Enterprise risk management

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall. (ERM) ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of internal control, the SarbanesOxley Act, and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.

Enterprise Risk Management Defined Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows: Enterprise risk management is a process, effected by an entitys board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may

affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. Enterprise risk management is: A process, ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite Able to provide reasonable assurance to an entitys management and board of directors Geared to achievement of objectives in one or more separate but overlapping categories This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness. Executive Summary 3 Achievement of Objectives Within the context of an entitys established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. Strategic high-level goals, aligned with and supporting its mission Operations effective and efficient use of its resources Reporting reliability of reporting Compliance compliance with applicable laws and regulations. This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories a particular objective can fall into more than one category address different entity needs and may be the direct responsibility of different executives. This This enterprise risk management framework is geared to achieving an entitys objectives, set forth in four categories:

categorization also allows distinctions between what can be expected from each category of objectives. Another category, safeguarding of resources, used by some entities, also is described. Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entitys control, enterprise risk management can be expected to provide reasonable assurance of

achieving those objectives. Achievement of strategic objectives and operations objectives, however, is

subject to external events not always within the entitys control; accordingly, for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.

Components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are: Internal Environment The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entitys people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objective Setting Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that Executive Summary 4 management has in place a process to set objectives and that the chosen objectives support and align with the entitys mission and are consistent with its risk appetite. Event Identification Internal and external events affecting achievement of an entitys objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to managements strategy or objective-setting processes. Risk Assessment Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Risk Response Management selects risk responses avoiding, accepting, reducing, or sharing risk developing a set of actions to align risks with the entitys risk tolerances and risk appetite. Control Activities Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Information and Communication Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Monitoring The entirety of enterprise risk management is monitored and modifications made as

necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.

Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the form of a cube.

Encompasses Internal Control

Internal control is an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and tool for management. Internal control is defined and described in Internal Control Integrated Framework. Because that

framework has stood the test of time and is the basis for existing rules, regulations, and laws, that document remains in place as the definition of and framework for internal control. While only portions of the text of Internal Control Integrated Framework are reproduced in this framework, the entirety of that framework is incorporated by reference into this one.

Roles and Responsibilities

Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers support the entitys risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of

responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key support responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entitys risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entitys enterprise risk management.

ERM frameworks defined

There are various important ERM frameworks, each of which describe an approach for identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include: 1. Avoidance: exiting the activities giving rise to risk 2. Reduction: taking action to reduce the likelihood or impact related to the risk 3. Alternative Actions: deciding and considering other feasible steps to minimize risks. 4. Share or Insure: transferring or sharing a portion of the risk, to finance it 5. Accept: no action is taken, due to a cost/benefit decision Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

Casualty Actuarial Society framework

In 2003, the Casualty Actuarial Society (CAS) defined ERM as the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders."[1] The CAS conceptualized ERM as proceeding across the two dimensions of risk type and risk management processes.[1] The risk types and examples include: Hazard risk Liability torts, Property damage, Natural catastrophe Financial risk Pricing risk, Asset risk, Currency risk, Liquidity risk Operational risk Customer satisfaction, Product failure, Integrity, Reputational risk Strategic risks Competition, Social trend, Capital availability.

The risk management process involves

1. Establishing Context: This includes an understanding of the current conditions in which the organization operates on an internal, external and risk management context. 2. Identifying Risks: This includes the documentation of the material threats to the organizations achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage. 3. Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk. 4. Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organizations key performance metrics. 5. Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.

6. Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks. 7. Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies. COSO ERM framework The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as a "process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."[4] The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components - additional components highlighted - are:

Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring

The four objectives categories - additional components highlighted - are:

Strategy - high-level goals, aligned with and supporting the organization's mission Operations - effective and efficient use of resources Financial Reporting - reliability of operational and financial reporting Compliance - compliance with applicable laws and regulations

Implementing an ERM program Goals of an ERM program Organizations by nature manage risks and have a variety of existing departments or functions ("risk functions") that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this

capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively. Typical risk functions The primary risk functions in large corporations that may participate in an ERM program typically include:

Strategic planning - identifies external threats and competitive opportunities, along with strategic initiatives to address them

Marketing - understands the target customer to ensure product/service alignment with customer requirements

Compliance & Ethics - monitors compliance with code of conduct and directs fraud investigations Accounting / Financial compliance - directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks

Law Department - manages litigation and analyzes emerging legal trends that may impact the organization

Insurance - ensures the proper insurance coverage for the organization Treasury - ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange

Operational Quality Assurance - verifies operational output is within tolerances Operations management - ensures the business runs day-to-day and that related barriers are surfaced for resolution

Credit - ensures any credit provided to customers is appropriate to their ability to pay Customer service - ensures customer complaints are handled promptly and root causes are reported to operations for resolution

Internal audit - evaluates the effectiveness of each of the above risk functions and recommends improvements

Common challenges in ERM implementation Various consulting firms offer suggestions for how to implement an ERM program.[5] Common topics and challenges include:

Identifying executive sponsors for ERM. Establishing a common risk language or glossary. Describing the entity's risk appetite (i.e., risks it will and will not take) Identifying and describing the risks in a "risk inventory". Implementing a risk-ranking methodology to prioritize risks within and across functions.

Establishing a risk committee and or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions.

Establishing ownership for particular risks and responses. Demonstrating the cost-benefit of the risk management effort. Developing action plans to ensure the risks are appropriately managed. Developing consolidated reporting for various stakeholders. Monitoring the results of actions taken to mitigate risk. Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities. Developing a technical ERM framework that enables secure participation by 3rd parties and remote employees.

Internal audit role In addition to information technology audit, internal auditors play an important role in evaluating the risk management processes of an organization and advocating their continued improvement. However, to preserve its organizational independence and objective judgment, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function. Internal auditors typically perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the upcoming year. This plan is updated at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, and SOX top-down risk assessment), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying audit projects, not to identify, prioritize, and manage risks directly for the enterprise.

Current issues in ERM

The risk management processes of U.S. corporations are under increasing regulatory and private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth and opportunity. Executives struggle with business pressures that may be partly or completely beyond their immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive technology change; geopolitical instabilities; and the rising price of energy.

1. Sarbanes-Oxley Act requirements Section 404 of the Sarbanes-Oxley Act of 2002 required U.S. publicly traded corporations to utilize a control framework in their internal control assessments. Many opted for the COSO Internal

Control Framework, which includes a risk assessment element. In addition, new guidance issued by the Securities and Exchange Commission (SEC) and PCAOB in 2007 placed increasing scrutiny on topdown risk assessment and included a specific requirement to perform a fraud risk assessment.[8] Fraud risk assessments typically involve identifying scenarios of potential (or experienced) fraud, related exposure to the organization, related controls, and any action taken as a result. 2. NYSE corporate governance rules The New York Stock Exchange requires the Audit Committees of its listed companies to "discuss policies with respect to risk assessment and risk management." The related commentary continues: "While it is the job of the CEO and senior management to assess and manage the companys exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the companys major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee."

ERM and corporate debt ratings Standard & Poor's (S&P), the debt rating agency, plans to include a series of questions about risk management in its company evaluation process. This will rollout to financial companies in 2007. The results of this inquiry is one of the many factors considered in debt rating, which has a corresponding impact on the interest rates lenders charge companies for loans or bonds. On May 7, 2008, S&P also announced that it would begin including an ERM assessment in its ratings for non-financial companies starting in 2009, with initial comments in its reports during Q4 2008.

ISO 31000 : the new International Risk Management Standard ISO 31000 is an International Standard for Risk Management which was published on 13 November 2009. An accompanying standard, ISO 31010 - Risk Assessment Techniques, soon followed publication (December 1, 2009) together with the updated Risk Management vocabulary ISO Guide 73.

