Book 1. Foundations of Risk Management

FRM Part 1

FRM 8. Enterprise Risk Management and Future Trends

Presented by: Sudhanshu

Module 1. Enterprise Risk Management

Module 2. Risk Culture and Scenario Analysis

Module 1. Enterprise Risk Management

Topic 1. Enterprise risk management (ERM)

Topic 2. Silo-Based Risk Management

Topic 3. Silo-Based Risk Management vs Enterprise Risk Management (ERM)

Topic 4. ERM Motivations

Topic 5. ERM Best Practices

Topic 6. ERM  Program  Dimensions

Topic 1. Enterprise Risk Management (ERM)

  • Definition: 

    Enterprise Risk Management (ERM) is a comprehensive and integrated framework for managing a firm's key risks to meet business objectives, minimize unexpected earnings volatility, and maximize firm value.

  • Key Characteristics

    • Centralized and integrated approach to risk management

    • Considers interdependencies between different risk types

    • Provides enterprise-wide view of risks rather than isolated assessments

    • Enables efficient allocation of risk management resources

    • Facilitates consistent risk measurement methodologies across the organization

Practice Questions: Q1

Q1. The basis of enterprise risk management (ERM) is that:

A. risks are managed within each risk unit but centralized at the senior management level.

B. the silo approach to risk management is the optimal risk management strategy.

C. risks should be managed and centralized within each business or risk unit.

D. it is necessary to appoint a chief risk officer to oversee most risks.

Practice Questions: Q1 Answer

Explanation: A is correct.

The basis of enterprise risk management (ERM) is that risks are managed within each risk unit but centralized at the senior management level. The traditional approach to risk management was the silo approach, under which each firm unit was responsible for managing its own risks, setting its own policies and standards, without coordination between the business-line and risk units. ERM is a superior approach because management benefits from an integrated approach to handling all risks (for example, management can see risks within the firm that cancel out and, therefore, do not need to be separately hedged). It is common, but not necessary, to appoint a chief risk officer to oversee all risks under ERM.

Topic 2. Silo-Based Risk Management (ERM)

  • Traditional Approach Characteristics

    • Each risk type evaluated by specific units in isolation
    • Independent risk assessment without coordination
    • Separate policies and standards for each business unit
    • Different methodologies and formats for risk measurement
    • Fragmented information flow to senior management
  • Examples of Silo-Based Management
    • Market Risk: Managed by traders
    • Insurance Risk: Managed by actuaries
    • Business Risk: Analyzed by management
    • Credit Risk: Handled by credit departments
    • Operational Risk: Managed by operations teams
  • Key Limitation: The silo approach ignores the dynamic nature of risks and their interdependencies, potentially resulting in inefficient and costly overhedging at the firm level

Topic 3. Silo-Based Risk Management Vs ERM

Topic 4. ERM Motivations

  • Strategic Benefits

    • Risk Appetite Definition: Helps managers define enterprise-wide risk appetite and adherence constraints
    • Focus on Major Threats: Allows focus on largest threats to firm survival rather than day-to-day unit threats
    • Enterprise-wide Threat Identification: Identifies threats arising from individual business lines that affect entire operation
    • Emerging Risk Management: Better manages cyber threats, reputation risks, and anti-money laundering risks

  • Operational  Benefits

    • Regulatory Compliance: Supports regulatory compliance requirements
    • Stakeholder Confidence: Reassures stockholders and stakeholders
    • Risk Correlation Understanding: Helps understand crossover risks and correlations between risk types
    • Cost Optimization: Optimizes total costs of transferring risks in line with risk scale

    • Risk is incorporated into business model selection and the strategic decisions of the bank.

Practice Questions: Q2

Q2. Jimi Chong is a risk analyst at a mid-sized financial institution. He has recently come across an article that described the enterprise risk management (ERM) process. Chong does not believe this is a well-written article, and he identified four statements that he thinks are incorrect. Which of the following statements identified by Chong is actually correct?

