BUSINESS OPTIONS

August 04, 2011

RISK AWARENESS FOR EVERYONE

By Flor G. Tarriela

When clients entrust their money with the bank, this means the money IS safe no matter what happens.  We cannot make the excuse that there was a storm which flooded our vaults on the 3rd floor hence we lost all the records of your money.  Or that there was a fire which burned the computers which started from a lightning which struck the coconut tree half a kilometer away. 

Risk management is what your bank does to protect the assets you have entrusted to us from events that have not yet occurred but may occur. 

Risk management is about:  (a) listing down the risks that can occur, (b) prioritizing which risks to be protected against given our limited means, and (c) doing the measures that will minimize the adverse effects if the risk occurs. 

RISK IDENTIFICATION

Pause for a moment to list down what are the possible bad things that can occur.  Write it down; be as paranoid as you can.  The airplane’s engine will fall and hit the building where the data center is housed.  A tornado will pull away the roof of the branch and the contents of the vault will fly away (do we have tornadoes in the Philippines?).  A risk is an event that has not yet occurred but can occur; we cannot prevent a risk, we can only mitigate its adverse effects.  If the problem already exists, it is not a risk, it is a weakness.

The bank buys Treasury Bills and other similar instruments for reselling to its clients.  The risk is that the market prices for these instruments will go down and the bank will lose money because it cannot recover its cost.  This has not yet occurred; this is Market Risk.  Market Risk is defined as the negative effect on the value of the asset due to changes in market / economic conditions - interest rates, foreign exchange rates.

Another example is that of a husband borrowing money from the bank to purchase a house.  He has a good record, he always pays his credit cards on time, is respected in his neighborhood; has been in his job for several years.  He has good “character”—the first C in the 5 Cs of credit. The other “C”s are:  Collateral, Capacity to pay, Capital, and Conditions.  We expect that he will pay the loan amortization on time.  But what if he loses his job, he gets sick and is disabled, dies of a heart attack (heaven forbid), or starts to play around and has a mistress, overspends, drinks all night, goes to casinos and loses money.  This has not occurred but can occur; it is Credit Risk.  Credit Risk is defined as the negative effect on the value of the credit asset due to unforeseen events in the paying capacity of the borrower.

Other risks that a financial institution may be exposed to are as follow (among others):

Liquidity Risk – the negative effect on the value of the asset because of the bank’s inability to liquefy its holdings

Funding Risk – the risk that the bank is unable to meet its obligations when they are due

Operational Risk - the negative effect on the bank’s earnings due to business disruptions, internal and/or external fraud, and / or the overall inability of the bank to deliver products & services

Reputation Risk – the negative impact on the bank’s overall earnings and / or destruction of shareholder value due to a negative public opinion, hence affecting the bank’s overall trustworthiness

Compliance Risk – the current and prospective risk to earnings or capital arising from violations of, or nonconformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards

RISK PRIORITIZATION

List the risks and order them from possible to nearly unlikely.  Then order them again by magnitude of adverse effect.  Those of us who did not fall asleep during Statistics class will have an “aha” moment remembering that probability x magnitude of effect = expected value. 

But how do we give a probability to an event that has not yet occurred?   If the risk is possible, give it, say 75% (more or less); if it is unlikely, give it a range of 1%-49%; if it can move either way, give it 50 - 50% likelihood. 

How do we measure the magnitude of effect?  Use money.  How much will we lose if the risk occurs?  How much do we have to spend to get back to normal if the risk occurs? How much should a financial institution spend to mitigate its risks?  An exercise in cost-benefit analysis needs to be done continuously.

For example:  A client who owns a digital shop (the one that sells laptops, computers, Macs) takes out a loan (P4,000,000) to expand his business. Client has good track record with the bank.  Pays on time, from previous loans; keeps the bank updated on the progress of his business.  But Client’s shop is located in a flood prone area.  The likelihood of the shop getting flooded is rare, so we give it a probability of say, 25%.  If the client’s digital shop is completely flooded, the client may lose say a quarter of his inventory and may have to replace all the furniture—say P1 million.  What then is the expected value of the risk?  25% x P1 million = P250 thousand.  The risk of being robbed is always present for a store.  Let us make the risk higher, say 50%.  But if the shop is robbed, chances are the robbers can only bring away half of the inventory and not destroy the furniture.  If half the inventory costs P1.5 million, the expected value of the risk is 50% x P1.5 million = P750 thousand. Lastly, a fire will be devastating.  It will destroy the entire shop.  The shop is in standalone building, well made, concrete.  The risk is low, say 25%.  The expected value of the risk is 25% x P4 million = P1 million.

Now that you have listed the risks and prioritized them by expected value, focus on those with highest expected value first.  We do not have an unlimited amount of money nor time.  There will be risks that we can address.  The rest we leave to prayer.

RISK MITIGATION

With the selected top 10 or top xx risks by expected value, plan what can be done to minimize the adverse effect.  Imagine that the risk has occurred, what could have been done earlier to minimize the “adverse effect” (I repeatedly use this term because it is the precise phrase).

Imagine the fire in the bank’s data center.  What are the risk mitigation measures that can minimize adverse effect?  We install a fire-suppressant gas system that would keep the effect of the fire to only a few devices, good.  Or we can choose to install a water sprinkler system which could be cheaper   and spend the money instead on a back-up data center and real-time copies of all their data.  This is Business Continuity Planning.  These life-changing risks have such a high expected value (probability x entire capital of the bank) that significant spend to mitigate risk is justified. 

Why is the “expected value” important as a concept?  If the bank is worth P10 billion and the probability of a fire in the data center is 5%, then spending P50 million for a back-up data center with all the software and equipment to do real-time recovery may be a fair exchange. 

How much money should we spend on RISK MITIGATION?

Companies should take time to identify all possible physical and morale risks that can occur.  We spend hundreds of hours at various levels of the organization – from head office staff to branch managers, officers, and staff – to identify, evaluate, and practice risk mitigation measures. Disaster recovery exercises where one branch is shut down and operates from another location is one of those mitigations to allow our customers to still work with the branch even if the building itself may be damaged. We invest equipment to minimize the adverse effect of a service interruption or data loss arising from the occurrence of a risk.

Carlette Pama,   PNB’s Risk Executive says,   “We spend a lot of money on training because facility and equipment alone will not work without practiced/experienced people who can provide the service even when the risk events occur.  They are not wasted effort or money just because the branch never gets flooded.   Risk mitigation training is good for the soul. “

Ms. Tarriela is Chairman of Philippine National Bank.  She is a trustee of FINEX Foundation, former Undersecretary of Finance & Vice President of Citibank N.A.