Companies Increasingly Focusing on ERM

It is clear that companies recognize ERM as a critical management issue. This is demonstrated through the prominence assigned to ERM within organizations and the resources devoted to building ERM capabilities.

In a 2008 survey by Towers Perrin,[22] at most life insurance companies, responsibility for ERM resides within the C-suite. Most often, the chief risk officer (CRO) or the chief financial officer (CFO) is in charge of ERM, and these individuals typically report directly to the chief executive officer. From their vantage point, the CRO and CFO are able to look across the organization and develop a perspective on the risk profile of the firm and how that profile matches its risk appetite. They act as drivers to improve skills, tools and processes for evaluating risks and to weigh various actions to manage those exposures. Companies are also actively enhancing their ERM tools and capabilities. Three quarters of responding companies said they have tools for specifically monitoring and managing enterprise-wide risk. These tools are used primarily for identifying and measuring risk and for management decision making. Respondents also reported that they have made good progress in building their ERM capabilities in certain areas. In this study, more than 80% of respondents reported that they currently have adequate or better controls in place for most major risks. In addition, about 60% currently have a coordinated process for risk governance and include risk management in decision making to optimize risk adjusted returns. In another survey conducted in May and June 2008, against the backdrop of the developing financial crisis, six major findings came to light regarding risk and capital management among insurers worldwide:[23]

Embedding ERM is proving to be a significant challenge Company size matters European insurers are better positioned ERM is influencing important strategic decisions Economic capital standards are gaining ground Operational risk remains a weak spot

BASEL:
Basel I is the round of deliberations by central bankers from around the world, and in 1988, the Basel Committee on Banking Supervision (BCBS) in Basel, Switzerland, published a set of minimum capital requirements for banks. This is also known as the 1988 Basel Accord, and was enforced by law in the Group of Ten (G-10) countries in 1992 . Basel I is now widely viewed as outmoded. Indeed, the world has changed as financial conglomerates, financial innovation and risk management have developed. Therefore, a more comprehensive set of guidelines, known asBasel II are in the process of implementation by several countries. New updates, Basel III, were developed in response to the financial crisis.
Basel I, that is, the 1988 Basel Accord, primarily focused on credit risk. Assets of banks were classified and grouped in five categories according to credit risk, carrying risk weights of zero (for example home country sovereign debt), ten, twenty, fifty, and up to one hundred percent (this category has, as an example, most corporate debt). Banks with international presence are required to hold capital equal to 8% of the riskweighted assets. The creation of the credit default swap after the Exxon Valdez incident helped large banks hedge lending risk and allowed banks to lower their own risk to lessen the burden of these onerous restrictions. Since 1988, this framework has been progressively introduced in member countries of G-10, currently comprising 13 countries, namely, Belgium, Canada, France, Germany, Italy, Japan,Luxembourg, Netherlands, Spain, Sweden, Switz erland, United Kingdom and the United States of America.

Basel II is the second of the Basel Accords, (now extended and effectively superseded by Basel III), which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. Basel II, initially published in June 2004, was intended to create an international standard for banking regulators to control how much capital banks need to put aside to guard against the types of financial and operational risks banks (and the whole economy) face. One focus was to maintain sufficient consistency of regulations so that this does not become a source of competitive inequality amongst internationally active banks. Advocates of Basel II believed that such an international standard could help protect the international financial system from the types of problems that might arise should a major bank or a series of banks collapse. In theory, Basel II attempted to accomplish this by setting up risk and capital management requirements designed to ensure that a bank has adequate capital for the risk the bank exposes itself to through its lending and investment practices. Generally speaking, these rules mean that the greater risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability. Politically, it was difficult to implement Basel II in the regulatory environment prior to 2008, and progress was generally slow until that year's major banking crisis caused mostly by credit default swaps, mortgagebacked security markets and similar derivatives. As Basel III was negotiated, this was top of mind, and

accordingly much more stringent standards were contemplated, and quickly adopted in some key countries including the USA

Objective
The final version aims at: 1. Ensuring that capital allocation is more risk sensitive; 2. Enhance disclosure requirements which will allow market participants to assess the capital adequacy of an institution; 3. Ensuring that credit risk, operational risk and market risk are quantified based on data and formal techniques; 4. Attempting to align economic and regulatory capital more closely to reduce the scope for regulatory arbitrage.

