Financial Risk Management and Business Continuity Management
Christoph Stute
Guatemala, 28-29 March 2012

Financial Risk Management
Risk Management in Banks: Regulatory Framework in Germany
Minimum Requirements for Risk Management (MaRisk)
Regulation issued by the Federal Financial Supervisory Authority
- MaRisk provides a flexible, hands-on framework for risk management at institutions defined in the German Banking Act (not Bundesbank!)
- Within the meaning of MaRisk, risk management includes the determination of appropriate strategies, as well as the establishment of appropriate internal surveillance procedures.
- The internal surveillance procedures comprise the internal control system and internal audit.
- The internal control system covers rules regarding the organizational and operational structure and processes for identifying, assessing, treating, monitoring and communicating risks.
- MaRisk aims primarily to ensure the establishment of appropriate internal governance structures.
Bundesbank Risk Control Office
- established in 1997
- Direct reporting to the Executive Board
- in analogy with banking supervision regulations (MaRisk) independent from markets department up to and including the board level (segregation of duties)
- Our mission: We identify and measure risks, advise impartially in questions of risk management and report on risks and returns.
- currently 21 staff members divided into 2 sections: Risk Framework & Reporting and Analytics & IT Systems
Functions of the Office for Risk Control
- reporting (daily, monthly, annually)
- advisory function for the board, e.g. strategic asset allocation
- Risk component / limit setting of the investment guidelines
- proposals for the portfolio benchmarks
- pricing, performance measurement
- analysis, measurement and limitation of financial risks
- counterparty monitoring
- Eurosystem: attendance at the Risk Management Committee
- Legal documentation
- Market reasonability checking
In addition
In its role as fiscal agent, the Bundesbank also performs asset management services on behalf of the Federal and state governments.
Asset management services cover:
- several pension fund portfolios of the Federal Government
- portfolio of the Monetary Stability Foundation
- pension fund portfolio of the Federal Employment Agency
- pension fund portfolio of the Federal Financial Supervisory Authority
- several state (regional) government pension reserves and funds
All related risk management functions are performed by the Office for Risk Control.
Financial Risk Management is part of Enterprise Risk Management
[Diagram of risk categories. Labels: Reputational Risks, Financial Risks, Business Risks, Operational Risks, Currency Risks, Interest Rate Risks, Liquidity Risks, Counterparty Risks, Employee Risks, Technical Risks, External Risks, Human Failures, IT Risks, Primary Maintenance Risks, Incorrect Conduct, Critical Infrastructure, Dependencies On Third Parties, Misallocation Of Staff, Negative Press Coverage, Inadequate Qualification Of Staff, Legal Risks, Changes In Law, Natural Risks, General Security Risks]
Enterprise Risk Management (ERM)
- Executive Board has the overall responsibility for the management of risks
- ERM: Responsibility is with the Department Controlling, Accounting and Organisation; ERM Office receives risk reports of the business areas, checks the results of risk assessment and prepares annual risk report to the board
- Management of operational risks: decentralized approach, individual business areas (heads of departments) are responsible
- Financial Risks: Office for Risk Control
- Other dedicated units are responsible for IT-security, general security, crisis management, business continuity
Assets covered by Office for Risk Control
[Diagram with the column headings Bundesbank, Eurosystem and Services (fiscal agent). Labels, in the order they appear:]
- Gold and currency reserves
- FX-Operations
- Euro denominated Portfolios
- Central bank reserve management services
- ECB-foreign reserves
- Eurosystem Refinancing Operations
- ~590 bn
- Foundation Geld und Währung
- Pension fund BaFin
- Pension fund Federal employment agency
- Pension and reserve funds for the federal and (most) state governments
- ~260 bn
- all serviced portfolios: 15 bn
Financial Risk Management at Deutsche Bundesbank
Risk Control
- responsible for long-term risk/return level (Benchmark proposal and maintenance)
- defines risk control systems
- measures performance
- makes reports about risk/return situation
Market Operations
- executes daily investment decision
- tries to outperform benchmark
- positions portfolio respecting the given risk framework
Financial Risk Management at Deutsche Bundesbank: Decision Making Process
[Diagram. Labels: consulting and reporting; Board: approves investment guidelines; Risk Control; reporting; controlling; Investment Committee: decides on tactical deviations from benchmark; Traders]
