Enterprise Risk Management: Operational Risk and COSO

Prepared and Presented by: Group 1

Group Members: Manu Prakaash, Rashi Saxena, Saurabh Saha, Urvi Gulati

TERI University, New Delhi

06/06/2022

08/04/2023 Group Members: Manu Prakaash, Rashi Saxena, Saurabh Saha, Urvi Gulati TERI University, New Delhi

ERM INTEGRATED FRAMEWORK

COSO Framework for Operational Risk Management

COSO

• Acronym for Committee of Sponsoring Organizations

• Enterprise Risk Management - Integrated Framework by COSO: aims to meet the need for an enterprise risk management framework by providing key principles and concepts, a common language, and clear direction and guidance

Operational Risk-COSO re-examined

• Written by Peyman Mestchian, Mikhail Makarov and Bahram Mirzai

• An analytical build-up as an answer to the criticisms given by Ali Samad-Khan (President, OpRisk Advisory) against the application of the COSO framework to operational risk

Criticisms offered by Ali Samad-Khan

• The definition of risk used by COSO is flawed

• Likelihood-Impact Risk Assessment is flawed

• Methods prescribed by COSO are highly subjective, and only risk assessment based on historic losses is valid

• Risk assessment using the COSO approach is too complex and resource-intensive

Justifications or Counter-Criticisms!

• The criticism about Operational Risk’s definition (criticisms 1 and 2) is based on:

Risk = Likelihood x Impact

• There is no reference in COSO for using this formula to measure risk

• COSO uses Value at Risk or Capital at Risk concepts as measures of risk:

Cost of Risk = Expected Loss + Cost of Capital

Importance of Evaluated CoR

• Crucial to perform cost-benefit analysis within an integrated operational risk management framework

Likelihood-Impact Based Risk Assessment

• Introduced in MIL-STD-882A Military safety standard, by US Department of Defense

• According to this approach, for each risk the frequency of occurrence (likelihood) & the worst credible outcome (impact) are assessed & captured into a likelihood-impact matrix. Allows an entity to understand the extent to which potential events might impact objectives

• Integrating qualitative and quantitative approaches.

• E.g.- CRISIL Ratings provides the most reliable opinions on risk by combining its understanding of risk and the science of building risk frameworks, with a contextual understanding of business. It follows the Basel II guidelines to guard against the types of financial and operational risks banks face.

Risk Analysis

[Diagram. Labels: Risk Assessment (Identification, Measurement, Prioritization); Risk Management (Control It, Share or Transfer It, Diversify or Avoid It); Risk Monitoring (Process Level, Activity Level, Entity Level)]

Example: Call Center Risk Assessment

Causes of Operational Risk

Operational Risk Failures

• On February 6, 2002, Allied Irish Banks reported a fraud in its Baltimore-based subsidiary Allfirst. According to the report, around 1997 John Rusnak, one of their internal traders, lost a large amount of money. For five years, Mr. Rusnak covered his tracks by writing non-existent options and booking their equally non-existent profits as income. Compound interest being what it is, Mr. Rusnak’s problems and, hence, the bank’s, eventually grew to $700 million. One Monday morning, Mr. Rusnak failed to show up for work and the entire fraud collapsed.

• Barings Bank had collapsed ten years previously and Allied Irish Bank was, at that time, Ireland’s second largest. The story of Barings is that of a rogue trader who alone caused the bankruptcy of a supposedly solid bank.

ERM AT ALLSTATE

Enterprise Risk Management: Managing Risk to better exploit risk opportunities

Case-Study

Brief Company Profile

• Allstate was founded in 1931 as part of Sears, Roebuck & Co., and became a publicly traded company in 1993

• It is the nation’s largest publicly held personal lines insurer

• A Fortune 100 company, with $130 billion in total assets, Allstate sells 13 major lines of insurance, including auto, property, life and commercial

A Novel Approach in the Industry

• Allstate combined its stochastic modeling and operational governance to produce an ERM for the organization

• Over time, Allstate worked to align its analytics with corporate governance and decision-making activities

Allstate’s ERM Framework: Culture/Code of Ethics

Allstate’s ERM Approach: Advantages

1. It allows the company to set a quantitatively based risk/reward threshold across its businesses

2. Management can evaluate how lines of business compare to each other vis-à-vis capital consumption

3. Provides solid new measurements to inform business decision making

Allstate’s Successful ERM: Benefits

• Helps managers take risk- and capital-related decisions, such as reinsurance purchasing, asset/liability management, risk limit setting and monitoring, and capital allocation and pricing

• Starts small, focuses on key issues first and consistently builds value

ERM Process

1. Identify top risks

2. Build a consensus between risk “owners” and management on the risk limit for the quantifiable risks

• Allstate uses its own metrics, rather than relying solely on rating agencies to determine overall capital needs as well as capital allocations and levels within the various businesses

Growing with ERM

• Initially, ERM was used only for Allstate Protection, its property/casualty business

• Now implemented in Allstate Investment and others

• Allstate now operates a Risk Opportunity Forum: members analyze suggestions for greatest potential

• Repeats risk assessment every 2 years

References

• COSO Executive Summary: http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf

• Basel Standards: http://www.bis.org/publ/bcbsca.htm

• Case Study: http://www.towersperrin.com/tp/getwebcachedoc?webc=TILL/USA/2006/200608/Allstate.pdf

• Allstate website: http://www.allstatenewsroom.com

• CRISIL Rating: www.crisil.com

• Other references: www.wikipedia.org

Glossary

1. Operational Risk: The risk of loss resulting from inadequate or failed business, people and systems or from external events (As defined by the Basel Committee)

2. Risk Tolerance: A measure of the degree of uncertainty that an investor is willing to accept in respect of the negative changes to its business or assets