The accord in operation

Basel II uses a "three pillars" concept (1) Minimum capital requirements (addressing risk), (2) Supervisory review and (3) Market discipline. The Basel I accord dealt with only parts of each of these pillars. For example: with respect to the first Basel II pillar, only one risk, credit risk, was dealt with in a simple manner while market risk was an afterthought; operational risk was not dealt with at all.

The first pillar

The first pillar deals with maintenance of regulatory capital calculated for three major components of risk that a bank faces: credit risk, operational risk, and market risk. Other risks are not considered fully quantifiable at this stage. The credit risk component can be calculated in three different ways of varying degree of sophistication, namely standardized approach, Foundation IRB, Advanced IRB and General IB2 Restriction. IRB stands for "Internal Rating-Based Approach". For operational risk, there are three different approaches basic indicator approach or BIA, standardized approach or STA, and the internal measurement approach (an advanced form of which is the advanced measurement approach or AMA). For market risk the preferred approach is VaR (value at risk). As the Basel II recommendations are phased in by the banking industry it will move from standardised requirements to more refined and specific requirements that have been developed for each risk category by each individual bank. The upside for banks that do develop their own bespoke risk measurement systems is that they will be rewarded with potentially lower risk capital requirements. In future there will be closer links between the concepts of economic and regulatory capital.

The second pillar

The second pillar deals with the regulatory response to the first pillar, giving regulators much improved 'tools' over those available to them under Basel I. It also provides a framework for dealing with all the other risks a bank may face, such as systemic risk, pension risk, concentration risk, strategic risk, reputational risk, liquidity risk and legal risk, which the accord combines under the title of residual risk. It gives banks a power to review their risk management system. It is the Internal Capital Adequacy Assessment Process (ICAAP) that is the result of Pillar II of Basel II accords.

The third pillar

This pillar aims to complement the minimum capital requirements and supervisory review process by developing a set of disclosure requirements which will allow the market participants to gauge the capital adequacy of an institution. Market discipline supplements regulation as sharing of information facilitates assessment of the bank by others, including investors, analysts, customers, other banks, and rating agencies, which leads to good corporate governance. The aim of Pillar 3 is to allow market discipline to operate by requiring institutions to disclose details on the scope of application, capital, risk exposures, risk assessment processes, and the capital adequacy of the institution. It must be consistent with how the senior management, including the board, assess and manage the risks of the institution. When market participants have a sufficient understanding of a bank's activities and the controls it has in place to manage its exposures, they are better able to distinguish between banking organisations so that they can reward those that manage their risks prudently and penalise those that do not. These disclosures are required to be made at least twice a year, except qualitative disclosures providing a summary of the general risk management objectives and policies which can be made annually. Institutions are also required to create a formal policy on what will be disclosed and controls around them along with the validation and frequency of these disclosures. In general, the disclosures under Pillar 3 apply to the top consolidated level of the banking group to which the Basel II framework applies. Basel III (or the Third Basel Accord) is a global regulatory standard on bank capital adequacy, stress testing and market liquidity risk agreed upon by the members of the Basel Committee on Banking Supervision in 201011, and scheduled to be introduced from 2013 until 2018.[1][2] The third installment of the Basel Accords (see Basel I, Basel II) was developed in response to the deficiencies in financial regulation revealed by the late-2000s financial crisis. Basel III strengthens bank capital requirements and introduces new regulatory requirements on bank liquidity and bank leverage. The OECD estimates that the implementation of Basel III will decrease annual GDP growth by 0.050.15%.[3][4] Critics suggest that greater regulation is responsible for the slow recovery from the late-2000s financial crisis,[5][6] and that the tighter Basel III requirements may further negatively affect the stability of the financial system by increasing the incentives of banks to game the regulatory framework.[7]