A. One of the drawbacks of a fully centralized ERM process is overhedging risks and taking out excessive insurance coverage.

B. ERM benefits include better management of risks at the business level, improved business performance, and better risk reporting.

C. ERM uses sensitivity analysis instead of scenario analysis to analyze potential threats.

D. A strong ERM program allows a firm to focus on the largest risks facing the enterprise.

Practice Questions: Q2 Answer

Explanation: D is correct.

A strong ERM program allows a firm to focus on the largest risks facing the enterprise. Overhedging risks and taking out excessive insurance coverage are issues faced by companies that do not have an integrated ERM strategy. Managing risks at the business level is not an advantage of an ERM program. ERM programs use scenario analysis and stress testing, rather than sensitivity analysis, to assess
potential threats.

Topic 5. ERM Best Practices

  • Corporate Governance Framework

    • Corporate governance is critical for successful ERM implementation, ensuring senior management and board have requisite organizational practices and processes to adequately control risks.

  • Key Governance Requirements
    • Risk Appetite Definition: Senior management and board must adequately define firm's risk appetite and risk tolerance levels
    • Management Commitment: Management should remain committed to risk initiatives
    • Organizational Structure: Ensure firm has required risk management skills and organizational structure
    • Risk Integration: All key risks successfully integrated into ERM program
    • Clear Roles: Clearly defined risk roles and responsibilities, including Chief Risk Officer (CRO) role
    • Oversight Framework: Oversight, audit, and monitoring targets are crucial components

Practice Questions: Q3

Q3. Which of the following targets should be set as part of an ERM program?

A. The maximum value at risk (VaR) under multiple stress test scenarios.

B. The firm’s risk appetite.

C. The firm’s Tier 1 capital to asset ratio.

D. The optimal size of the ERM Committee.

Practice Questions: Q3 Answer

Explanation: B is correct.

The firm’s risk appetite and strategic goals in light of the risk appetite are the targets that must be set as part of an ERM program.

Topic 6. ERM Program Dimensions

  • Five Important Dimensions:

    • Targets

      • Align strategic goals with risk appetite

      • Use mechanisms like compensation plans & global risk limits

    • Structure
      • Clear roles (CRO, risk committees)
      • Strong governance & reporting lines
    • Identification & Metrics
      • Scenario analysis, stress testing, VaR
      • Risk mapping & total cost of risk approach
    • ERM Strategies
      • Firm-wide and business-line risk strategies
      • Risk treatment: avoid, mitigate, or transfer
      • Use appropriate transfer instruments
    • Culture
      • Risk-aware culture led by top management
      • Engage employees at all levels

Module 2. Risk Culture and Scenario Analysis

Topic 1. Risk Culture

Topic 2. Risk Culture Characteristics and Challenges 

Topic 3. Scenario Analysis and Stress Testing

Topic 4. Sensitivity analysis

Topic 5. Scenario Analysis

Topic 6. Advantages of Scenario analysis

Topic 7. Disadvantages of Scenario analysis

Topic 8. Scenario Analysis in Stress Testing Programs

Topic 9. Scenario Analysis in Capital Planning

Topic 1. Risk Culture

  • Risk culture refers to the shared values, beliefs, attitudes, and understanding of risk within an organization.

  • It determines how risk is perceived, discussed, and acted upon at every level—boardroom to front-line.

  • A strong risk culture promotes ethical behavior, improves risk-awareness, and supports long-term stability.

  • Weak risk culture has been cited as a major cause of financial scandals and crises (e.g., LIBOR manipulation, subprime crisis).

Topic 2. Risk Culture Characteristics and Challenges 

  • Characteristics of a Strong Risk Culture

    • Tone from the Top: Leadership consistently demonstrates commitment to prudent risk-taking.

    • Risk-Aware Incentives: Bonuses and promotions are tied to responsible behavior, not just profits.

    • Clear Accountability: Defined responsibilities, with consequences for breaches or negligence.

