Reputational Risk
Reputational
risk is any risk
to an
organization's reputation that is likely to destroy shareholder
value.
Reputational
risk
leads to negative publicity, loss of revenue, litigation, loss of
clients and partners, exit of key employees, share price decline,
difficulty in recruiting talent.
A comprehensive
reputational risk assessment
is necessary as an important part of a risk assessment.
The Basel II definition of operational risk
excludes
1. Strategic
risk
2. Reputational risk
3.
Systemic risk
We have several
stress tests that stress exactly that: Reputational Risk.
From the Basel ii
framework
Basel Committee on Banking Supervision
Reputational risk and implicit support
Reputational risk can be defined as the
risk arising from negative perception on the part of customers,
counterparties, shareholders, investors or regulators that can
adversely affect a bank’s ability to maintain existing, or
establish new, business relationships and continued access to
sources of funding (eg through the interbank or securitisation
markets).
Reputational
risk is multidimensional and reflects the perception of other
market participants.
Furthermore, it
exists throughout the organisation and exposure to reputational
risk is essentially a function of the adequacy of the bank’s
internal risk management processes, as well as the manner and
efficiency with which management responds to external influences
on bank-related transactions.
Reputational
risk, typically through the provision of implicit support,
may give rise to credit, liquidity, market
and legal risk – all of which can have a negative impact on a
bank’s earnings, liquidity and capital position.
A bank should
identify potential sources of reputational risk to which it is
exposed.
These include the
bank’s business lines, liabilities, affiliated operations,
off-balance sheet vehicles and the markets in which it operates.
The risks that arise should be incorporated into the bank’s risk
management processes and appropriately addressed in its ICAAP
and liquidity contingency plans.
Prior to the
2007 upheaval, many banks failed to recognise the reputational
risk associated with their off-balance sheet vehicles. In
stressed conditions some firms went beyond their contractual
obligations to support their sponsored securitisations and
offbalance sheet vehicles.
A bank
should incorporate the exposures that
could give rise to reputational risk into its assessments of
whether the requirements under the securitisation framework have
been met and the potential adverse impact of providing implicit
support.
Reputational risk
may arise, for example, from a bank’s sponsorship of
securitisation structures such as ABCP conduits and SIVs, as
well as from the sale of credit exposures to securitisation
trusts.
It may also arise
from a bank’s involvement in asset or funds management,
particularly when financial instruments are issued by owned or
sponsored entities and are distributed to the customers of the
sponsoring bank.
In the event that
the instruments were not correctly priced or the main risk
drivers not adequately disclosed, a sponsor may feel some
responsibility to its customers, or be economically compelled,
to cover any losses.
Reputational risk
also arises when a bank sponsors
activities such as money market mutual funds, in-house hedge
funds and real estate investment trusts (REITs). In these
cases, a bank may decide to support the value of shares/units
held by
investors even though is not contractually required
to provide the support.
The financial market crisis has provided
several examples of banks providing financial support that
exceeded their contractual obligations. In order to preserve
their reputation, some banks felt compelled to provide liquidity
support to their SIVs, which was beyond their contractual
obligations.
In other cases,
banks purchased ABCP issued by vehicles they sponsored in order
to maintain market liquidity. As a result, these banks assumed
additional liquidity and credit risks, and also put pressure on
capital ratios.
Reputational risk also may affect a bank’s
liabilities, since market confidence and a bank’s ability to
fund its business are closely related to its reputation.
For instance, to
avoid damaging its reputation, a bank may call its liabilities
even though this might negatively affect its liquidity profile.
This is
particularly true for liabilities that are components of
regulatory capital, such as hybrid/subordinated debt. In such
cases, a bank’s capital position is likely to suffer.
Bank management
should have appropriate policies in place to identify sources of
reputational risk when entering new markets, products or lines
of activities.
In addition,
a bank’s stress testing procedures should
take account of reputational risk so management has a firm
understanding of the consequences and second round effects of
reputational risk.
Once a bank
identifies potential exposures arising from reputational
concerns, it should measure the amount of support it might have
to provide (including implicit support of securitisations) or
losses it might experience under adverse market conditions.
In particular, in
order to avoid reputational damages and to maintain market
confidence, a bank should develop methodologies to measure as
precisely as possible the effect of reputational risk in terms
of other risk types (eg credit, liquidity, market or operational
risk) to which it may be exposed.
This could be
accomplished by including reputational risk scenarios in regular
stress tests. For instance, non-contractual off-balance sheet
exposures could be included in the stress tests to determine the
effect on a bank’s credit, market and liquidity risk profiles.
Methodologies
also could include comparing the actual
amount of exposure carried on the balance sheet versus the
maximum exposure amount held off-balance sheet, that is, the
potential amount to which the bank could be exposed.