Basel III will require banks to hold 4.5% of common equity (up from 2% in Basel II) and 6% of Tier I capital (up from 4% in Basel II) of risk-weighted assets (RWA). Basel III also introduces additional capital buffers, (i) a mandatory capital conservation buffer of 2.5% and (ii) a discretionary countercyclical buffer, which allows national regulators to require up to another 2.5% of capital during periods of high credit growth. In addition, Basel III introduces a minimum leverage ratio and two required liquidity ratios.[8] The leverage ratio is calculated by dividing Tier 1 capital by the bank's average total consolidated assets;[9] the banks are expected to maintain the leverage ratio in excess of 3%. The Liquidity Coverage Ratio requires a bank to hold sufficient high-quality liquid assets to cover its total net cash outflows over 30 days; the Net Stable Funding Ratio requires the available amount of stable funding to exceed the required amount of stable funding over a one-year period of extended stress.[10]

Summary of proposed changes

First, the quality, consistency, and transparency of the capital base will be raised.

Tier 1 capital: the predominant form of Tier 1 capital must be common shares and retained earnings Tier 2 capital instruments will be harmonized Tier 3 capital will be eliminated.[11] Promote more integrated management of market and counterparty credit risk Add the CVA (credit valuation adjustment)-risk due to deterioration in counterparty's credit rating Strengthen the capital requirements for counterparty credit exposures arising from banks' derivatives, repo and securities financing transactions Raise the capital buffers backing these exposures Reduce procyclicality and Provide additional incentives to move OTC derivative contracts to central counterparties (probably clearing houses) Provide incentives to strengthen the risk management of counterparty credit exposures Raise counterparty credit risk management standards by including wrong-way risk

Second, the risk coverage of the capital framework will be strengthened.

Third, the Committee will introduce a leverage ratio as a supplementary measure to the Basel II risk-based framework.

The Committee therefore is introducing a leverage ratio requirement that is intended to achieve the following objectives:

Put a floor under the build-up of leverage in the banking sector Introduce exposures. additional safeguards against model risk and measurement error by supplementing the risk based measure with a simpler measure that is based on gross

Fourth, the Committee is introducing a series of measures to promote the build up of capital buffers in good times that can be drawn upon in periods of stress ("Reducing procyclicality and promoting countercyclical buffers").

The Committee is introducing a series of measures to address procyclicality:

Dampen any excess cyclicality of the minimum capital requirement; Promote more forward looking provisions; Conserve capital to build buffers at individual banks and the banking sector that can be used in stress; and

Achieve the broader macro prudential goal of protecting the banking sector from periods of excess credit growth.

Requirement to use long term data horizons to estimate probabilities of default, downturn loss-given-default estimates, recommended in Basel II, to become mandatory Improved calibration of the risk functions, which convert loss estimates into regulatory capital requirements. Banks must conduct stress tests that include widening credit spreads in recessionary scenarios.

Promoting stronger provisioning practices (forward looking provisioning):

Advocating a change in the accounting standards towards an expected loss (EL) approach (usually, EL amount := LGD*PD*EAD).[12]

Fifth, the Committee is introducing a global minimum liquidity standard for internationally active banks that includes a 30-day liquidity coverage ratio requirement underpinned by a longer-term structural liquidity ratio called the Net Stable Funding Ratio. (In January 2012, the oversight panel of the Basel Committee on Banking Supervision issued a statement saying that regulators will allow banks to dip below their required liquidity levels, the liquidity coverage ratio, during periods of stress.) The Committee also is reviewing the need for additional capital, liquidity or other supervisory measures to reduce the externalities created by systemically important institutions

