Enterprise Risk Management (ERM)

• It is important to compare risk exposures of different business lines to one another. This allows firms to prioritize risk management and understand how risk-type and business line exposures add up to their total exposure.
• Traditionally, companies followed a silo-based risk management approach and used it to manage the risk exposures of each business line separately. This method was helpful to an extent, but risks are not completely independent of one another and, hence, cannot be managed effectively by individual business units.
• Enterprise risk management (ERM) is an improvement on silo-based risk management which gives executives an integrated, enterprise-level view of risk. ERM is responsible for the management of the overall risk of the organization and accounts for them in strategic decisions. It also focuses attention on the largest threats to a firm’s survival and core functionality.
• An important feature of ERM is that it supports a consistent approach to manage risks throughout a firm, from the boardroom to the business line. This consistency can be achieved through a robust risk culture and an adherence to enterprise risk appetites and governance.
• A comparison between Enterprise Risk Management and traditional Risk Management (silo-based risk management) has been shown using this table –

Traditional Risk Management	ERM
Risk is viewed in business line, risk-type, and functional silos	Risk viewed across business lines, functions, and risk types, looking at diversification and concentration
Risk managers work in isolation	Risk team integrated using global risk management committee and chief risk officer
Incorporates many different risk metrics that cannot be compared
Risk is aggregated, if at all, within business lines and risk types. Difficulty seeing the aggregate risk picture	It is possible to measure risks more accurately and track enterprise risk. Potentially, risk is aggregated across multiple risk types.
Each risk type is managed using risk-specific transfer instruments	Possibility of cutting risk transfer costs firm-wide and integrated (e.g., multi-trigger) instruments to manage aggregate risk.
Each risk management approach is often treated separately, without optimizing the strategy.	Each risk management approach is viewed as a component of total cost of risk, measured in a single currency. Component choice is optimized as far as possible in risk/reward and cost/benefit terms expressed in that currency.
Impossible to integrate the management and transfer of risk with balance sheet management and financing strategies	Risk management is increasingly integrated with balance sheet management, capital management, and financing strategies.

Enterprise Risk Management – Advantages

• ERM has evolved to help firms manage risk efficiently, identify overlooked enterprise risks, manage risk concentrations, and understand how different risk types interact. Some important benefits of ERM for companies are –
  1. It helps firms define and adhere to enterprise risk appetites.
  2. It focuses oversight on most threatening risks.
  3. It identifies enterprise-scale risks generated at the business line level.
  4. It manages risk concentrations across the enterprise.
  5. It manages emerging enterprise risks (e.g., cyber risk, reputation risk).
  6. It supports regulatory compliance and stakeholder reassurance.
  7. It helps firms to understand risk-type correlations and cross-over risks.
  8. It optimizes risk transfer expenses in line with risk scale and total cost.
  9. It incorporates stress scenario capital costs into pricing and business decisions.
  10. It incorporates risk into business model selection and strategic decisions.

Reasons for Demand of ERM

• Sometimes, a risk that looks small at the business line level can develop into a threat to the whole enterprise. Conversely, a risk that looks threatening at a business line level might look trivial in the context of the diversified enterprise risk portfolio. Hence, an enterprise-level perspective is the best way to prioritize risks and optimize risk management. Some arguments in favor of ERM are –
  1. Recognizing potential threats
  2. Identifying concentration of risks
  3. Diversification benefits
  4. Risk retention

Reasons for Demand of ERM – Recognizing Potential Threats

• ERM is the process of –
  1. Recognizing the potential threat to the whole enterprise arising from the risky design/production decision, and
  2. Picking up on early signs that things are going wrong to reduce the leveraging effect of time.
  3. Bringing risk decisions in line with the enterprise’s stated risk appetite.
• Large risks often begin their life a long way from the board room. For example, in the case of a car manufacturing company, a poor design or sourcing decision can lead to the installation of a potentially dangerous car part. Once this part is installed in countless cars, it can threaten the enterprise and its suppliers by causing, reputational harm, loss of sales, and heavy compensation costs.
• Above example means that the risk recognition is being driven by poor target setting by senior management and ERM can help in identifying such issues.

