducing more objectivity and auditability into risk assessment.
Risk Accounting then calculates a risk mitigation index (RMI) for each product through algorithms generated from the RCSA effectiveness and best practice deviation factors. The RMI is applied to each product’s inherent RUs to determine the residual RUs. Residual RUs represent the probability of incurring an unexpected loss.
As the RU is an additive metric, inherent and residual RUs can be aggregated along the vertical and horizontal dimensions of the firm with a recalculation of the RMI at each hierarchical level from granular risk mitigating activities and controls through to the Group level.
The Portfolio View
RiskBox produces risk analytics in RUs that enable a portfolio view of non-financial risks including:
- the reporting and analysis of granular and aggregated exposures to non-financial risk by multiple categories including business line, organization, product, customer and location;
- direct comparisons of exposure to non-financial risk within and between organizations and organizational components (assuming tables and templates and associated factors and weightings are uniformly applied) and their benchmarking and ranking according to risk criteria;
- identification and prioritization of risk mitigation initiatives with a calculation of the risk reduction impact in RUs of each initiative; and
- the setting of risk budgets (appetite) and operating limits in RUs across all vertical and horizontal dimensions of the bank with the potential for real or near real-time monitoring of accumulating exposures to risk vs. approved risk budgets and operating limits.
Operational Risk Loss Databases
Banks are required to record operational risk loss events in accordance with criteria established in Basel II.
The statistical correlation of residual RUs with realised losses recorded in operational risk loss databases will allow, over time, a monetary value of an RU to be derived. Once valued, the RU can be used to risk-adjust financial statements through accounting provisions made for non-financial risk related expected losses and for capital adequacy requirements.
Risk Accounting Software
RiskBox is Risk Accounting’s calculation engine.
Once determined and approved, product risk factors (EUFs), new-business scaling factors (value table) and RCSA activity and control effectiveness factors and best practice benchmarks require minimal maintenance. These tables, risk factors and benchmarks are set up in RiskBox.
There are two variables that require periodic input:
- The daily amount of new business booked.
- Changes in the operating status of risk mitigation activities and controls.
RiskBox is designed to have maximum operational flexibility and be readily adaptable to the highly complex requirements of large financial institutions. Its modules can be implemented either as a standalone end-to-end solution incorporating risk and control self-assessment (RCSA) or integrated within an existing information infrastructure. The key component is the RU calculation engine which can be integrated in solutions offered by third party technology providers, configured using existing platforms or through a de novo in-house development.
RiskBox can be easily positioned between the data integration layer and the presentation layer (reporting, analysis, dashboarding and alerting tools). It can be deployed in-house, in a third-party cloud, as a physical hardware device or a virtual device on a variety of operating systems and connectivity options. Implementation options vary depending on the complexity of the existing infrastructure, the results that need to be obtained, and time and budget constraints.
“…represents a sizeable step forward in the search for a practical global solution to enterprise risk management (ERM)”
“…the London Whale trading loss… Here, the (method) would bloom”
“…a very useful conceptual framework that could serve as a baseline for fulfilling the needs of BCBS 239, with a relatively simple to implement approach”
“…the first mechanism proposed to integrate the major components of risk in a large institution”
“The integration of accounting and risk measures (both economic and regulatory) makes an important contribution to making risk-adjusted returns transparent”
“The framework… harmonizes all quantifiable risks and valuation uncertainties into one consistent framework without getting bogged down with specific risk models, methodologies and calibrations”
“…(the) approach could be a meaningful way of establishing a common metric for operational risk, an area in risk management which, after many years, is still lacking analytical rigour”
“…(the) proposed framework is both novel in addressing the limitations of existing ERM risk measurement frameworks and practical in adapting the control and reporting frameworks that already exist in accounting and general ledger systems”
“…I think it is a good way of thinking about the operational risk associated with different underlying risk classes but, as the authors point out in the paper, it is not intended to be a substitute for capital at risk.”
Risk Accounting: Definitions
Exposure to non-financial risks exists where a financial institution fails to adequately plan, organise, manage and control its internal risk-mitigating activities and processes. In contrast, exposure to financial risks exists where a financial institution intentionally creates external financial exposures with customers, intermediaries and counterparties for a projected return.
Unexpected losses are financial outcomes associated with a financial institution’s failure to accurately identify, quantify, aggregate and report its accumulating exposures to financial and non-financial risks and, consequently, cannot know whether such exposures are within risk appetite limits approved at the Board level. In contrast, expected losses are stochastically determined accounting estimates of projected financial outcomes associated with accepted financial and non-financial risks where the amount of accepted risk has been accurately quantified and is within risk appetite limits approved at the Board level.