THE LIMITS OF BASEL II ACCORD

In general the banks dont have to engage in transactions, in which the risks can not be identified and controlled in an efficient manner. Each risk an institution of credit deals with must be identified, supervised and limited its effects. In the 1980s, because of the critical changes of interest rates, produced by the inflationary process and by the energetic crises, because of the significant changes of the exchange rates after the abolishment of the Bretton Woods system and because of the intensification of competition on the financial

services market, the instability becomes a characteristic of the environment in which the banks are operating. In this new situation, the banks vulnerability and the number of bankruptcy increases. The Basel I Accord in 1988, emerged because of the banks insolvency in the 1980s, has lead to the banking systems recovery on the account of the minimum capital adequacy. The Accord has also concurred to the international banking systems stability due to the harmonization of international banks practices and because of the elimination of disloyal bank competition. The stipulations of Basel I Settlement didnt have an imperative character, they were just merely given as a guide, but they were adopted by the majority of banks. The risks on the international market are evolving and they are affecting the banks activity, in 1996 the Basel I Settlement was amended by the incorporation of market risk next to the credit risk in estimating the adequacy capital. The Basel II Accord adopted in 2004 has a more flexible character, offering to the credit institutions the freedom to choose their own methods of risk evaluation, but conserves the key elements of Basel I Settlement, respectively the minimum of 8% capital adequacy.

The Basel II Settlement has many advantages like: - the credit institutions take into consideration the operational risk next to the credit risk and market risk; - the global risk approach; - the internal rating systems; - a market discipline based on the transparency principle and a detailed reporting offering relevant, credible, opportune, comparable and comprehensible information;724 - an increased competence for supervision authorities; - the creation of a solid bank industry; - contributes to the harmonization of bank practices between East and West Europe; - an equitable bank competition; - the three pillars represent a whole unit; - the internal methods of risk evaluation determine, that the weighting coefficients with which every risk asset is being evaluated, are not the same for the whole banking sector, but the are being established individual, by each institution, so that the risk is evaluated much more accurately, and the situations in which capital requirements are overestimated are being eliminated. So the banks will have more money for giving credits, and they will have to make up fewer reserves.

The Basel II Convention introduces in the standard approach of credit risk an accessory forfeit for credits given to the institution with an inferior rating. So, if the Basel I Accord the minimum requirement was 100% from the exposure, in the Basel II for B ratings the weightin coefficient is 150%. The exposure classes

and the weighting coefficients for credit risk increase from 4 to 8 categories: 0%, 10%, 20%, 35%, 50%, 75%, 100%, 150%, which allows to detect more accurately the credit risk based on the nature of investment for each bank. The weighting coefficients for each risk do not depend only on the class in which is being placed the exposure, but also on the credit quality, determined by the ratings given by the external

evaluation of credit/clients institutions.

The banks, which will make the most of the New Settlement, will be the ones that seriously invest

in the

risk management and the ones that know to choose the right risk management method based on the result of analyses made. In other words, the promotion of the internal risk management models will represent the banks success key in developing the credit activity and managing the risks.

The implementation of Basel II Agreement has revealed itslimits, like

- the implementation implies high costs regarding the training of staff, IT, especially for countries in Central and East Europe; - the discrimination between bank (small and large banks); - fewer loans for countries in the transitional period, especially for banks and companies with low rating; - the increase of the bank concentration degree through fusions and acquisitions between banks in the system; - the variation of interest based on the quality of the credit applicant. Due to its complexity, the IRB method becomes very difficult to implement for banks, which dont have a superior level of culture in credit risk management, so the standard approach appears to be the only credible option for banks in Central and East Europe. In Romania this process is easier because the whole banking system is owned by West Europe Banks, which passed this test, so they will be able to facilitate the transition of the subsidiary to the new capital requirements. In some cases the mother banks will provide their own internal risk evaluation models. The main shortcoming of Basel Committee Settlements, known as Basel II Accord is to suggest solution for bank capital adequacy, based on the risk profile of banks assets starting from a given situation of credits, which a banks has in its portfolio. Another approach which can help banks to protect themselves against credit risks is based on a thoroughness companys analysis and not on adequacy of capital to the risk profile of bank assets considering the necessary cash-flow, the necessary of liquidity established by mutual agreement for the repayment of credit and interest, taking into account two components: depreciation and

net profit. The relation between self financing and the necessary cash-flow constitute a necessary premise for the protection consolidation against credit risk, for the bank and also for the company, their main concern being the repayment of credit and interest and the owners to achieve the expected gain.