Reasons for Demand of ERM – Identifying Risk Concentration

• Risk concentration refers to an exposure with the potential to produce losses, large enough to threaten a financial institution’s health or ability to maintain its core operations. Many kinds of risk concentrations can creep across enterprises. Some of these are –
  1. Geographical and industry concentrations – For example, a financial firm might be over-exposed to default risk in a local economy or type of industry.
  2. Product concentrations – For example, a derivative or retail product might be mispriced in multiple divisions.
  3. Supplier concentrations – For example, a firm might have too much dependency on a link in its global supply chain.
  4. Hidden concentrations – For example, an institution may lend to one firm in its corporate loan division and then create a counterparty exposure with the same firm in its derivatives division.

• Firms cannot always avoid concentrations, but ERM can help them in the recognition and management of concentration of risks according to a firm’s risk appetite.

Reasons for Demand of ERM – Diversification Benefits

• There are major diversification benefits that can only be understood at the enterprise level, particularly in terms of risk type. Acknowledging risk-type diversification reduces the aggregate risk capital a firm needs to hold. It also helps to transform “badly behaved” risk portfolios, that include many kinds of risk, into loss distributions closer to a normal bell-shaped curve. This has been illustrated in this figure.
• ERM can help firms to understand how each risk type interacts to worsen threats. For example, enhanced consumer protection in the US since the global financial crisis has created significant crossover risks between credit, legal, and reputational risk. As a result, banks are under growing pressure to make sure they are not deceiving customers or engaging in abusive acts.

Reasons for Demand of ERM – Risk Retention

• Firms retain some portion of property, liability, and other risks by using mechanisms such as self-insurance and captive insurance. Risk retention decisions are best made at the enterprise level, where the aggregate level of risk exposure can be understood.
• Firms that understand enterprise risk can translate this into dollar savings. This figure illustrates the translation. The process is most obvious in the case of insurable risks, but it is true for financial risks as well. As firms understand their true exposures (i.e., considering enterprise netting and diversification effects) they can retain the right level of exposure and target resources towards the real, enterprise-threatening risks.

Governance and Implementation of ERM

• The implementation of ERM depends on corporate governance principles. These principles define the role of the board, senior management, the risk committees, the CRO and internal auditors. These principles have been summarized in this table –

Board’s Overall Responsibilities	The board has overall responsibility for the bank, including approving and overseeing management’s implementation of the bank’s strategic objectives, governance framework and corporate culture.
Board Qualifications and Compensation	Board members should be and remain qualified, individually and collectively, for their positions. They should understand their oversight and corporate governance role and be able to exercise sound, objective judgement about the affairs of the bank.
Board’s Own Structure and Practices	The board should define appropriate governance structures and practices for its own work and put in place the means for such practices to be followed and periodically reviewed for ongoing effectiveness.
Senior Management	Under the direction and oversight of the board, senior management should carry out and manage the bank’s activities in a manner consistent with the business strategy, risk appetite, remuneration, and other policies approved by the board.
Governance of Group Structures	In a group structure, the board of the parent firm has the overall responsibility for the group and for ensuring the establishment and operation of a clear governance framework appropriate to the structure, business, and risks of the group and its entities. The board and senior management should know and understand the bank group’s organizational structure and the risks that it poses.
Risk Management Function	Banks should have an effective independent risk management function, under the direction of a chief risk officer (CRO), with sufficient stature, independence, resources, and access to the board.
Risk Identification, Monitoring, and Controlling	Risks should be identified, monitored, and controlled on an ongoing bank-wide and individual entity basis. The sophistication of the bank’s risk management and internal control infrastructure should keep pace with changes to the bank’s risk profile, the external risk landscape, and to industry practice.
Risk Communication	An effective risk governance framework requires robust communication within the bank about risk, both across the organization and through reporting to the board and senior management.
Compliance	The bank’s board of directors is responsible for overseeing the management of the bank’s compliance risk. The board should establish a compliance function and approve the bank’s policies and processes for identifying, assessing, monitoring, reporting, and advising on compliance risk.
Internal Audit	The internal audit function should provide independent assurance to the board and should support the board and senior management in promoting an effective governance process and the long-term soundness of the bank.
Compensation	The bank’s remuneration structure should support sound corporate governance and risk management.
Disclosure and Transparency	The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders, and market participants.
Role of Supervisors	Supervisors should provide guidance for and supervise corporate governance at banks, including through comprehensive evaluations and regular interaction with boards and senior management; should require improvement and remedial action as necessary; and should share information on corporate governance with other supervisors.