A bank should
pay particular attention to the effects of reputational risk on
its overall liquidity position, taking into account both
possible increases in the asset side of the balance sheet and
possible restrictions on funding, should the loss of reputation
result in various counterparties’ loss of confidence. (See
section III(E) on the management of liquidity risk.)
In contrast to
contractual credit exposures, such as guarantees, implicit
support is a more subtle form of exposure. Implicit support
arises when a bank provides post-sale support to a
securitisation transaction in excess of any contractual
obligation.
Such
non-contractual support exposes a bank to the risk of loss, such
as loss arising from deterioration in the
credit quality of
the securitisation’s underlying assets.
By providing
implicit support, a bank signals to the
market that all of the risks inherent in the securitised
assets are still held by the organisation and, in effect, had
not been transferred. Since the risk arising from the potential
provision of implicit support is not Proposed enhancements to
the Basel II framework captured ex ante under Pillar 1, it must
be considered as part of the Pillar 2 process.
In addition, the
processes for approving new products or strategic initiatives
should consider the potential provision of implicit support
and should be incorporated in a bank’s ICAAP.
Sound risk management processes are
necessary to support supervisory and market participants’
confidence in banks’ assessments of their risk profiles and
internal capital adequacy assessments.
These processes take on
particular importance in light of the identification,
measurement and aggregation challenges arising from increasingly
complex on- and off-balance sheet exposures.
The areas addressed include:
• Firm-wide risk oversight;
• Specific risk management
topics:
− Risk concentrations;
− Off-balance sheet
exposures with a focus on securitisation;
−
Reputational risk and implicit support;
− Valuation and liquidity risks; and
− Sound stress testing
practices.
The financial market crisis has underscored
the critical importance of effective credit risk management to
the long-term success of any banking organisation and as a key
component to financial stability. It has provided a stark
reminder of the need for banks to effectively identify, measure,
monitor and control credit risk, as well as to understand how
credit risk interacts with other types of risk (including
market, liquidity and reputational risk).
The essential elements of a
comprehensive credit risk management programme include
(i)establishing an appropriate credit risk environment;
(ii) operating under a sound credit
granting process;
(iii) maintaining an appropriate credit
administration, measurement and monitoring process; and
(iv) ensuring adequate controls
over credit risk.
The crisis has also
emphasised the importance of effective capital planning and
longer-term capital maintenance. A bank’s ability to withstand
uncertain market conditions is bolstered by maintaining a strong
capital position that accounts for potential changes in the
bank’s strategy and volatility in market conditions over time.
Banks should focus on effective
and efficient capital planning, as well as long-term capital
maintenance.
An effective capital planning
process requires a bank to assess both the risks to which it is
exposed and the risk management processes in place to manage and
mitigate those risks; evaluate its capital adequacy relative to
its risks; and consider the potential impact on earnings and
capital from economic downturns.
Board
and senior management oversight
It is the responsibility of
the board of directors and senior management to define the
institution’s risk appetite and to ensure that the bank’s risk
management framework includes detailed policies that set
specific firm-wide prudential limits on the bank’s activities,
which are consistent with its risk taking appetite and capacity.
In order to determine the overall
risk appetite, the board and senior management must first have
an understanding of risk
exposures on a firm-wide basis.
To achieve this understanding,
the appropriate members of senior management must bring together
the perspectives of the key business and control functions.
In order to develop an integrated
firm-wide perspective on risk, senior management must overcome
organisational silos between business lines and share
information on market developments, risks and risk mitigation
techniques.
As the banking industry has moved
increasingly towards market-based intermediation, there is a
greater probability that many areas of a bank may be exposed to
a common set of products, risk factors or counterparties. Senior
management should establish a risk management process that is
not limited to credit, market, liquidity and operational risks,
but incorporates all material risks.
This includes reputational, legal
and strategic risks, as well as risks that do not appear to be
significant in isolation, but when combined with other risks
could lead to material losses.
A
bank’s policies, procedures and limits should:
• Provide for adequate and
timely identification, measurement, monitoring, control and
mitigation of the risks posed by its lending, investing,
trading, securitisation, offbalance sheet, fiduciary and other
significant activities at the business line and firmwide levels;
• Ensure that the economic
substance of a bank’s risk exposures,
including reputational risk and valuation uncertainty,
are fully recognised and incorporated into the bank’s risk
management systems;
• Be consistent with the
bank’s stated goals and objectives, as well as its overall
financial strength;
• Clearly delineate
accountability and lines of authority across the bank’s various
business activities, and ensure there is a clear separation
between business lines and the risk function;
• Escalate and address
breaches of internal position limits;
• Provide for the review of
new businesses and products by bringing together all relevant
risk management, control and business lines to ensure that the
bank is able to manage and control the activity prior to it
being initiated; and
• Include a schedule and
process for reviewing the policies, procedures and limits and
for updating them as appropriate.