The second Pillar of Basel II Agreement called supervisory review increases very much the responsibility for the financial supervisor. The supervisors must examine the methods used by bank to record, process and monitor the relevant information. As the banks have the freedom to choose their own strategies, also the supervisors have the power to refuse them, based on their own judgment. This may lead to a conflict between supervisors and banks. Beside that, the second Pillar implies a huge qualification for supervisors, in the condition in which the capital markets are full of innovations. In fact, given the present ability of banks to generate and introduce financial innovations constantly, supervisors will have to be permanently updating and upgrading their skills 393 . Implementing Basel II in developing countries will encounter many obstacles, maybe the most important will be granting the supervisors enough freedom, resources and competence. The rating agencies were born in The Unites States of America at the end of 19th century and the beginning of 20th century, and the most famous are Standard and Poors, Moodys and Fitch IBCA. Another deficiency of Basel II is the placement of rating agencies in the center of the new regulation of risk management, which doesnt represent the optimal solution, even though it seems the most viable at this moment. I say this because the presence of rating agencies in Europe has developed in the 1990s, recently compared to USA. In countries in Central and East Europe the presence of rating agencies was felt after the fall of the communist regime, but they are few compared with countries in West Europe. Mugur Isarescu the governor of National Bank of Romania in the presentation Nine Lessons from the Nowadays Financial Crisis presented on 14th of April 2009 asserts the following: The global crisis has its origins in The United States of America on the mortgage market, being triggered by the sub-prime loans crisis. The exuberant liquidity together with the financial

disintermediary, excessive deregulation have led to the present financial crisis. The consequences of thi excessive liquidity have been the low interest rates and their low volatility, so the appetite for assets with high benefits has increased. Therewith appears a weaker lookout of the market investors. The degree each economy is affected by this crisis depends on its vulnerability. The nine lessons to be learned are:

1. The low level of inflation does not represent an enough condition for the assurance of financial stability on long term. Usually the crisis is triggered by a high inflation, the main source of financial instability. The exception consists in that the present crisis appeared after two decades of low and stabile inflation, which coexisted with excessive liquidity. So the financial intermediary model has changed from originate and hold

to originate and distribute. The monetary policy, regulation and financial supervision must pull together efficiently, which hasnt happened in the last years.

2. At certain periods regulation and supervision fall behind the markets. The markets always find a way to innovate because the economic agents are always competing with each other for satisfying a real need. The innovation process is so dynamic and sophisticated, that the ones who regulate and supervise the markets can fall behind.

3. In the European Union are missing some institutions. The EU should create a new institution The European Risk Systemic Council, which purpose should be to collect information regarding risks and macro prudential vulnerabilities from each financial sector of EU. The Council will issue warnings about risks and will adopt recommendations of economic policy. Another institution is The European System of Financial Supervision with three authorities: The European Bank Authority, The European Securities Authority and The European Insurance Authority.

4. The financial incentives in private companies are not correlated with risk management. The financial incentives should be better correlated with shareholders interest and the whole companys profitability on the long term.

5. People forget about crisis in the heyday and neglect the creation of crisis management mechanisms.

6. International Monetary Fund has given a huge role, after being criticized for not foresee the Asian Crisis. The nowadays financial crisis reveals that in difficult moments we need an institution, which has an imagine of each economy on the globe. The IMF has an experience for at least five decades in investigating the members economies, today 185 countries, and this experience is not easy to accomplish.

7. The expansion measures must be accompanied from the beginning by exit strategies. The launching of anti crisis measures must be accompanied by the creation of credible exit strategies, which are necessary now for assisting the financial sector and launching again the global demand.