The Dimensions of ERM

• The dimensions of ERM are concerned with the organization of ERM on the ground and depend a lot on the size and type of firm. Five important dimensions of ERM are –
  1. Targets – These include the enterprise’s risk appetite and how it relates to its strategic goals. One goal of ERM is to set the right targets and make sure they are not in conflict with other strategic goals.
  2. Structure – The organizational structure of an ERM program includes the role of the board, the global risk committee and other risk committees, the CRO, and the corporate governance framework. The goal of ERM is to make each structure sensitive to enterprise-scale risks faced by the firm, including indirect losses.
  3. Identification & Metrics – The goal of ERM is to ensure that the firm has the right set of metrics to capture enterprise risks. ERM is useless if the firm cannot identify enterprise-scale risks and measure their severity, impact, and frequency. Key ERM metrics are enterprise-level scenario analysis and stress testing, VaR, total-cost-of-risk methodologies, risk-specific metrics, and whole-of-firm risk mapping and flagging mechanisms.
  4. ERM strategies – Firms also need to articulate specific strategies for managing enterprise-scale risks at either the enterprise level or through the business lines. This includes the fundamental decisions to avoid, mitigate, or transfer risks, along with the choice of enterprise risk transfer instruments.
  5. Culture – If targets, structure, and metrics are the bones of the ERM strategy, then culture is the flesh and blood. In short, a strong risk culture is built from a pervasive sense of common goals, practices, and behaviors.
• The table on the next page illustrates some examples of five dimensions of ERM.

ERM Dimension	Examples
Targets	Enterprise goals: Enterprise risk appetite, enterprise limit frameworks, risk-sensitive business goals and strategy formulation
Structure	How ERM is organized – Board risk oversight, global risk committee, Risk Officer; ERM subcommittee; reporting lines for ERM; reporting structures
Metrics	How enterprise risk is measured – Enterprise-level risk metrics, enterprise stress testing, aggregate risk measures, “total cost of risk” approaches, enterprise level risk mapping and flagging, choice of enterprise-level risk limit metrics
ERM Strategies	How ERM is managed – Enterprise level risk transfer strategies, enterprise risk transfer instruments, enterprise monitoring of business line management of enterprise scale risks
Culture	How things are done – “tone at the top”, accountability for key enterprise risks, openness and effective challenge, risk-aligned compensation, staff risk literacy, whistle-blowing mechanisms.

• The success of ERM depends on how these five dimensions interact with each other. For example, appointing a CRO might either lead to important improvements in enterprise stress testing or be a cynical re-badging exercise that changes nothing.
• Furthermore, many ERM programs that look well-established may not be comprehensive. For example, surveys suggest that only around half of CROs review the impact of compensation plans on a firm’s risk appetite and culture-arguably a critical ERM function.
• The true test for ERM is whether its growing adoption leads to a decrease in negative surprises and mishaps. So far, empirical research has yielded ambiguous results. Some researchers have identified positive results from adopting ERM (e.g., in terms of bank default swap spreads), while others have so far failed to find evidence of tangible benefits.
• The ambiguity in the research data probably stems from the difficulty in identifying empirical markers of successful ERM adoption and the relatively short time series available to researchers. In addition, ERM is continually evolving. For example, there has been a much greater emphasis placed on risk culture in the years since the crisis compared to earlier years.

Risk Culture

• Risk culture can be thought of as the set of goals, values, beliefs, procedures, customs, and conventions that influence how staff create, identify, manage, and think about risk within an enterprise, including implicit and explicit beliefs.
• Another well-known definition is – “risk culture can be defined as the norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risks the organization confronts and the risks it takes.” Risk culture sounds intangible, but a strong risk culture is a firm’s surest handle on ERM.
• Many supervisory reports after the global financial crisis of 2007 – 2009, showed that risk culture was a driver of risk management failure in large financial institutions. Other culture-driven scandals in the post-crisis years included the mis-selling of consumer financial products (e.g., the UK payment protection insurance scandal), the manipulation of financial markets (e.g., Libor rate manipulation), money laundering, and embargo breaches. Hence, a lot of financial institutions are now actively establishing and embedding risk culture across the organization.
• Risk culture is difficult to address because it is multilayered. This figure illustrates different layers of risk culture.