In the recent past, most notably during the financial crisis of 2007/8, financial institutions of all sizes around the globe suffered material, sometimes catastrophic unexpected losses. These were invariably due to their inability to effectively identify, quantify, aggregate and report their internal exposures to non-financial risks. In many instances, the result was extreme accumulations of unidentified and unreported exposures to non-financial risks that eventually turned into losses. In contrast, external exposures to financial risks have intrinsic monetary value that can be readily identified and quantified in natural currency, aggregated and reported. In short, a financial institution’s amount of exposure to external financial risks is typically known whereas its amount of exposure to internal non-financial risks is typically unknown.
Risk Accounting - An Overview
RiskBox calculates exposure to non-financial risks using the three core risk metrics shown below. These risk values are permanently assigned to transactions to complement the financial accounting values (historic cost, fair value, amortised cost etc.) already assigned.
The three core risk metrics are:
- Inherent Risk…
- The amount of non-financial risk in RUs before considering the effects of internal risk mitigation activities and controls (represents maximum exposure to risk)
- Risk Mitigation Index (RMI)…
- A measure of the effectiveness of internal risk mitigating activities and controls on a scale of zero to 100
- Residual Risk…
- The amount of non-financial risk in RUs that remains after reducing Inherent Risk by the RMI (represents actual exposure to risk)
The first step in risk accounting is to identify the primary risk types to which each industry is exposed. For example, in banking these are deemed to be processing, lending, trading, funding, interest rate and selling.
The risk types and the objective of the
related risk-mitigating activities and processes are shown below:
related risk-mitigating activities and processes are shown below:
|Risk Type||Risk Mitigation Objective|
|Processing||…transactions accepted for processing are properly approved and processing is complete, accurate and timely|
|Lending||…in the event of an assumed default, a liquidation price for underlying collateral can be realized in a reasonable time-frame and without incurring exceptional losses|
|Trading||…in the event of an assumed unwinding of a trading risk position, a liquidation price can be realized in a reasonable time-frame and without incurring exceptional losses|
|Funding||…stable sources of funding are available to fund immediate and foreseeable operating needs|
|Interest Rate||…in the event of unusual interest rate movements, interest rate sensitive assets and liabilities can be extinguished, replaced, extended or renewed in a reasonable time-frame and without incurring exceptional losses|
|Selling||…positive customer outcomes are achieved, and customers are treated fairly|
1. Exposure Uncertainty Factor (EUF) Tables
Contain details of banking products as defined in accounting systems. Risk factors are assigned to each product according to the risk-types it triggers and the respective product’s risk characteristics. Such factors are termed Exposure Uncertainty Factors (EUFs) and relate to the relative difficulty of determining the amount of exposure that arises upon the assumed default of a credit product (credit risk) or the assumed unwinding of a trading position (market risk). For example, an unsecured loan has a low EUF as the amount of exposure at default is immediately known. A mortgage loan has a high EUF as the time and effort required to foreclose on a residential property and the value that will be ultimately realised upon its disposal are uncertain.
2. The Value Table
Comprises ascending bands of the amounts of new business booked with a Value Band Weighting (VBW) assigned to each band. The value bands plotted against the VBWs produce a logarithmic curve that depicts how the rate of change in risk decelerates as operational throughput increases, primarily due to enhanced automation that naturally occurs as production volumes and values grow.
3. Risk & Control Self-Assessments (RCSAs)
Include details of risk mitigating activities and controls grouped by categories such as People, Execution, Internal Control, Business Continuity, Risk Control, Product Approval & Review, Credit Assessment & Approval, IT Security, Physical Access etc.
An effectiveness factor is assigned to each activity and control category. The operating status of risk mitigating activities and controls is assessed by reference to industry consensus best practice benchmarks and the degree of deviation therefrom provided in dropdown boxes.
The effectiveness and operating status factors are used to calculate a risk mitigation index (RMI). The RMI applied against inherent RUs produces the residual RUs.
Two variable inputs are then periodically input to RiskBox’s calculation engine representing operating status to produce risk analytics mirroring financial reports already available in management reporting systems, for example, by legal entity, organisation, product, customer, location etc., and aggregated at all organisational hierarchical levels from operational process to the group level:
The amount of operational throughput...
…being new business booked relative to each product, which can be captured either manually or via automated interfaces with accounting systems in accordance with a predetermined timetable, usually daily; and
the operating status of risk mitigating activities and controls
…gathered through simple-to-follow RCSAs captured at preselected organizational levels, e.g. process, production team, department, division etc. and in accordance with a predetermined timetable.
The global standards setting organisation for Risk Accounting is SERRAQ. SERRAQ hosts the Risk Accounting Standards Board comprised of leading industry practitioners and academics.
For details of how to apply for membership to SERRAQ, click here. Members have free access to SERRAQ’s Knowledge Centre comprising approved Risk Accounting standards and implementation guidelines and expert technical support and training.