Financial Risk Management at Deutsche Bundesbank: Use of strategic benchmarks
[Diagram. Labels: Board, Strategic View, Risk Appetite, Risk Control, Front Office, Tactical View, Additional Risks, Benchmark, Leeway, Return, Optimize return]
Risk management process (Textbook Version)
Risk management process (Central Bank Version I)
Risk management process (Central Bank Version II)
The greatest risk is the risk unseen (the black swan)
Business Continuity Management (BCM)
Definitions
Operational Risk Management
- ORM is the overall process for early identification, handling and monitoring of risks
- ORM includes business risks and OR
- ORM gives an overview on all risks and helps to decide which risks are acceptable and which not (risk tolerance / risk appetite)
- ORM has preventive character
- Focus: risks emerging from conducting the business
Crisis Management
- CM is the ability of an organisation to respond to any crisis situation in a predefined way
- CM includes a tool box with organisational and technical utilities to support management (BCP is one of these tools)
- CM has mainly reactive character
Business Continuity Management
- BCM identifies potential threats to an organisation and the impacts to its most critical functions
- BCM puts an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way.
- BCM has mainly reactive character
- Focus: risks that endanger the object of a company
BCM within the security strategy of the Deutsche Bundesbank
Strategic Security Framework: Definition of security
- Security describes a situation which is free from unacceptable risks of impairment or is regarded as free of risk.
- For complex systems, it is impossible to completely rule out risks.
Security Objectives
The following are to be protected in accordance with the level of risk identified:
- Persons
- Valuables
- Property
- Information
Our Policy: The protection of persons overrides the protection of valuables or property
Strategic security framework
The protection goal is achieved by security sub strategies:
- Strategy for protecting persons
- Strategy for analysing threats to the Bundesbank
- Property protection strategy
- Security strategy for cash-in-transport vehicles
- IT security strategy
- Strategy for protecting confidential information
- Strategy for emergency and disaster protection, civil defence
- BCP
- Crisis Management
Definition and objective of BCP
- In general, business continuity planning (BCP) aims at a temporary or possibly permanent continuation of business operations in emergency and disaster situations
- The objective of the Bundesbank's BCP is the continuation of key central bank business activities in emergency and disaster situations, in order to avoid the central bank causing a destabilisation of the financial system
- Consideration given to risk and cost-benefit aspects
History of BCM at Bundesbank
- BCM is not a new issue for the Bundesbank; contingency measures have been in place since its early days
- But in the past BCM wasn't a major issue, because of
  - relying on manual procedures for performing business,
  - the decentralised organizational structure and decentralised execution of business (most of critical functions were performed on regional level) leading to a broad protection against major incidents,
  - technical redundancies through decentralised data centres.
History of BCM at Bundesbank (continued)
- For central functions a two sites concept for the data centre of the central office was put in place (in the mid 1980s)
- In the mid 1990s: the 10 data centres were replaced by a two sites/two regions concept (Frankfurt and Düsseldorf)
- Since 2005 the two sites/two regions concept is realized in Frankfurt
Reasons for investigation and strengthening BCP
External events
- Year 2000
- Terrorism, 9/11
- Serious power supply failures in North America and Europe in 2003
- Computer viruses: Mydoom, Sober
- Contingency obligations (e.g. TARGET security requirements, KRITIS, Basel II, Act on Corporate Governance and Transparency)
Internal reasons
- In-house power supply failures
- Structural reform renders the Bundesbank's former decentralised crisis management organisation obsolete
Levels of Business Continuity Planning and Crisis Management
- Bundesbank internal arrangements
- Arrangements concerning the national banking sector: Working Group Crisis Management for Payment and Clearing Systems (communication infrastructure for serious crisis and contingency scenarios in large-value payment transactions)
- National level of preparations:
  - Emergency Management (Bundesbank is involved regarding securing supply of cash)
  - Communication networks for managing financial crisis
  - Federal Government initiated a working group to analyse security and stability of IT infrastructures, which are critical to the common good (e.g. electricity, telecommunication, transport, financial services, ...)