• Individuals arrive at an enterprise with their own risk mindsets that are driven by their personalities, demographics, professional standards, personal experiences, and so on. They then absorb many of the risk-related behaviors and practices of their local group (e.g., business line sales targets) and make risk decisions as part of that local social environment. This can lead to a gap between the stated targets of the organization (e.g., risk appetite and values) and behavior on the ground.
• Hence, it is not easy to improve risk culture across the whole enterprise if a firm has no way to assess its progress.
• Financial firms should be able to form a view of risk culture within their institutions and of the degree to which their risk culture helps them stick to their risk appetites. One approach is to identify what are called key risk culture indicators.
• To reduce the risk posed by systemically important financial institutions, the Financial Stability Board (FSB) has specified four key risk culture indicators:
  1. Accountability,
  2. Effective communication and challenge,
  3. Incentives,
  4. Tone from the top.

• The table on the next page builds on these indicators to offer a longer series of indicators for discussion purposes. Some of these are informal and clearly cultural (e.g., encouraging openness in risk dialogue). Others are really part of a firm’s organizational structure, but still signal a healthy environment (e.g., a whistleblower needs a way to blow the whistle).

Indicator	Trend Tracking
Leadership Tone	Does board and executive compensation support the firm’s core values? Do management’s actions support or undermine the risk message? Can the board be shown to monitor and communicate how business strategy fits with risk appetite?
Accountability and Risk Monitoring	Are there clear expectations on monitoring and accountability for key risks? Are escalation processes used?
Openness and Effective Challenge	Is there evidence that opposing views from individuals are valued? Are there regular assessments of “openness to dissent?” Is risk management given stature?
Risk-Aligned Compensation	Are compensation and performance metrics supportive of the firm’s risk appetite and desired culture?
Risk Appetite Knowledge	Do key staff members know the firm’s enterprise risk appetite? Can they answer straightforward questions about its application to business decisions?
Risk Literacy/Common Language	Do staff use a common language to describe risk and its effects? Are training programs available and attended?
Risk Information Flows	Can the firm see information flowing up and across the firm in a way that captures and highlights enterprise-scale risks? And is there a clear link to specific discussions and decisions?
Risk Stature	Do the key ERM staff have the right stature and direct communication with the Board? Who hires and fires them?
Escalation and Whistle Blowing	Do key staff members understand when and how they can escalate a suspected enterprise risk? When were escalation procedures last used? Is there a whistle-blowing mechanism and is it used?
Board Risk Priorities	Can the board name the top ten enterprise risks faced by the firm? Can it name the key industry disasters associated with these risks?
Action Against Risk Offenders	Has the firm disciplined employees who have acted against its risk appetite and ethical stance? Does the staff believe action will be taken even if a risk violation leads to a profit rather than a loss?
Risk Incident and Near Miss Responses	Can the firm show how it has identified culture issues in risk incidents and the measures taken in response?

• While firms focus more on internal culture indicators, the firm’s wider environment is also important. This has been shown in the table on the right.

External Drivers—Examples

Economic cycles (e.g., credit cycle, industry cycle)

Industry practices/guidelines

Professional standards

Regulatory standards

Country risk/corruption indices

Risk Culture – Challenges

• There are several problems standing in the way of a robust risk culture –
  1. Risk indicator or risk lever? – Indicators can sometimes be used as levers to change behavior. This can compromise the indicators which in turn compromises the risk culture. So, it becomes difficult to identify risk indicators that can be used to identify a steadily improving risk culture.
  2. Education for everyone? – Firms can and should create common enterprise languages of risk by defining risk management terms, concepts, and common procedures as well as key ERM roles (e.g., the Board, CRO, and business line leaders). But so-called education for everyone can be effective if the board can list the top ten enterprise risks and explain their relationship with the firm’s risk appetite.
  3. Time and space – Empirical evidence suggests risk culture is mainly formed in the local business lines, rather than at the enterprise level. Sometimes signs emerge from multiple business lines that something is wrong. Hence it is important that firms have mechanisms to pick up these signals or deal with it individually.
  4. Culture cycle – Robustness of an enterprise’s risk culture is tested only during times of stress. Risk cultures that look robust today may not survive real-life crises. While regulators want risk managers to carry real weight within firms to withstand this kind of buffeting, history suggests this weight lessens as memories of the last crisis fade into the past.
  5. Curse of data – In the upcoming years, firms will be able to gather massive amounts of data about risk culture from survey/focus group evidence, risk culture indicator scores, and human resources data (e.g., the number of sick days taken). They can then combine this data with a wider set of risk data to spot patterns. However, managers may need to deploy machine learning technologies to hunt down insights and warning signs in such large data sets.

