Frank Bezzina, Ph.D., Pascal Lélé, Ph.D., Ronald Zhao, Ph.D., Simon Grima, Ph.D., Robert W. Klein, Ph.D. and Martin Hellmich, Ph.D.
The International Organization for Standardization’s ISO 31000:2009 standard¹ reconceptualised the term ‘risk’ for all operations concerned with risk management. In this standard, risk is no longer defined as the chance or probability of loss but as ‘the effect of uncertainty on objectives.’ Consistently with this, Basel III,² Capital Requirements Directive (CRD) IV,³ the European Union’s Solvency II Directive 2009/138/EC,⁴ the International Accounting Standards Board (IASB) and the US Financial Accounting Standards Board (FASB) have all recommended the expected loss (EL) approach (amongst others) for risk capitalisation.
Many decision-making techniques based on statistics and probability or stochastic processes are available to help companies better serve their customers and are, hence, particularly beneficial to customer relationship management (CRM). However, employers and internal auditors have fewer options for structured decision making based on the EL approach. Implemented through an IT-directed investor relationship management (IRM) system, the EL approach regulates the practices of value creation through interaction. Its purpose is to rationalise structured decision making and to use real-time operational risk data derived from the loss data stored in data warehouses. The scope is to schedule performance on the basis of the stock of potentially recoverable losses (a source of cost savings) and to process productivity indicators in real time.
IT-directed IRM adds value to risk management by strengthening internal controls and audit processes.
An information system that focuses solely on the nominal layout and structure of the functions available is disconnected from risk management and corporate governance. This is more or less the current situation, in which IT is indiscriminately dedicated to every function. The operational risk requirements of Basel III and the recent progress on CRD IV in the European Union (EU) highlight the urgency of solving this problem in order to ensure financial stability. The specific objective of Basel III is to take into account the impact of operational risk management on value creation capacity, thereby allowing enterprises to anticipate and cover counterparty risk (i.e., the risk that the counterparty to a transaction fails to meet its obligations, or may be incapable of meeting them, before the transaction is completed).
To avoid providing false estimations to meet minimum solvency capital and liquidity requirements, financial reporting should be based on the interaction of two poles of data processing. On the one hand, counterparty credit risk (CCR) data should help reduce uncertainty about the value creation objectives of the enterprise’s business model. This is in conformance with ISO 31000:2009 (risk management); International Accounting Standard (IAS) 7;⁵ and the US Statements of Financial Accounting Standards (SFAS) 95, 102 and 104 (cash flow statement), thereby enabling the business to acquire or maintain its credit lines. On the other hand, investment companies, banks, insurance companies and financial analysts need to justify to prudential regulators the origin and traceability of their CCR management data and, consequently, the reliability of their calculations for credit value adjustment (CVA) and forward-looking funding ratios (i.e., probability of default, CCR coverage and stress testing of capital adequacy).
The IT-directed IRM supplies applications for executing cost savings through organisational dynamics or synergy by articulating different functions in the internal control system, including finance, human resources, operations management and managerial accounting. These functions can contribute to the piloting of an enterprise risk management (ERM) system by setting up periodic value-creation objectives on a three-year plan.
To achieve the objectives of Basel III, it is imperative to understand risk management in relation to both corporate governance and financial reporting.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) initiated a project in 2001 aimed at developing a framework for management to evaluate and improve organisations’ ERM through internal control systems—Enterprise Risk Management—Integrated Framework. All entities face uncertainty, and the major challenge for management is to determine how much uncertainty to accept as the organisation strives to seek growth in stakeholder value. Management has to set the strategy and should strive to strike an optimal balance between growth and returns goals and related risk. Additionally, resources need to be deployed efficiently and effectively in order to maximise value.
COSO adopted an accounting concept of EL in the ERM framework published in 2004, whereby risk is addressed through avoidance, acceptance, reduction or sharing. Management is required to elaborate a set of measures to determine the organisation’s risk-tolerance threshold and risk appetite. This is in contrast to unexpected loss (UL), which is revealed by the incidents or dysfunctions registered in the internal databases (risk cartographies) installed under Basel II. ELs are known losses because they are revealed in every accounting period by the gap analysis of the income statements (profit and loss accounts) published by the entity. Hence, ELs are either accepted or tolerated losses.
