
Risk management in finance six sigma and other next generation techniques (wiley finance)


Risk Management

in Finance

Six Sigma and Other Next-Generation Techniques

ANTHONY TARANTINO DEBORAH CERNAUSKAS

John Wiley & Sons, Inc.


Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia, and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.

The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation, and financial instrument analysis, as well as much more.

For a list of available titles, please visit our Web site at www.WileyFinance.com.


Copyright © 2009 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

2008052035

Printed in the United States of America


To Winkey, Peapod, and SanSan

—A.T.

To Mom for her continued support

—D.C.

CONTENTS

CHAPTER 2 Data Governance in Financial Risk Management

Conclusion: Next-Generation Techniques to Reduce Data

CHAPTER 3 Information Risk and Data Quality Management

Data Quality Inspection, Control, and Oversight: Operational

CHAPTER 4 Total Quality Management Using Lean Six Sigma

CHAPTER 6 An Operational Risk Management Framework for All Organizations

CHAPTER 7 Financial Risk Management in Asia

CHAPTER 8 Doing Business in Latin America: Lessons Learned and Best Practices for the Protection of Foreign Investors

CHAPTER 9 Mitigating Risk Exposure in Transitioning to the IFRS

CHAPTER 10 Quantitative Operational Risk Management Methods

Six Sigma Approach to Quality and Process Control: Failure

CHAPTER 11 Statistical Process Control Integrated with Engineering Process Control

A Next-Generation Technique to Improve Financial Risk Management

CHAPTER 13 Bayesian Networks for Root Cause Analysis

CHAPTER 14 Analytics: Secrets to Deriving Business Value and Insights

CHAPTER 15 Embedded Predictive Analytics: Transforming Risk Management from Review Function to Competitive Advantage

CHAPTER 16 Reducing the Financial Risks in Litigation and Legal Discovery

The Sedona Conference and the New Rules of Civil Procedure

U.S. Rulings Impacting Businesses Outside the United States

CHAPTER 17

CHAPTER 18 Reducing Liability Risk through Best Environmental Practices

Environmental Risks: Risks and the Securities and Exchange

Impact of Industrial Environmental Management on Firms

CHAPTER 19 Beyond Segregation of Duties: Next-Generation Techniques in Evaluating User Access Control Risks

The Next Generation of Segregation of Duties: User Access Controls

Current State and Future Direction of Risk Advisory and Audit Firms

Current State and Future Direction of ERP Software Vendors

CHAPTER 20 Transaction-Based Cross-Enterprise Risk Management

CHAPTER 21 Throughput Accounting

Analyzing Products Based on Throughput per Constraint Unit

CHAPTER 22 Environmental Consistency Confidence: Scientific Method in Financial

Predictive Key Risk Indicators for Losses and Incidents

CHAPTER 23 Quality in the Front Office: Reducing Process Variation

CHAPTER 24 The Root Cause of the Global Financial Crisis and Corporate Board Reforms to Prevent Future Failures in Risk Management

The Root Cause of Catastrophic Failure in Financial Risk

PREFACE

to mitigate his risk and build the ark. We can imagine that conventional wisdom of the time condemned Noah for such a foolish waste of time and money and that community and media reaction would have been very negative as well.

Noah’s risk mitigation proved to be quite timely as conventional wisdom and traditional risk management failed in a catastrophic manner. Noah survived the great flood and began rebuilding civilization after the waters of the great flood receded.

Some time later, Toyota, a Japanese car manufacturer, decided to build a hybrid car to mitigate the risk of rising fuel prices and need to curtail greenhouse gases. As with Noah, there was no valid business case or accepted risk model to justify such a foolish waste of time and money. Conventional wisdom of the time was that large gas-guzzling vehicles were the safe choice. They were all the rage and generated very high returns. Fuel-efficient cars were much less profitable and lacked the status and prestige of larger and more muscular vehicles. As with Noah, we can imagine industry leaders making fun of such a wimpy car that would appeal only to a small number of tree-hugging environmentalists on the American West Coast.

Again, conventional wisdom and traditional risk management failed in a catastrophic manner. The energy crisis and push for green energy made the little hybrid car a huge success and helped propel Toyota into a leadership position as the most profitable and best-capitalized manufacturer in the industry. Conversely, their American competitors are now on the verge of bankruptcy and capitalized below their World War II levels.

A few years ago, Wells Fargo decided that the risk inherent in the subprime mortgage market was unacceptable, and minimized their exposure. Again, the conventional wisdom and accepted quantitative and qualitative risk models argued against their conservatism. Profit margins for subprime mortgages, mortgage-backed securities, and credit default swaps were much higher than the more traditional vehicles and instruments offered by banks. Government regulators, rating agencies, and business media all promoted the subprime market, either directly or indirectly. This created shareholder pressures to jump into this very lucrative market. As with Noah and Toyota, media and public reaction was negative to Wells Fargo’s conservative approach to risk mitigation. As with Noah and Toyota, we can imagine industry leaders making fun of a bank with a stagecoach as a corporate symbol—too sentimental and old fashioned to grasp the huge profit potentials in subprime.