Scenario Analysis

• When markets begin to behave abnormally, risk factor relationships break down to produce market movements and loss levels that seem inconceivable based on VaR calculations. This is where scenario analysis comes in. It helps firms think through the enterprise impact of abnormal events and events for which there is no historical data.
• Scenario analysis involves imagining a whole scenario, developing a coherent narrative that explains why the variables change, and assessing the effects of this on the firm’s risk portfolios. While scenario analysis may be entirely qualitative, the financial industries increasingly build sophisticated quantitative models to assess the impact of each scenario on their portfolios and businesses. Scenario analysis, along with stress and sensitivity testing, have risen to become the eminent risk identification tools for many ERM programs.
• Sensitivity testing involves changing one parameter or variable in a risk model to see how sensitive the model result is to the alteration (and thereby identifying key variables). On the other hand, stress testing includes changing one or more key variables to explore risk model results under stressful conditions.

Scenario Analysis – Advantages and Disadvantages

Advantages	Disadvantages
No need to consider risk frequency beyond “plausibility”	Difficult to gauge the probability of events; does not lead to the quantification of risk
Scenarios can take the form of transparent and intuitive narratives.	Unfolding scenarios can become complex with many choices.
Challenges firms to imagine the worst and gauge the effects	Firms may not stretch their imaginations (e.g., scenarios might underestimate the impact of an extreme loss event or omit important risk exposures).
Can allow firms to focus on their key exposures, key risk types, and the ways in which risk develops over time	Only a limited number of scenarios can be fully developed—are they the right ones?
Allows firms to identify warning signals and build contingency plans	Are they the right warnings and plans, given the scenario selection challenge?
Does not depend on historical data; can be based around either historical events or forward-looking hypothetical events	The scenarios chosen are often prompted by the last major crisis; imaginative future scenarios may be dismissed as improbable.
Firms can make scenario analysis as sophisticated or straightforward as they like, outside regulator-defined programs.	Scenario analyses vary in terms of quality and sophistication. Their credibility and assumptions can be difficult to assess.
Stress test results can influence risk appetite, risk limits, and capital adequacy.	Usefulness depends on accuracy, comprehensiveness, and the forward-looking qualities of the firm’s stress test program.

Scenario Analysis – Pre-Crisis Trends

• Scenario analysis was a significant risk management tool in banking even before the global financial crisis. Before the crisis, banks tended to pick their own short selection of historical and hypothetical scenarios from a list of events to run against their portfolios. This figure shows some examples of historical credit scenarios.

Historical Credit Scenarios—Examples

1997 – Asian crisis

1998 – Russian debt moratorium

2001 – 9/11 market effects

2007 – US subprime debt crisis

2008 – Lehman Brothers counterparty crisis

2010 – European sovereign debt crisis

• For each historical scenario, the bank used to consider two questions –
  1. Which key variables to apply to its own current portfolios?
  2. How far to pursue the narrative?

• After the crisis, it became apparent that banks often failed to consider factors such as the cumulative exposures across multiple business lines, how different risks interacted with one another, and how the behavior of market participants might change under stress. Regulators also pointed to the mildness of many of the hypothetical scenarios.

Scenario Analysis – Post-Crisis Trends

• Since the global financial crisis, regulators around the world have begun to insist that larger and systemically important banks should demonstrate their ability to withstand more severe, dynamic, and realistic scenarios. For example, regulators in the US require larger banks to apply regulator-defined macroeconomic stress scenarios, which are specified in terms of variables such as drops in GDP and employment, across their enterprise exposures.
• In the US, the Supervisory Capital Assessment Program (SCAP) was conducted in May 2009 as part of the healing process toward the end of the global financial crisis. Its results helped to reassure markets about the stability of the banking system.
• From 2011, as part of the Dodd-Frank Act, the Federal Reserve began conducting two separate annual stress test exercises –
  1. Dodd-Frank Act stress tests (DFAST) – It is conducted in the middle of the year for all banks with assets above USD 10 billion.
  2. Comprehensive Capital Analysis and Reviews (CCAR) – It is conducted at the end of the year for banks with assets above USD 50 billion.

Scenario Analysis – Post-Crisis Trends

• The Federal Reserve generates three supervisor-devised macroeconomic scenarios –
  1. Baseline – It corresponds to the consensus forecast among major bank economists,
  2. Adverse – It corresponds to a moderately declining economy, and
  3. Severely Adverse – It corresponds to severe, broad global recession/depression and an associated decline in demand for long-term fixed-income investment.