The scope of the EL approach is to enable all strategic, managerial and operational tasks of an organisation, throughout its projects, functions and processes, to align with a common set of risk management objectives. However, under this approach, much of the necessary information is not available from financial accounting reports.
Basel III has subscribed to this approach and requires real-time operational data in conformance with IAS/IFRS 39 and IAS/IFRS 7. Basel III provides a global regulatory standard on bank capital adequacy, stress testing and market liquidity risk. Basel III is scheduled to be in place between 2013 and 2018. The following have been issued in order to raise the quality, consistency and transparency of institutions’ capital base and to strengthen the risk coverage of the capital framework for the banking industry:
However, from the point of view of the investor, risk is defined as the value expected from return on investment (ROI) at an indicated threshold, reducing the uncertainty on the objectives of value creation of the CCR business model. There is concern that investors will become hesitant to put money into industries that lack evidence-based IT-directed IRM.
According to COSO, ERM is an on-going and living process in an entity, is applicable across all levels and units of the enterprise, takes an entity-level portfolio view of risk, and can identify potential events that might affect the entity. Risk needs to be managed within the entity’s risk appetite. The entity should be able to provide reasonable assurance to management and the board of directors (corporate governance), and it should be geared towards achieving objectives in one or more separate but overlapping categories.
The value in using IT-directed IRM rests on:
IT-directed IRM applications treat the data stored in the data warehouses in a systematic manner. They calculate the recoverable potential on every reporting date (i.e., the operational risk cost-saving data). This provides a more accurate valuation of the CCR. Every CCR becomes capable of articulating the functions of structured decision making, which occur at three stages of operational management:
The aim of IT-directed IRM is to feed the information system on which the internal controls of a firm rely in order to analyse financial risk with richer financial management data.
The pricing of assets is known to be a major difficulty for investors (banks, insurance firms and financial markets). In the absence of operational risk data, the prudent financial analysis model that prevails is one of weak-form efficiency. This concept characterises information emerging from the observation of past income statements or of past stock market prices. An examination of past asset profits is useful in planning future profitability. The use of EL data and of cost-saving data, bound to the CCR’s appetite for operational risk, allows financial analysts to treat the assets in line with the International Financial Reporting Standards (IFRS) and US Generally Accepted Accounting Principles (GAAP)—elements on which firms depend for future economic and competitive advantages.
IT-directed IRM provides three reports that enable investors to reach this objective. In particular, it supplies to mathematical modelling tools (financial and economic models) the data on the endogenous interaction of operational risk associated with the CCR, for the calculation of generalisation ratios or for the macroeconomic projection of long-term provisions. The data provided by the following reports are particularly useful for updating the risk, especially when the financial and social quality of the CCR is deteriorating:
The financial report on realised cost savings dates back to 1772, when Josiah Wedgwood (the famous English pottery manufacturer) devised an accounting system that valued the cost of each product in monetary terms. The most recent guidelines are those of the regulations transposing the Basel III agreement (e.g., US Dodd-Frank Act, EU CRD IV-CCR, Canada’s OSFI Act), aimed at improving the usefulness and relevance of financial reporting for stakeholders. Article 371-3/CRD/2006 of Basel II had already set an objective of 80 percent cost saving on operational risk over a three-year period, with the risk appetite or threshold of tolerance (i.e., thresholds of waste, dysfunction or carelessness) set at 20 percent. In the US, the requirement of cost savings is integrated into budget management rules.⁹ ¹⁰
The last two reports mentioned concern social accounting as required by social audit regulations, as well as IFRS 7, ISO 31000:2009 and ISO 26000:2010.
The articulation of the financial reporting (economic metrics database) in social reporting (social metrics database 1 and 2) allows all the entities to translate in their practices the fact that the economy is a social science. In the US, this concern has been registered since 1990 in the missions of the Office of Federal Financial Management (OFFM) and of the Office of Performance and Personnel Management (OPPM). OPPM coordinates the administration’s goal-setting and performance-review process for the agencies’ high-priority performance goals and guides agency strategic and annual planning, performance reviews and performance reporting. OPPM works closely with the US Office of Personnel Management (OPM) to implement effective personnel policies and practices across the US federal government.