Once again, conventional wisdom and traditional risk management failed in a catastrophic manner. Wells Fargo not only survived the global crisis, but substantially expanded its market position. Those who embraced subprime and its related products have been forced out of business or critically wounded. Their subprime activities have brought about the greatest financial crisis since the Great Depression of the 1930s. Unlike Toyota, their failures in risk management negatively impacted the global economy.

Our three parables demonstrate that risk management is never as easy or predictable as conventional wisdom would lead one to believe. Each catastrophic failure in risk management brings greater focus on the need for more innovative and effective techniques for risk management. Unfortunately, memories are short, and new opportunities continue to arise and overwhelm sound risk management.

Financial risk management is especially challenging. Today’s financial products and markets are too complex and opaque for the regulatory structures, audit practices, rating agencies, and risk management in place to oversee and control them. Business and accounting schools struggle to keep pace in their curricula with such a dynamic market. Government regulatory structures, designed in the Great Depression, were particularly ineffective in grasping the danger that very complex and highly leveraged financial products presented not just to the banking industry but to all of society. Rating agencies never predicted the collapse of firms, even when the evidence became obvious. Auditors who focused on tactical internal controls regulated under the Sarbanes-Oxley Act failed to grasp the systemic risks that financial services faced.

Noah, Toyota, and Wells Fargo share some important characteristics. All three defied conventional wisdom and public pressure to pursue major opportunities—for an immoral lifestyle during Noah’s time, for big gas-guzzling cars during Toyota’s time, and for subprime mortgages during Wells Fargo’s time. All three did the morally and ethically correct thing: Noah led a righteous life, Toyota helped to fight greenhouse gases, and Wells Fargo declined to market loans that eventually cost millions of borrowers their homes. Each also utilized risk management in a unique manner as compared to their peers that provided a strategic competitive advantage. Staying alive in the case of Noah and prospering economically in the case of Toyota and Wells Fargo.

Financial risk management applies a systematic and logical approach to uncertainties in operations, reputations, credit, and markets. Without risk management, an organization would simply rely on luck to avoid disasters. Financial risk management as a discipline has progressed since the pivotal year of 1921, when Frank Knight published his Risk, Uncertainty and Profit and John Maynard Keynes published his A Treatise on Probability. Knight pioneered the notion that uncertainty, which cannot be measured, is different from risk, which is measurable. Keynes pioneered the mathematical and philosophical foundations to risk management. Keynes argued for a greater reliance on perception and judgment when considering probabilities and warned of an overreliance on numbers.1,2,3

In 1956, Russell Gallagher published his “Risk Management: A New Phase of Cost Control,” in the Harvard Business Review. As an insurance executive, he argued that a professional insurance manager should also be a risk manager. Because of the nature of its business, the insurance industry was the first to embrace professional risk management with its concern for avoiding unaffordable potential losses. This


In the 1990s, the United Kingdom’s Cadbury and Turnbull committees issued reports advocating that corporate boards take responsibility for setting risk management policies, for assuring that the organization understands all its risks, and for accepting oversight for the entire process. It was also in the 1990s that the title chief risk officer (CRO) was first used by GE Capital to describe a manager who is responsible for the totality of risk exposure to an organization. Chief risk officers and risk managers are now commonplace in the financial services industry and spreading into other industries.

The global financial crisis of 2007–2008 begs the question, with all the progress in risk management, why were the world’s leading financial services firms, their regulators, their auditors, and their rating agencies so wrong in their assessment of the inherent risks in the subprime mortgage market? These organizations possessed the most sophisticated risk management processes and technologies in the hands of the best-educated and trained risk managers. We believe that part of the reason was that they have not deployed the next-generation techniques we provide here. These techniques could have helped to reduce the pain of the current crisis, and provide risk, business, and IT managers with tools and solutions to substantially improve their risk mitigation. There have always been leaders such as Noah, Toyota, and Wells Fargo, who innovated in their risk management. Hopefully, our suggestions and recommendations will help your organization become innovators as well. As the current global crisis and our three parables demonstrate, this can mean much more than providing a strategic advantage. It can mean the survival of an organization.

The problem with risk management can be summarized in the teachings of the legendary Samurai master swordsman Miyamoto Musashi, in his Book of the Five Rings. Musashi won over 30 duels and warned to never take too hard a focus on the point of your opponent’s sword. While this would seem to be the obvious point of attack and the greatest risk, the attack always comes from some other point. Therefore, a swordsman must maintain a soft focus to look at the entire field of view. Risk is like this. The biggest threats never come from the most visible point of attack. This was true for Noah’s neighbors, Toyota’s fellow carmakers, and Wells Fargo’s fellow banks.

This is my third book for John Wiley & Sons targeting governance, risk, and compliance. The three books are written as a series and designed to complement each other:

overviews of best practice frameworks, governance, and audit standards

regions, and industries in the world as to their corporate, environmental, and information technology (IT) governance, regulatory compliance, and operational risk management

focuses exclusively on next-generation techniques to improve operational risk management

Your comments and suggestions are always welcome. E-mail me at agtarantino@hotmail.com, or at my web site, AnthonyTarantino.com.


