What is Risk Accounting?
Risk Accounting is a new and revolutionary method of identifying, quantifying, aggregating and reporting exposures to non-financial risks including operational, cyber, model, conduct and fraud risks. It introduces a new, additive common metric – the ‘Risk Unit’ or ‘RU’ – that is designed to express all forms of non-financial risk.
An overview of the risk accounting method
Introducing the ‘Risk Unit’ or ‘RU’
The ‘Risk Unit’ or ‘RU’ is the new additive metric, unique to the Risk Accounting method, that is used to quantify and report exposure to operational risk using three core metrics:
- Inherent Risk: The amount of operational risk in RUs before considering the effects of internal risk mitigation activities and processes (represents maximum exposure to operational risk)
- Risk Mitigation Index (RMI): A measure of the effectiveness of internal operational risk mitigating activities and processes on a scale of zero to 100
- Residual Risk: The amount of operational risk in RUs that remains after reducing Inherent Risk by the RMI (represents actual exposure to operational risk)
Calculation of Inherent RUs
RiskBox calculates Inherent RUs based on two factors: (1) Exposure Uncertainty Factor (EUF), and (2) Value Band Weighting (VBW):
Portfolio View of Operational Risks
RiskBox generates algorithms that convert EUF, VBW and RCSA (Enhanced) inputs into a portfolio view of operational risk exposures in RUs encompassing:
- The reporting and analysis of granular and aggregated exposures by multiple categories including group-wide, business line, business organisational component, product, and customer.
- Direct comparisons of exposure to operational risk through benchmarking and ranking within and between enterprises (assuming the above tables and associated risk factors are uniformly applied).
- Identification and prioritization of risk mitigation action plans with a calculation of the projected risk reduction impact of each plan in RUs.
- The setting of operational risk budgets and risk operating limits in RUs across all vertical and horizontal dimensions of the enterprise with the potential for real- or near real-time monitoring of accumulating exposures to risk vs. risk budgets and limits.
Risk Accounting Software
RiskBox is Risk Accounting’s calculation engine.
Once determined and approved, product risk factors (EUFs), new-business scaling factors (value table) and RCSA activity and control effectiveness factors and best practice benchmarks require minimal maintenance. These tables, risk factors and benchmarks are set up in RiskBox.
There are two variables that require periodic input:
- The daily amount of new business booked.
- Changes in the operating status of risk mitigation activities and controls.
RiskBox is designed to have maximum operational flexibility and be readily adaptable to the highly complex requirements of large financial institutions. Its modules can be implemented either as a standalone end-to-end solution incorporating risk and control self-assessment (RCSA) or integrated within an existing information infrastructure. The key component is the RU calculation engine which can be integrated in solutions offered by third party technology providers, configured using existing platforms or through a de novo in-house development.
RiskBox can be easily positioned between the data integration layer and the presentation layer (reporting, analysis, dashboarding and alerting tools). It can be deployed in-house, in a third-party cloud, as a physical hardware device or a virtual device on a variety of operating systems and connectivity options. Implementation options vary depending on the complexity of the existing infrastructure, the results that need to be obtained, and time and budget constraints.
1. Exposure Uncertainty Factor (EUF) Table
EUFs are scaled to a value between zero and 20 reflecting each product’s operational complexity and the consequent process burden it imposes on the enterprise. EUFs relative to the activities below, where applicable, are assigned according to the risk criteria and associated risk factors set out in the EUF tables and summed for each product:
- Processing: number of operational touchpoints along the product’s end-to-end processing cycle.
- Lending: the relative time and effort required to liquidate collateral in the event of a credit default with reference to the value retention properties and price stability of underlying collateral.
- Trading: the relative time and effort required to unwind a trading position with reference to the availability and reliability of market prices and rates, and the manner in which the product is traded, e.g., electronic, floor, OTC etc.
- Treasury: the relative time and effort required to fund a product and manage associated liquidity and interest rate risk with reference to:
- Banking book: interest rate type (fixed or floating) and maturity.
- Derivatives: relative degree of complexity.
- Transactional and trading book: assume marginal Treasury involvement.
- Selling: whether the product is…
- an investment product involving the holding of customer monies;
- directly linked to a sales incentive scheme; and
- bundled with other products (e.g., a loan with an interest rate swap);
- …and the product’s relative degree of complexity from a customer perspective.
- Environment: the product’s relative toxicity, combustibility, and biodiversity.
2. The Value Table
Ascending $ amounts of daily operational throughput, for each product, are assigned a Value Band Weighting (VBW).