    • Integrated Risk Understanding: Staff understand the firm's risk appetite and apply it in daily decisions.

  • Challenges to Establishing Strong Risk Culture
    • Diverse Risk Attitudes: Employees bring personal biases shaped by experience, culture, and role.
    • Siloed Business Units: Each division may form its own culture, misaligned with enterprise risk goals.
    • Erosion Over Time: After a crisis, lessons fade, and complacency or overconfidence may return.
    • Information Overload: Excessive data without context can paralyze effective risk decision-making.

Practice Questions: Q4

Q4. Allen Richards sits on the board of directors of a Canadian financial institution. Richards read the following statements in a presentation made to the board of directors by management on the institution’s risk culture:

Statement 1: "As long as managers at business-line levels have the same risk appetite as the overall firm, the risk tolerance of the business-line employees is irrelevant."
Statement 2: "Hiring a chief risk officer will fix the risk culture problems we face at this institution."
Richards believes both of these statements are incorrect. Richards's assessment is accurate with respect to:

A. Statement 1 only.

B. Statement 2 only.

C. both statements.

D. neither statement.

Practice Questions: Q4 Answer

Explanation: C is correct.

Richards is correct with respect to both statements in that both statements are incorrect. Risk culture must infuse the entire organization, not simply business line managers. Hiring a chief risk officer might signal a change in culture but will not “fix” all the risk culture problems. It might be perceived as window dressing or rebranding, with no real changes occurring with respect to the risk appetite and risk tolerances of the firm.

Topic 3. Scenario Analysis and Stress Testing

  • Key components of risk identification and planning within ERM.
  • Stress Testing: Simulates extreme, adverse conditions to test firm resilience (e.g., recession, market crash).
  • Scenario Analysis: Evaluates impact of a combination of variable changes, often built around a story or event.
  • Used to explore vulnerabilities, improve contingency planning, and ensure regulatory compliance.
  • Vital for financial institutions in capital planning and strategic decision-making.

Topic 6. Sensitivity Analysis

  • Involves altering one input variable at a time (e.g., interest rate, default rate) to observe the effect on a specific output.
  • Helps isolate the influence of each risk factor.
  • Simple to use, quick to interpret, but limited in assessing real-world scenarios where multiple risks interact.
  • Often used in early stages of risk modeling or decision-making to identify key drivers.

Practice Questions: Q5

Q5. Luke Drake has been recently appointed as the chief risk officer (CRO) of a bank. Drake is looking to implement a comprehensive enterprise risk management (ERM) program and had several discussions with senior management on this topic. During one of these discussions, Drake made the following statements:

- Statement 1: "Stress test scenarios should focus on the bank's ability to withstand historical shocks such as the Russian financial crisis of 1998 or the subprime debt crisis of 2008."
- Statement 2: "In order for us to develop a successful ERM program, governance is important. This means senior management and the board of directors must engage in defining our risk appetite and risk and loss tolerance levels."
Is Drake correct regarding stress testing and corporate governance?

 

 

 

 

\begin{array}{ll} \text { Stress Testing } & \text { Corporate Governance } \\ \text { A. Correct } & \text { Incorrect } \\ \text { B. Incorrect } & \text { Incorrect } \\ \text { C. Correct } & \text { Correct } \\ \text { D. Incorrect } & \text { Correct } \end{array}

Practice Questions: Q5 Answer

Explanation: D is correct.

The first statement is incorrect in that it is backward looking. The Federal Reserve conducts stress tests and requires banks to consider baseline, adverse, and severely adverse scenarios, which may include historical variables but also include factors that have not necessarily happened before. The second statement is correct. Corporate governance requires managers, executives, and the board to be fully engaged in defining the firm’s risk appetite and tolerable losses.

Topic 5. Scenario Analysis

  • Simultaneous evaluation of multiple changes in assumptions (e.g., GDP drops + interest rate rises + commodity shock).
  • Developed using expert judgment, historical reference, and hypothetical future events.
  • Goes beyond models—uses narratives to describe chain reactions and behavioral shifts under stress.
  • Supports risk aggregation, tail-risk understanding, and firm-wide planning.
  • Often integrates with stress testing frameworks like CCAR, DFAST (for banks).