We also wish to acknowledge the support and encouragement of our Wiley colleagues and friends: Tim Burgard, our senior editor; Helen Cho, our editorial coordinator; and Stacey Rivera, our development editor.


About the Contributors

Brian Barnier is a leader at IBM on IT risk and return performance. In this role, he helps the IBM CIO organization and external clients improve alignment between business strategy and model, IT goals and objectives, and business outcomes through a more risk-aware approach to IT investment priorities. He has been an adjunct professor in operations management and finance, serves on several industry standards and practices bodies, teaches continuing professional education sessions, and writes. He coholds the copyright on the Value Added Diamond business performance model and led teams to seven U.S. patents. For more information, you can contact him at bbarnier@us.ibm.com.

Ying Chen, Ph.D., is a master inventor, research staff member, and manager in IBM Almaden Services Research. Ying received her Ph.D. from the Computer Science Department at the University of Illinois at Urbana-Champaign in 1998. She has over 10 years of industry experience in an established IBM research center and a storage start-up company. Her research interests are primarily in information analytics and service-oriented architecture. She also has extensive backgrounds in storage systems, parallel and distributed computing, databases, performance evaluation, and modeling. Ying is currently leading a global research team to develop and deliver successful information analytics solutions and platforms, such as Business Insights Workbench (BIW), which resulted in multimillion-dollar business impact in IBM.

Jill Eicher is a managing director of Adaptive Alpha LLC, a Chicago-based innovator in quantitative analytics arming institutional investors with tools to uncover and profit from dynamic risk opportunities. A seasoned chief operating officer, Ms. Eicher’s 25-year career in the investment industry has focused on managing investment businesses competitively by optimizing risk/reward decision making and execution. Her patented risk methodology serves as the foundation of the company’s research-and-development platform.

Pedro Fabiano is currently senior vice president at MDB International in Alexandria, Virginia. He is responsible for fraud investigations and prevention, fraud risk consulting, compliance, and related training activities, particularly as they pertain to U.S. companies with interests in Latin America. Mr. Fabiano has more than 15 years of international experience in overseeing governance, compliance, and risk-related matters for U.S. entities in Latin America. Mr. Fabiano is a Regent Emeritus and Fellow of the Association of Certified Fraud Examiners (ACFE). He has authored the “International Bribery” course published by the ACFE, which is used to train professionals around the world.

Allan D. Grody has had hands-on experience in multiple sectors of the financial industry and has been consulting domestically and internationally on issues related to financial institutions’ global strategies, restructuring and acquisition needs, capital and contract market structures, information systems, communications networking, and risk management methods and systems.

As an entrepreneur, he founded his current firm, Financial InterGroup, over two decades ago. Financial InterGroup Advisors is a strategy and acquisition consultancy, advising financial enterprises and their technology suppliers. Financial InterGroup Holdings is a financial industry development company that created six start-ups and formed joint ventures with exchanges and clearinghouses and global technology companies.

He is the author or coauthor of many papers and articles on risk management. He has represented firms in regulatory and trading matters before the Securities and Exchange Commission (SEC); has counseled with trade associations, exchanges, and technology companies; and was an expert witness in a number of financial industry trading patent cases and investment company shareholder suits. He was a member of the board of directors of the technology committee of the Futures Industry Association; an executive committee member of the Emerging Business Council of the Information Industry Association; an executive board member of the Vietnamese Capital Markets Committee and, for nearly a decade, an advisory board member to the London Stock Exchange’s Computers in the City Conference. He is currently an editorial board member of the Journal of Risk Management in Financial Institutions.

Praveen Gupta, a management consultant, has authored several books, including Business Innovation in the 21st Century, Stat Free Six Sigma, The Six Sigma Performance Handbook, and Service Scorecard. He is the editor-in-chief of the International Journal of Innovation Science, and writes a monthly column, “Manufacturing Excellence,” in Quality Magazine. He frequently speaks at conferences internationally. Praveen has been recognized as a thought leader in areas of excellence and innovation and has developed the Six Sigma Scorecard, the 4P model of excellence, Breakthrough innovation, and Stat Free Six Sigma methods that have been translated around the world. Praveen, the founding president of Accelper Consulting (www.accelper.com), has worked at Motorola and AT&T Bell Laboratories, and consulted with about 100 small to large-sized companies including CNA and Abbott Labs. Praveen has taught operations management at DePaul University and business innovation at the Illinois Institute of Technology, Chicago. He has conducted seminars worldwide for over 20 years. Accelper Consulting provides training and consulting services in the area of innovation, Six Sigma, and business performance for achieving sustained profitable growth.