• CCAR obliges banks to project the impact of these scenarios on their income statements and balance sheets over a nine-quarter horizon, along with detailed capital plans that include –
  1. Assessments of expected sourcing and use of capital over the planning horizon,
  2. Descriptions of the firm’s process and methodology to gauge capital adequacy,
  3. Capital policy,
  4. Discussions of any expected business plan changes that are likely to materially impact capital adequacy/liquidity.
• For each scenario, banks must show that they maintain minimum capital ratios, their ability to raise capital if necessary, and their intentions in terms of dividend distribution, share buybacks, etc.
• If a bank fails to satisfy minimum capital ratios under stressed conditions, it must review the business plans of its various units and lower its risk appetite.
• It has not been easy for banks in the US to build scenario analysis programs that meet supervisor objectives. However, the exercises have driven five key ERM improvements –
  1. CCAR macroeconomic scenarios unfold over several quarters.
  2. The scenarios drive a series of interlinked factors covering a variety of risks.
  3. The risk variables are not held static. Therefore, all sorts of underlying risk factors (e.g., probability of default) and market impacts (e.g., credit spreads) need to be adjusted as the scenario unfolds.
  4. Banks can allow for their capital planning as the scenario unfolds.
  5. Imposing a standard set of scenarios on the largest banks allows regulators to see systemic effects and compare bank risk exposures.

• From a regulatory point of view, reactions to each scenario can now be assessed at an industry level to improve the stability of the financial system.

Stress Testing in Europe

• Regulators around the world, such as the European Banking Authority (EBA), have also developed their own stress testing programs. Compared to the CCAR, the EBA’s testing program is more static, less sophisticated, and allows for less latitude in terms of altering risk and business strategies as scenarios unfold. This is because the EBA applies stress tests to a wider range of banks than that of CCAR.
• However, the big improvements in European stress testing may have driven new approaches to bank supervision under the Supervisory Review and Evaluation Process (SREP). These new approaches examine the ability of banks to explore the sustainability of their business models under stress, including capital and liquidity adequacy, using industry best practices as a guide. Stress testing and scenario analysis will be key tools in this process.

Stress Testing in Europe – Future Directions

• In the years ahead, banks are likely to move away from a limited number of rather deterministic scenario tests toward a much more dynamic-stochastic approach. This approach will apply simulation techniques to explore many different scenarios playing out over time.
• Generating thousands of scenarios will allow banks to produce a full distribution of outcomes for key performance indicators (KPIs), such as credit losses, regulatory capital, etc. These simulation results could then help banks to conduct reverse stress testing and identify the full range of worst outcomes in terms of bank KPIs. Then they can find scenarios that gave rise to these worst-case tail risks and how the shocks turned into losses.
• Many banks around the world continue to regard stress testing as a regulatory compliance function. However, a new generation of stress testing technologies offers advantages beyond compliance. Specifically, banks can use the results to –
  1. Specify their risk appetites and limit frameworks,
  2. Perform a “reasonableness check” on business and capital planning,
  3. Develop early warning signals,
  4. Put in place contingencies to manage credit, funding, and liquidity shocks.

ERM and Strategic Decisions

• Enterprise risk managers need to be involved in strategy formulation. The banking industry is full of examples where business strategies (e.g., increased lending volume through lowered standards) did not take ERM into account. But the latest industry thinking is encouraging firms to apply ERM to forge a stronger link between risk and reward in corporate planning and strategy.
• The latest stochastic stress testing techniques offer a practical tool to identify ERM implications due to certain strategies. For example, a bank can explore the risk effects of growing a portfolio of lending to a given industry sector. The bank could then learn if the plan helps to diversify its risk and absorb shocks or adds to risk concentrations and/or increases dependence on a key macroeconomic driver.
• Scenario simulation technology offers a potentially easier way to explore positive scenarios. For example, in a simulation, a bank may find that it would benefit from a decline in oil prices because it had previously reduced lending to oil producers in favor of manufacturers who benefit from lower oil costs.
• Banks, and all kinds of firms, need to assess strategic risks arising from changes in factors such as technology, social behavior, and new kinds of competition. These kinds of strategic risks are very challenging because, by definition, they do not have historical parallels.
• However, new approaches to scenario building could help. For example, they can offer firms a way to model the impact of strategic shocks across the corporate balance sheet and offer better ways to turn expert judgments into a rigorous scenario selection process.