Topic 6. Advantages of Scenario Analysis

  • Plausibility > Probability: Focuses on what could happen, not what is likely.

  • Encourages forward-looking thinking—vital in a rapidly changing world.

  • Exposes hidden risks and interdependencies across departments and asset classes.

  • Helps define risk appetite and set realistic risk limits.

  • Encourages cross-functional dialogue—fosters collaboration among risk, finance, and business lines.

  • Scenarios can be based on past crises or hypothetical futures (e.g., cyberattack, pandemic).

Topic 7. Disadvantages of Scenario Analysis

  • Difficult to Quantify: Often lacks numerical precision; more qualitative.

  • Probabilities Unknown: No clear estimate of how likely the scenario is.

  • Scenario Selection Bias: Firms may select “comfortable” scenarios that are too mild or backward-looking.

  • Limited by resources—only a few scenarios can be developed in depth.

  • May provide false confidence if not updated regularly or validated.

  • Requires high expertise and judgment, which may not always be objective or uniform.

Topic 8. Scenario Analysis in Stress Testing Programs

  • Pre-GFC: Banks used historical scenarios based on real events
    • 1997 Asian crisis, 1998 Russian debt moratorium, 2001 September 11 effects
    • Failed to capture risk interactions and behavioral changes during stress
    • Scenarios were milder than actual 2007-2009 crisis conditions
  • Current U.S. Regulatory Framework
    • SCAP (2009): Initial Supervisory Capital Assessment Program
    • DFAST: Dodd-Frank Act stress tests for banks with $10+ billion assets
    • CCAR: Comprehensive Capital Analysis and Reviews for banks with $50+ billion assets
  • Three Required Macroeconomic Scenarios
    • Baseline: Based on consensus economic forecasts
    • Adverse: Assumes moderately declining economy
    • Severely Adverse: Global recession/depression scenario
  • Key Benefits
    • Dynamic Testing: 9-quarter horizon allows scenarios to unfold over time
    • Interlinking Factors: Considers interconnected risks vs. siloed approach
    • Systemic Risk Assessment: Common scenarios enable regulator comparison
    • Reverse Stress Testing: Work backward from worst-case KPIs to identify vulnerabilities

Topic 9. Scenario Analysis in Capital Planning

  • CCAR Capital Planning Requirements: Banks must forecast and submit detailed projections including:

    • Financial Projections: Balance sheets, income statements, revenues

    • Risk Assessments: Loan loss provisions, credit losses, debt security downgrades

    • Operational Plans: New lending rules, business plan changes

    • Capital Management: Sources, uses, adequacy methodologies over 9 quarters

  • Capital Adequacy Standards (2018 Minimum)

    • Common Equity Tier 1 Capital Ratio: 4.5%

    • Tier 1 Risk-Based Capital: 6%

    • Total Risk-Based Capital Ratio: 8%

    • Tier 1 Leverage Ratio: 4%

  • Strategic Capital Tools

    • ​Contingent Convertible Bonds (CoCos): Convert to equity during capital stress

    • Risk Transfer Mechanisms: Act as insurance, encourage stronger risk culture

    • Dynamic Capital Planning: Adjust plans as scenarios unfold over time

Topic 9. Scenario Analysis in Capital Planning

  • Business Integration Profits:

    • Cross-Functional Collaboration: Business-line managers discuss risks together
    • Strategic Decision-Making: Scenario analysis informs day-to-day planning
    • Risk Management: Specify risk appetites, limits, and contingency plans
    • Compliance Evolution: Moving beyond compliance to strategic business tool

  • Complexity Scale

    • 2018 Federal Reserve Scenarios: 28 variables (VIX, interest rates, GDP, real estate)
    • Additional Factors: Hundreds of variables including yield curves, commodities, land values