Jeffrey T. Hare is a respected expert on internal controls and security for ERP systems. His background includes public accounting (including Big 4 experience), industry, and Oracle Applications consulting. Jeff has been working in the Oracle Applications space since 1998. His focus is solely on the development of internal controls and security best practices for companies running Oracle Applications. Jeff is a certified public accountant (CPA), a certified information systems auditor (CISA), and a certified internal auditor (CIA). Jeff has worked in various countries, including Australia, Canada, Mexico, Brazil, the United Kingdom, and Germany. Jeff is a graduate of Arizona State University and lives in northern Colorado with his wife and three daughters. You can reach him at jhare@erpseminars.com or (602) 769-9049.


Peter J. Hughes is a chartered accountant; a former country/area executive with JPMorgan Chase; managing director/cofounder of ARC Best Practices Limited, established in 2002; and a principal of the Financial InterGroup Companies. Mr. Hughes accumulated vast experience and knowledge of banks and banking through his 26-year career with JPMorgan Chase, which he has since put to very good use in his career as an independent consultant and adviser. At JPMorgan Chase he was the Central European deputy regional audit manager in their Frankfurt office, South American regional audit manager in their Rio de Janeiro office, country operations executive (Brazil), country senior financial officer (Brazil), country chief administrative officer (Germany), country head of treasury and trading (Germany), head of Europe finance shared services and head of risk management–global shared technology and operations. He was a member of the board of Banco Chase Manhattan SA, Brazil; member of the board (Aufsichtsrat) of Chase Leasing & Co KG, Germany; and the Chase Manhattan Bank NA, Frankfurt branch manager.

As an independent consultant, Mr. Hughes has advised a number of leading banks, global IT companies and consulting firms, trade associations, and banking institutes. While at JPMorgan Chase, Mr. Hughes pioneered the concept of using business process information and transaction data as a basis for measuring exposure to cross-enterprise risks and the effectiveness of risk mitigation systems. He subsequently collaborated with Allan D. Grody in research and advisory projects involving some of the globe’s leading IT and consulting firms, with particular emphasis on risk measurement and management systems and Basel II.

Mr. Hughes is the author/coauthor of a number of academic papers, including “The Direct Measurement of Exposure and Risk in Bank Operations” published in the Journal of Risk Management in Financial Institutions and, with Allan D. Grody and Dr. Robert M. Mark, “Operational Risk, Data Management, and Economic Capital” published in the Journal of Financial Transformation, Cass-Capco Institute Paper Series on Risk. He was also featured in the industry best-selling book Operational Risk—Practical Approaches to Implementation, published by Incisive Media. For many years he represented JPMorgan Chase on the British Bankers’ Association’s Op Risk Advisory Panel. He is a regular speaker at conferences and presents training courses and workshops on risk and performance measurement systems and Basel II.

Nasrin R. Khalili, Ph.D., is an associate professor of Environmental Management at Illinois Institute of Technology, Stuart School of Business in Chicago. Dr. Khalili’s research interest is in the areas of industrial pollution control, waste minimization, energy management, and environmental management system (EMS) design. She holds two patents and is the author of more than 35 referee articles and conference proceedings.

Dr. Khalili has extensive experience in working with industry on a wide range of pollution prevention, pollution control, waste minimization, and energy management projects. Since 1995, she has been collaborating in both research and education in the areas of environmental management with national and international universities such as RPI; NIU; UIC; School of Mining and Metallurgy in Krakow, Poland; Tecnológico de Monterrey, in Monterrey, Mexico; and the Foundation for Research and Technology in Environmental Management (FRTEM) in New Delhi, India.

Andrew Kumiega, Ph.D., has spent over 20 years automating processes, including CNC machining, chemical manufacturing, confectionary, pharmaceutical manufacturing, and financial trading systems in industry as an industrial engineer. He has held various senior-level positions at financial institutions, including director of research at TD Waterhouse Securities Options; head of financial engineering at TFM Investments, LLC, and director of financial engineering at Market Liquidity Networks (all major options market makers); and vice president of quantitative research at Calamos Asset Management. Currently, he is employed at a proprietary trading firm. He is an adjunct professor at the Illinois Institute of Technology. He is a member of the American Society of Quality Control, a certified quality engineer, a certified quality auditor, and a certified software quality engineer. He is also a founding member of the market technology committee of the Certified Trading System Developer (CTSD) program at i4MT.

David Loshin is president of Knowledge Integrity, Inc. (www.knowledge-integrity.com), recognized worldwide as a thought leader in the areas of data quality, master data management, data governance, and business intelligence. David has contributed to many data management industry publications, including Intelligent Enterprise, DM Review, and The Data Administration Newsletter (www.tdan.com), and he currently is a channel expert at www.b-eye-network.com.

David’s book Business Intelligence: The Savvy Manager’s Guide (June 2003) has been hailed as a resource allowing readers to “gain an understanding of business intelligence, business management disciplines, data warehousing, and how all of the pieces work together.” David’s most recent book, Master Data Management (MK/OMG Press), has garnered endorsements from leaders across the data management industry, and his valuable MDM insights can be reviewed at www.mdmbook.com.