The value bands plotted against the VBWs produce a logarithmic curve that depicts how the rate of change in risk decelerates as operational throughput accelerates, primarily due to enhanced automation that naturally occurs as production volumes and values increase.
3. Calculation of Risk Mitigation Indexes (RMIs) and Residual RUs
Two variable inputs are periodically input into RiskBox to produce RMIs and Residual RUs by multiple reporting categories including group-wide, business line, business component (cost center), customer, product, legal entity, and location.
- The amount of operational throughput, being daily new business transacted relative to each product, which can be captured either manually or via automated interfaces with accounting systems.
- The status of risk mitigation gathered from across the enterprise via risk & control self-assessments (see below) captured at pre-selected organizational levels, e.g., process, production team, department, division etc.
Risk & Control Self-Assessment - RCSA (Enhanced)
The traffic light ‘RAG’ assessments typically used in RCSAs to report the status of risk mitigation activities and processes are replaced either by a binary ‘yes/no’ input indicating the presence or absence of compliance with an industry consensus best practice or through gauging the degree of compliance by reference to a set of predetermined benchmarks. RCSA enhanced inputs are used by RiskBox’s algorithms to calculate risk mitigation indexes (RMIs) and residual RUs.
An important feature of Risk Accounting is that RiskBox inputs via EUF and VBW tables and enhanced RCSAs are auditable:
- EUFs are set and approved during the product approval and review process. Auditors can independently verify that EUFs have been appropriately documented, approved, and consistently applied.
- Operational throughput and mapping to the Value Table can be independently verified by auditors against accounting records.
- Given that enhanced RCSAs require either a ‘yes/no’ response or the selection of a benchmark from a multiple-choice dropdown box, an auditor can independently verify whether responses are appropriate as there is only one acceptable response.
“…represents a sizeable step forward in the search for a practical global solution to enterprise risk management (ERM)”
“…the London Whale trading loss… Here, the (method) would bloom”
“…a very useful conceptual framework that could serve as a baseline for fulfilling the needs of BCBS 239, with a relatively simple to implement approach”
“…the first mechanism proposed to integrate the major components of risk in a large institution”
“The integration of accounting and risk measures (both economic and regulatory) makes an important contribution to making risk-adjusted returns transparent”
“The framework… harmonizes all quantifiable risks and valuation uncertainties into one consistent framework without getting bogged down with specific risk models, methodologies and calibrations”
“…(the) approach could be a meaningful way of establishing a common metric for operational risk, an area in risk management which, after many years, is still lacking analytical rigour”
“…(the) proposed framework is both novel in addressing the limitations of existing ERM risk measurement frameworks and practical in adapting the control and reporting frameworks that already exist in accounting and general ledger systems”
“…I think it is a good way of thinking about the operational risk associated with different underlying risk classes but, as the authors point out in the paper, it is not intended to be a substitute for capital at risk.”
Risk Accounting: Definitions
Exposure to non-financial risks exists where a financial institution fails to adequately plan, organise, manage and control its internal risk-mitigating activities and processes. In contrast, exposure to financial risks exists where a financial institution intentionally creates external financial exposures with customers, intermediaries and counterparties for a projected return.
Unexpected losses are financial outcomes associated with a financial institution’s failure to accurately identify, quantify, aggregate and report its accumulating exposures to financial and non-financial risks and, consequently, cannot know whether such exposures are within risk appetite limits approved at the Board level. In contrast, expected losses are stochastically determined accounting estimates of projected financial outcomes associated with accepted financial and non-financial risks where the amount of accepted risk has been accurately quantified and is within risk appetite limits approved at the Board level.
In the recent past, most notably during the financial crisis of 2007/8, financial institutions of all sizes around the globe suffered material, sometimes catastrophic unexpected losses. These were invariably due to their inability to effectively identify, quantify, aggregate and report their internal exposures to non-financial risks. In many instances, the result was extreme accumulations of unidentified and unreported exposures to non-financial risks that eventually turned into losses. In contrast, external exposures to financial risks have intrinsic monetary value that can be readily identified and quantified in natural currency, aggregated and reported. In short, a financial institution’s amount of exposure to external financial risks is typically known whereas its amount of exposure to internal non-financial risks is typically unknown.
The global standards-setting organisation for Risk Accounting is RASB. The Board is comprised of leading industry practitioners and academics with a keen interest in risk exposure quantification solutions research.
For details of how to apply for membership to RASB, click here. Members have free access to RASB’s Knowledge Centre comprising approved Risk Accounting standards and implementation guidelines and expert technical support and training.