Off-balance sheet exposures and securitisation risk
Banks’ use of securitisation
has grown dramatically over the last several years.
It has been used as an
alternative source of funding and as a mechanism to transfer
risk to investors.
While the risks associated with
securitisation are not new to banks, the recent financial
turmoil highlighted unexpected aspects of
credit risk, concentration risk, market risk, liquidity risk,
legal risk and reputational risk, which banks failed to
adequately address.
For instance, a number of banks
that were not contractually obligated to support sponsored
securitisation structures were unwilling to allow those
structures to fail due to concerns about reputational risk and
future access to capital markets.
The support of these structures
exposed the banks to additional and unexpected credit, market
and liquidity risk as they
brought assets onto their balance
sheets, which put significant pressure on their financial
profile and capital ratios.
Weaknesses in banks’ risk
management of securitisation and off-balance sheet exposures
resulted in large unexpected losses during the financial crisis.
To help mitigate these risks, a
bank’s on- and off-balance sheet securitisation activities
should be included in its risk management disciplines, such as
product approval, risk concentration limits, and estimates of
market, credit and operational risk.
In light of the wide range of
risks arising from securitisation activities, which can be
compounded by rapid innovation in securitisation techniques and
instruments, minimum capital requirements calculated under
Pillar 1 are often insufficient. All risks arising from
securitisation, particularly those that are not fully captured
under Pillar 1, should be addressed in a bank’s ICAAP. These
risks include:
• Credit, market,
liquidity and reputational risk of
each exposure;
• Potential delinquencies and
losses on the underlying securitised exposures;
• Exposures from credit lines
or liquidity facilities to special purpose entities; and
• Exposures from guarantees
provided by monolines and other third parties.
Securitisation exposures
should be included in the bank’s MIS to help ensure that senior
management understands the implications of such exposures for
liquidity, earnings, risk concentration and capital.
More specifically, a bank should
have the necessary processes in place to capture in a timely
manner updated information on securitisation transactions
including market data, if available, and updated performance
data from the
securitisation trustee or servicer.
Managing reputational risk
The most important principles are:
1. Educate
shareholders, employees, customers and suppliers. We must explain
the importance of reputational risk, and what they have to do (and
to avoid).
2. Tone at the top. Board and senior management oversight.
Policies and Procedures. Strong and consistent enforcement of
controls.
3. Continuous monitoring of threats to reputation.
4. Establishment of a crisis management plan and team.
5. Reporting
6. Stress testing.
Communication of the results.
From the Bank of International Settlements:
Basel
Committee on Banking Supervision, Risk Management Principles for
Electronic Banking, July 2003
C. Legal and Reputational Risk Management (Principles 11 to 14):
11. Appropriate disclosures for e-banking services.
12. Privacy of customer information.
13. Capacity, business continuity and contingency planning to
ensure availability of ebanking systems and services.
14. Incident response planning.
Legal and Reputational Risk Management
To protect banks against business, legal and reputation risk,
e-banking services must be delivered on a consistent and timely
basis in accordance with high customer expectations for constant
and rapid availability and potentially high transaction demand.
The bank must have the ability to deliver e-banking services to
all end-users and be able to maintain such availability in all
circumstances.
Effective incident response mechanisms are also critical to
minimise operational, legal and reputational risks arising from
unexpected events, including internal and external attacks, that
may affect the provision of e-banking systems and services.
To meet customers expectations, banks should therefore have
effective capacity, business continuity and contingency planning.
Banks should also develop appropriate incident response plans,
including communication strategies, that ensure business
continuity, control reputation risk and limit liability associated
with disruptions in their e-banking services.
Free
E-book: 100 Job Descriptions in Risk and Compliance Management
Join the International
Association of Risk and Compliance Professionals (IARCP).
Membership is Free
www.risk-compliance-association.com/How_to_become_member.htm
Benefits for Members:
www.risk-compliance-association.com/Member_Benefits.htm
Reading Room
www.risk-compliance-association.com/Reading_Room.htm
Certified Risk and
Compliance Management Professional (CRCMP)
www.risk-compliance-association.com/Distance_Learning_and_Certification.htm
Certified Information
Systems Risk and Compliance Professional (CISRCP)
www.risk-compliance-association.com/CISRCP_Distance_Learning_and_Certification.htm
Privacy and Compliance with
the Federal Trade Commission Fair, the California Online Privacy
Protection Act, the Children Online Privacy Protection Act, the
Privacy Alliance, the Controlling the Assault of Non-Solicited
Pornography and Marketing Act
www.risk-compliance-association.com/Privacy.htm
Become a member of the
International Association of Risk and Compliance Professionals
(IARCP). Membership is Free. You will receive a monthly
newsletter with risk and compliance management news, alerts and
opportunities. You can register below:
|