Michael Mainelli, Ph.D., FCCA FSI, originally undertook aerospace and computing research, followed by seven years as a partner in a large international accountancy practice, before a spell as corporate development director of Europe’s largest R&D organization, the United Kingdom’s Defence Evaluation and Research Agency, and becoming a director of Z/Yen (Michael Mainelli@zyen.com). Z/Yen is the city of London’s leading think tank, founded in 1994 in order to promote societal advance through better finance and technology. Z/Yen asks, solves, and acts globally on strategy, finance, systems, marketing and intelligence projects in a wide variety of fields (www.zyen.com), such as developing an award-winning risk/reward prediction engine, helping a global charity win a good governance award, or benchmarking transaction costs across global investment banks.

Z/Yen’s humorous risk/reward management novel, Clean Business Cuisine: Now and Z/Yen, was published in 2000; it was a Sunday Times Book of the Week. Accountancy Age described it as “surprisingly funny considering it is written by a couple of accountants.” Michael is Mercers’ School Memorial Professor of Commerce at Gresham College.

Richard Marti, CISSP, CISA, QSA, is a principal at Computer Science Corporation (CSC) where he is building a Center of Excellence for Oracle GRC solutions. He is a subject matter expert for governance, risk, and compliance (GRC) solutions and has led multiple Sarbanes-Oxley (SOX), audit operations, IT governance, IT security, and compliance automation projects. He has been featured as a guest speaker on business and IT governance issues and has published papers on the Control Objectives for Information and related Technology (COBIT)/Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, business continuity planning, and SOX compliance. He is a contributor to two John Wiley & Sons texts by Anthony Tarantino: Manager’s Guide to Compliance (March 2006) and The Governance, Risk, and Compliance Handbook (March 2008).

Bruce Rawlings is currently an independent consultant with trading and banking clients across the United States, with clients such as Mesirow, Advanced Strategies, and UBS Global Asset Management. He is an expert in Bayesian time series analysis with over 30 years in statistical modeling. Mr. Rawlings teaches graduate courses in econometrics, time series, quantitative investment strategies, interest rate modeling, and Bayesian econometrics at the Illinois Institute of Technology.

Claudio Schuster, CPA, CFE, and master in finance, has more than 25 years of experience in corporate finance and the financial markets in general. He also holds a management degree in energy from the University of Oxford. Claudio is a former VP at Citibank NA, Corporate Audit Division, and a chief financial officer at a major natural gas utility company in Argentina. During the Argentina debt crisis in 2001, Claudio was actively involved in the debt restructuring process. Presently, Claudio is the owner of The Financial People, a financial consultant firm, oriented to corporate finance and foreign exchange markets.

Brett Trusko, Ph.D., is a world-renowned Six Sigma Master Black Belt who has until recently led the process quality group for a major international consulting firm. His current position is as a quality researcher at the Medical College at Mayo Clinic. He is the author of hundreds of articles on quality and, as a futurist, has recently published a book, Improving Healthcare Quality and Cost with Six Sigma. He speaks and lectures globally on Six Sigma and his new approach, Dynamic Six Sigma. He has degrees in biology, accounting, and new product development, and a Ph.D. in information technology management.

Ben Van Vliet is a lecturer at the Illinois Institute of Technology’s (IIT) Stuart School of Business, where he also serves as the associate director of the MS Financial Markets program. At IIT he teaches courses in quantitative finance, C++, and .NET programming, and automated trading system design and development. He is vice chairman of the Institute for Market Technology, where he chairs the advisory board for the Certified Trading System Developer (CTSD) program. He also serves as series editor of the Financial Markets Technology series for Elsevier/Academic Press. Mr. Van Vliet consults extensively in the financial markets industry, primarily on topics related to the mathematics, technology, and management of trading systems. He is the author of four books on trading/investment: Quality Money Management with Andrew Kumiega, Modeling Financial Markets with Robert Hendry, Building

published several articles in the areas of finance and technology, and presented at several academic and professional conferences.

Chris Zephro is a director of finance for Seagate Technology, the largest manufacturer of hard disc drives. His extensive experience in Theory of Constraints includes implementation and training on the use of the TOC Thinking Process, Constraint Exploitation using the Five Focusing Steps, and profit maximization leveraging throughput accounting. Chris has 15 years of experience in the field of supply chain management, operations, and finance; holds an MBA from the University of Tennessee; and has been practicing Theory of Constraints for over 12 years. He can be contacted at czephro@hotmail.com.


CHAPTER 1

Introduction

Anthony Tarantino, Ph.D., and Deborah Cernauskas, Ph.D.

Financial market turmoil is not a new phenomenon. From the tulip mania of the 1630s to the housing price bubble of the 2000s, the financial markets have been regularly subjected to periods of irrational behavior by investors and company management. The turmoil has not been confined to one country or geography and has been driven by various factors, including greed. Each period of turmoil creates many economic casualties, including lost jobs, corporate bankruptcies, and destroyed economic wealth.