The value in use rests on data processing spread over the following two levels:
IT-directed IRM does not contain specific risk. Figure 1 illustrates the architecture of the decision-making IT-directed IRM, which is based on the transparency and traceability of data processing. It works on the classic online transaction processing (OLTP) information bound to the states generator of the decision-making processes. A states generator presents the result of the analysis to the end users or decision makers in the form of business states. To guarantee the traceability of the analysis, the IT-directed IRM states generator uses Microsoft Excel spreadsheets.
The ‘CCR decision makers’ aspect in the architecture illustrated in figure 1 is the point at which the suggested IT-directed IRM innovation lies. The difference from existing processes or procedures is that, until now, decision making has been limited to the application of stochastic methods within the finance function. To calculate the cash flows expected from an asset, all hypotheses for the realisation of cash flow are envisaged and each hypothesis is associated with a probability of realisation; the expected value is the probability-weighted value of the flows, updated on the basis of historical data.
The plan in figure 2 details the interactive intranet processes that articulate the functions of internal control—these are necessary to guarantee the execution of the CCR business model of value creation and to reduce uncertainty. The ERM mechanism recommended by COSO’s Enterprise Risk Management—Integrated Framework and specified by ISO 31000:2009 to strengthen the usefulness of financial reporting is binding from 2013 onwards for stakeholder compliance with the new prudential regulations (i.e., Basel III/CRD IV [EU], OSFI Act [Canada], Dodd-Frank Act [USA], Omnibus II Directive [EU-US], IASB, FASB).
Without modifying the existing IT systems or structure, IT-directed IRM introduces modules that allow every function of internal control to execute the tasks of interaction, to measure risk-adjusted performance, and to generate the data for corporate risk management and investor risk management. IT-directed IRM automatically measures the value created in real time, based on indicators (factors or causes at the origin of the operational losses) in all work posts, through gap analysis. The process is based on the following principles of cost accounting:
IT-directed IRM has significant value for risk management as it strengthens internal control and the audit processes of productivity, competitiveness and growth. In line with the objectives of Basel III, IT-directed IRM emerges as a useful tool for businesses and investors in mitigating financial risk.
Endnotes
1 International Organization for Standardization, ISO 31000:2009, www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=43170
2 Bank for International Settlements, www.bis.org/
3 European Commission, ‘Regulatory Capital’, http://ec.europa.eu/internal_market/bank/regcapital/index_en.htm
4 Directive 2009/138/EC of the European Parliament and of the Council, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32009L0138:en:NOT
5 International Accounting Standards Board (IASB), International Financial Reporting Standards, www.ifrs.org/Pages/default.aspx
6 Federal Reserve Bank of St. Louis, ‘Dodd-Frank Regulatory Reform Rules’, www.stlouisfed.org/regreformrules/
7 Canadian OSFI Act, http://www.osfi-bsif.gc.ca/
8 France Ministry of Labour, Employment and Health, ‘Mesurer les facteurs psychosociaux de risque au travail pour les maîtriser: Rapport du Collège d’expertise sur le suivi des risques psychosociaux au travail’ (‘Measuring and Controlling Psychosocial Risks at Work: Report of the Board of Experts on Monitoring Psychosocial Risks at Work’), France, April 2011
9 The Report of Realized Cost Savings of the State of Oklahoma for the period of 1 July 2010 through 30 June 2011, http://omnibus-ii-directive.com/
10 Cost saving of US President Barack Obama’s budget proposal for the 2014 fiscal year, www.whitehouse.gov/omb/overview
Frank Bezzina, Ph.D., is the deputy dean of the Faculty of Economics, Management and Accountancy at the University of Malta.
Pascal Lélé, Ph.D., is the research and development director at Riskosoft Corporation. He can be reached at pascallele@riskosoftcorp.com.
Ronald Zhao, Ph.D., is associate professor at Leon Hess Business School, Monmouth University (New Jersey, USA).
Simon Grima, Ph.D., is a lecturer of banking and finance at the University of Malta and the president of the Malta Association of Risk Management (MARM).
Robert W. Klein, Ph.D., is associate professor and director of the Center for Risk Management and Insurance Research in the J. Mack Robinson College of Business at Georgia State University (USA).
Martin Hellmich, Ph.D., is professor of financial risk management at the Frankfurt School of Finance & Management (Frankfurt, Germany).
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.