- Arrangements on ESCB level
Basic approach of the Bundesbank on BCM
- Business Impact Analysis (BIA) to identify most critical business functions / processes; definition of core business function
- Analysis of potential threats; definition of scenarios to be responded to
- Decision which function / process has to be secured against which threat on basis of a cost/benefit analysis by the board
- Identification of organisational and technical measures to reach safeguarding
- Ongoing investigation; reason: processes and threats change permanently
- Responsibility: business areas and IT
- Co-ordination and reporting to Executive Board via ACO (= Steering Committee)
- Regular review by Internal Audit and during Organizational Analysis
Roles and responsibilities
- BCP strategy: Ex. Board (= definition of scenarios to respond to; definition of critical functions)
- BCP (developing and implementation): business units on basis of predefined scenarios
- BCP (methodology and reporting) and Division Organisation, Security Crisis Management Section
Core business areas of the Deutsche Bundesbank
- Cash and cashless payments
- Operational monetary policy including collateral management
- Account management and accounting
- Foreign exchange and reserve management for the Bundesbank and on behalf of the ECB
- not statistics or research
Scenario technique
- Scenario 1: Production system or communication links temporarily unavailable; backup-system available, staff available
  - contingency measures; hot secondary site
- Scenario 2: Essential site(s) partially unavailable but the production system and all communication links are available and functioning, staff available
  - Use of remote access/teleworking; use of office space at other locations
- Scenario 3a: Essential site(s) inaccessible; production system and all communication links down; backup system functioning, staff available
  - Hot secondary site
  - Use of remote access/teleworking; use of office space at other locations
- Scenario 3b: Essential site(s) inaccessible; production system and all communication links down; backup system functioning, staff unavailable
  - Hot secondary site
  - Perform critical business by split teams at different locations (so that one part of the team is not affected by the incident)
- Scenario 4: Essential site(s) inaccessible; production system and all communication links down; backup system not functioning; loss of competent staff, entire Rhein/Main area similarly affected, Bundesbank customers/partners also affected
Implementation of Business Continuity Planning (Part I)
- Securing availability of information technology applications and data
  - Data backup
  - Installation of a second data processing center (2nd site, hot-standby)
  - Redundancy of hardware, power supply, network, ...
- Securing ability to communicate for crisis management team and BCP Teams
  - Redundancy of telecommunication infrastructure
- Fall back solutions
  - Implementation of fall back procedures, if IT applications are not available
Implementation of Business Continuity Planning (Part II)
- Service Level Agreements between business units and supporting units (so that everybody knows exactly what is expected and what can be delivered)
- Installation of backup operations sites depending on organisational issues (fully equipped sites or sites normally used for other purposes which can be used by BCP-team if necessary)
- Splitting of operations staff into teams at different sites in normal times, so that one team can take over in a crisis
- Training of staff
- Regular testing
BCP for the core central bank business areas: some practical experiences from the beginning
- A central bank is different to companies with profit maximisation; no consideration of business areas that have the most financial impact in case of an interruption but what has the biggest impact on public life
- At the beginning, most business units do not see the necessity for BCP: increasing of costs, unneeded activities, disturbs normal business
- Later on, nearly every business unit liked to have a BCP, as every unit sees itself as important; new large discussion: which business unit / process is critical