Notwithstanding government regulations and oversight, financial turmoil and asset bubbles will continue to develop. The onus rightly lies with corporate executives and their boards of directors to act in the best interest of shareholders. Internal corporate oversight includes actively managing the risk-reward trade-off offered to shareholders. Corporate risk can take on many forms, including market, credit, and operational. The successful management and control of internal processes will increase the value of the firm by reducing operational losses and providing a competitive advantage. The focus of this book is on corporate management of internal processes generally classified as operational risk.

Operational risk is typically viewed as a risk arising from the execution of an organization’s business functions. It has become a very broad concept, including risks from fraud, legal, physical, and environmental areas. Operational risk became a catch-all concept in financial institutions for any risk not credit or market related. Basel II is the capital accord developed for the banking industry by the Bank for International Settlements (BIS). Basel II defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. Basel II has also created a classification for operational risk that is applicable to all industries. Basel II describes seven categories of operational risk:

1. Internal Fraud—misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
2. External Fraud—theft of information, hacking damage, third-party theft, and forgery
3. Employment Practices and Workplace Safety—discrimination, workers’ compensation, employee health and safety
4. Clients, Products, and Business Practice—market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning
5. Damage to Physical Assets—natural disasters, terrorism, vandalism
6. Business Disruption and Systems Failures—utility disruptions, software failures, hardware failures
7. Execution, Delivery, and Process Management—data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

In the past, high profit margins have characterized the financial services and banking industries. With the advent of commoditized Internet trading and banking services, the high profit margins are disappearing. The control of costs and risks are a high priority in a low-profit-margin environment.

Manufacturing firms have successfully dealt with quality control issues for many decades. Although the beginning of statistical process control is often accredited to Walter Shewhart who developed the control chart in 1924, the acceptance and use of process control did not occur until World War II, when wartime needs attached a high premium to product quality. After World War II, Japanese manufacturing went through a quality revolution. The quality focus shifted from product inspection to total process improvement. All organizational processes were subjected to quality improvements. The total quality initiative transformed Japanese manufacturing from a low-cost–low-quality producer to a low-cost–high-quality producer. By the end of the 1970s, Japan was the leading manufacturer of autos and electronics. The Toyota Production System, developed by Taiichi Ohno, became the basis of all subsequent just-in-time process improvements, which strive for the elimination of all waste. The United States responded to the Japanese total quality initiative with programs such as ISO 9000, Total Quality Management (TQM), Lean Manufacturing, and Six Sigma.

Over the past 40 years, statistical process control has been commonly implemented in the manufacturing, health care, and automotive industries through programs such as Six Sigma, and Lean Six Sigma. Six Sigma helps companies improve product quality and reduce waste by producing products and services better, cheaper, and faster.

The global financial crisis of 2007–2009 is only the latest example of economic turmoil caused by failures in financial risk management. The full extent of the economic, political, and human damage from the current crisis will not be known for some time, but it will dwarf the losses from Enron in the 1990s, the U.S. savings-and-loan crisis in the 1980s, and the Japanese banking crisis that occurred two decades ago.¹ The irony of the current crisis is that it occurred in an industry with the most sophisticated risk management systems and technologies and under very close government oversight. The current crisis is especially troubling in that risk management failed on multiple levels. At the most sophisticated level, quantitative and qualitative modeling gave few warnings of the huge risks inherent in leveraging capital at 30 to 1 and in assuming that real estate values would never decline. At the most simple level, common sense failed among investors, corporate executives and boards, rating agencies, and government regulators. Common sense should have warned that real estate values were growing at unsustainable rates, that middle-class folks were assuming far too much debt, and that making zero-down loans without verifying creditworthiness violated the most basic of banking practices.

Because of the depth and global reach of the current crisis, risk management is now an area of intense scrutiny far beyond corporate executives and government regulators. The demands for greater oversight and more robust risk management are nearly universal. The pendulum has swung away from a laissez faire mentality with minimal market oversight to one in which regulators and stakeholders (investors, customers, suppliers, and community) will demand much tighter regulation. Unfortunately, greater regulation will fail unless coupled with much enhanced financial risk management. Regulators and corporate executives typically have a financial background but often lack financial risk management expertise. One could argue that the current crisis was the result of risk transparency failures, and not financial transparency failures. Increased risk transparency would help expose the dysfunctional nature of many operational risk management regimes.

We begin with a survey of some of the foundations to financial risk management:

• Data Governance in Financial Risk Management
• Information Risk and Data Quality Control
• Total Quality Management
• Information Technology Risk
• Operational Risk Fundamentals
• Risk Management in Asia
• Risk Management in Latin America
• Risks in Migrating to the International Financial Reporting Standards (IFRS)
• Quantitative Operational Risk Methods

We follow with next-generation best practices to improve financial risk management:

• Statistical Process Control Integrated with Engineering Process Control
• Business Process Management Integrated with Lean Six Sigma
• Bayesian Networks for Root Cause Analysis
• Information Analytics
• Embedded Predictive Analytics
• Reducing Risk in Litigation and Legal Discovery
• The Circle of Trust
• Reducing Risk with Environmental Best Practices
• Next-Generation Techniques in Segregation of Duties
• Transaction Based Cross-Enterprise Risk Management
• Throughput Accounting
• Environmental Consistency Confidence
• Quality in the Front Office—Reducing Process Variation in Trading Firms
• Root Cause of the Global Financial Crisis and Corporate Governance Reforms to Prevent the Next Failure in Risk Management


WHY READ THIS BOOK?

The goal of this book is to aid financial professionals in implementing quality assurance systems for financial processes that will in turn enable data-driven decision making. The catastrophic failures of risk management behind the global financial crisis demonstrate the criticality of improving the quality and risk management processes in financial services.

The stakes are extremely high—the laggards are doomed to continue to suffer through enterprise-threatening risk failures. The leaders will never be free of risk failures, but will substantially increase their ability to successfully balance risk and reward opportunities.

NOTE

1. Carrick Mollenkamp and Mark Whitehouse, “Banks Fear a Deepening of Turmoil,” Wall Street Journal, March 17, 2008, pp. 1, 12.

CHAPTER 2

Data Governance in Financial Risk Management

Let’s start with a definition of governance and data governance. Governance is the act of governing or exercising authority over those who are governed by persons and organizations who are part of a body that has the responsibility for administering something. Data governance is simply the governance of the people, process, and technology applied to data used by an organization to ensure its definition, validity, consistency, quality, timeliness, and availability to the appropriate owners and users of the data. For our purposes, “data is any information captured within a computerized system, which can be represented in graphical, text or speech form.”¹

Complicating data governance is the issue of paper documents. In today’s organizations, it is rare for paper documents not to originate in some sort of electronic or digital format. This is becoming a major issue in litigation and regulatory audits. Litigants, regulators, and auditors are less and less willing to accept paper documents without electronic metadata references as to ownership, access and change controls, time stamps, and so on. The reason is simple: it is very easy to fake a paper document. So, by extension, data governance is not just over digital data, but all data—paper and electronic.

Data governance is not the same as data management. Data management is a subcomponent of data governance and includes the management of data and metadata access points. Documents and records management, often referred to as enterprise content management (ECM), can be seen as a subset of data governance as well and includes the technologies used to capture, manage, store, preserve, and deliver content and documents related to organizational processes.² ECM is typically a process to control unstructured data, while data governance controls all types of data—structured, semistructured, unstructured, metadata, registries, ontologies, and taxonomies.³

Unstructured data creates headaches for most all organizations in achieving data governance. Even its definition is debatable. Unstructured data is typically said to be data that is not readily readable by computers, such as e-mails, instant messages, word processor documents, audio, and video. It typically represents the great majority of all data in any organization, and the trend is accelerating with the growth of instant messages and e-mails. Data with some type of structure may also be classified as unstructured if its structure does not support the needed processing task. For instance, while an HTML (hypertext markup language) web page is tagged, the tag is to support its format and not its meaning.⁴

And why is data governance so critical in financial risk management? Simply put, data and its management are key in all organizations. Without very robust controls over data, an organization is exposed to high levels of financial risk. Today’s financial institutions, including banks, excel when they move the right data at the right time to the right users of data. Nonfinancial institutions also rely on robust data governance to prosper. Health care enterprises worry about patient data and maintaining its privacy. Pharmaceutical enterprises worry about documenting their compliance with complex regulations. Manufacturing and distribution companies worry about inventory and bills-of-material accuracy, retailers worry about capturing point of sales in real time. All firms worry about consolidating financial information to their general ledgers and to support period-end closes and audits.

The importance of data governance is not a new concept. Dating back to 1500 B.C., the Phoenicians built an empire based on trade and commerce. This required a system of mass communication for accurate record keeping and streamlined communication. It began as a cuneiform system of characters developed in Mesopotamia and evolved into the world’s first alphabet, needed for more accurate and mobile record keeping. Registry filing systems date back to ancient Rome, survive today in many parts of the world, and represent a best practice in early record-keeping systems. Officials maintained commentarii, or private notes, which they consolidated daily into court journals, or commentarii diarni. These journal entries were maintained for all inbound and outbound types of documents, including court rulings, litigations, and contract transactions.⁵ The Phoenicians, Romans, and other ancients well understood the criticality of data governance and the major risks when data governance failed. The proof can be found in the amazingly detailed records that have survived for the most minor of commercial, government, and military activities and transactions. The main difference is the huge amounts and many types of data that must be maintained in real time today.

DATA GOVERNANCE CENTER OF EXCELLENCE

An essential first step in achieving data governance (DG) is to create a center of excellence (CoE) around it. Some have called for a data governance council as a central focal point of DG activity, but a DG CoE takes this beyond a bureaucratic organization that merely coordinates activities to a group that owns and communicates the organization’s vision of DG. Without a CoE, an organization may have a different vision for each of its lines of business, regions, and/or information technology (IT) environments. A DG CoE should be involved with the following activities:

• It fully understands the organization’s current state of DG. This includes periodic surveys of all lines of business, locations, and IT environments.
• It develops a desired DG end state based on the desires and business requirements of all the organization’s DG stakeholders. The desired end state is approved by the organization’s executive management, external auditors, and applicable regulatory agencies. Once approved, the desired end state is communicated to the entire organization and its stakeholders.
• It coordinates periodic DG assessments, which include a current state, desired end state, gap analysis, and cost-benefit analysis. This is more fully described in the next section.
• It reviews, coordinates, and approves all enterprise-wide DG guidelines, policies, procedures, audit procedures, risk-control matrices, and workflows. This is not to say that they usurp local controls, only that they provide oversight that captures the organization’s DG vision.
• It strives to eliminate disparate DG practices and move the organization to enterprise-wide practices based on industry-accepted best practice frameworks.

The DG CoE should include representatives of each line of business, IT, legal, and internal audit. It need not be a large organization and can include only a small dedicated staff that could look something like Exhibit 2.1 in its initial phases.

EXHIBIT 2.1 Data Governance Center of Excellence Organization Chart (boxes: DG CoE Director; DG CoE Training & Documentation Coordinator; DG CoE Solution Architect; DG CoE Black Belt Consultant; DG CoE Program Manager)

and coordinating all significant DG initiatives across the organization. This includes the communication of critical activities and issues to the executive management, auditors, and legal counsel; facilitating required DG structures; and coordinating enterprise-wide DG architecture development plans and support requirements.

architectures and standards are communicated and adhered to across the organization. This includes providing program and project oversight and coordination, and developing and communicating new processes and best practices.

problem-solving techniques to attack the most significant DG problems the organization faces. Black belts strive to respond to the voice of the customer—both internal and external customers—and to reduce variability in a given process. The result is higher-quality processes and lower financial risk. They act as an internal consultant to support all the lines of business, with their priorities set by the DG CoE Director. Many black belts are also trained in Lean processes pioneered by Toyota back in the 1960s and 1970s. Lean Six Sigma combines the strengths of both philosophies.

training in DG procedures and guidelines. This includes maintaining and communicating the relevant training materials; tracking acceptance and acceptance issues to DG procedures and guidelines; and assuring the quality, consistency, and availability of the training process.

(multiple projects with interrelated objectives and dependent tasks). This includes tracking and communicating their status, resource staffing, critical issues, actual costs to budgeted costs, and dependencies.

DATA GOVERNANCE ASSESSMENT

For an organization to understand its DG current state, and gaps to achieve its desired end state, it is helpful to conduct an assessment. This is a traditional process in problem solving widely used by consultants and process improvement teams.

It begins by capturing the current state of DG across the enterprise. This is typically no minor task in decentralized organizations with heterogeneous IT environments and multiple silos of data in which many practices are not documented or are poorly understood outside of the business units and geographic locations. It is important to capture both the strengths and weaknesses, as islands of strengths can be used as role models for the rest of the organization.

Next, it is necessary to survey the business owners as to how they would define DG success. Of course, it is unlikely that there will be a great deal of consistency in their definition of success and the desired end state. It makes sense to first charter a DG CoE to take ownership of defining the desired end state. The alternative will be to present a variety of disparate and confusing ideas to an organization’s executive management. The desired end state should not be made in isolation but leverage best practice frameworks such as Control Objectives for Information and related Technology (COBIT), Information Technology Infrastructure Library (ITIL), National Institute of Standards and Technology (NIST) 800, and related International Organization for Standardization (ISO) standards. There is no need to start with a blank sheet.

Once the desired end state is agreed upon, the next step is to perform a gap analysis. The gap analysis should incorporate the risks of doing nothing and the risks, costs, and benefits of closing the gaps.

The final phase is to prepare a proposed action plan to achieve the end state including a prioritization of each objective. Achieving best practices and next-generation techniques in DG is a daunting task. Some goals will take years to achieve, while others are fairly short term. Overwhelming an organization with unattainable or excessive stretch goals will backfire and create more problems than will doing nothing.

DATA GOVERNANCE MATURITY MODEL

The assessment process can be enhanced by rating the organization against a data governance maturity model (see Exhibit 2.2). In this model, the least mature organizations are in a reactive and firefighting mode. As organizations improve, they begin to move from a project to an enterprise-wide approach. Ultimately, they use qualitative and quantitative metrics to continuously monitor and improve their people, processes, and technologies.

EXHIBIT 2.2 Data Governance Maturity Model (surviving labels from the figure: “Quantitatively and Qualitatively Managed: Measure and improve using quantitative and qualitative metrics and tools.”; “Issues are addressed on a project basis only.”; “Inadequately Understood and Managed: Issues are addressed in a reactive and firefighting manner.”)

The unfortunate reality is that many organizations are at the lowest levels of the maturity model. These are some of the characteristics to look for in an organization that is challenged by its DG:

defined, understood, or adhered to. Enterprise-wide policies, procedures, guidelines, and standards are lacking. Data governance is viewed by business owners and stakeholders as an IT issue. IT addresses DG in application and business silos.

application and database owner has their own definition of data and applicable standards. There is typically little sharing of data or efforts to find a common framework.

Date posted: 11/09/2020, 09:17