8. It is important avoiding macroeconomic disequilibrium and following a sustainable economic growth based on a substantial degree of structural reforms.

9. The Euro Adoption can not be substituted by adjusting policies. The last two lessons are for emerging economies. The present financial crisis demonstrated that the banking system has not been well capitalized, there has not been enough banks to absorb the capital losses of bankruptcy institutions. The response of USA and Great Britain Government demonstrated the existence of capital deficit.

The effects of international crisis have expanded over the Romanian economy. However, considering the direct impact, the banking system was less affected because is has not been exposed to toxic assets, also due to the administrative and prudential measures implemented by The National Bank of Romania. Indirectly the international financial crisis, and especially its consequence the recession in developed countries has expanded over the economy in Romania through many channels. Through the commercial channel, the export slows down. Through the financial channel, the access to external financing is limited, so the credit load is restricted and appear difficulties in external private debt service. Through the exchange rate channel, the cutting down of external finance is being reflected in devaluation of national currency. Through the trust channel one can see the withdrawal of investors from East Europe countries. The effect was the panic moments and the speculative attacks on the monetary currency market, like the ones in October 2008 in Romania, which needed the NBRs intervention. The Basel II Agreement in the context of the global financial crisis is better than Basel I Agreement, being more sensitive to risk, but not enough. The Basel II Accord takes into consideration a

new risk, the operational risk. Basel II defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including legislation risk. The

shortcoming is that reputation risk, systemic risk and strategic risk are not operational risk, so they are not taken into consideration, even though they are striking on the capital markets. Another critique regarding the Basel II Accord refers to the large banks and financial aggregations, which adopt advanced capital adequacy approach will have greater benefits than small banks, constrained to apply the standard approach for capital adequacy. The foreign banks in developing countries by applying Basel II Agreement will give loans to the most solvent debtors, and the other debtors with a less attractive situation can borrow money from local banks. This aspect can create problems for SME in accessing loans.

On the short term the main challenge is finding the solutions to reestablish the trust of investors and consumers. On the long term, the main challenge is to adjust the principles which guide the international financial system reform, regarding transparency, improving the regulations for security accountancy, the assurance of adequate market, companies and financial products settlements, the assurance of financial

markets integration (regarding market handling and fraud) and intensification of worlds financial institution (the modernization of management structures of

cooperation between

IMF and World Bank).In Romania, the answer to the contrary effects of crisis can not be similar to the one on the other European countries or to USA. There are a few differences between the Romanian economy and these economies, which not allow the copy of measures implemented there. The Romanian economy has a deficit of current account, which indicates the dependence on external finance. To pass well over the international financial crisis, a leverage ratio should be added to Basel II Accord. This leverage ratio should be applied as a complement to the risk-weighted capital requirements. It ensures a minimum capital buffer that protects banks against unexpected losses and underestimation of risk. As we have learned from the current crisis, the failure of risk models may quickly turn banks that seem comfortably capitalised into poorly capitalised banks. Adding a leverage ratio to Basel II will reinforce banks capital and strengthen capital regulation. The current global crisis has proved the limits of Basel II Accord. In my opinion in the nearest future the talks will be about a new agreement, maybe a Basel III, which has to take into consideration more risks that affect the banking system. Other risks can be: liquidity risk, as we know this risk can easily cause insolvency and the interest rate risk. Why these two risks, can we ask ourselves? The answer is simple: thanks to the international financial crisis we face a lack of liquidity. The banks have problems in the repayment of loans, they are being forced to make many echelons and modifications for the date of payment for loans. The initial plans for banks, when the credits were given have changed. As a precaution measure in October 2008 the credit rhythm in Romania was significantly reduced. Many banks were forced to increase their operation commissions or to introduce new ones in order to compensate the lack of liquidity The financial crisis has contributed to the creation of a vicious circus: the banks havent given credits so easily, and the companies confronted themselves with problems in collection of receivables. The firms couldnt borrow loans in a short time, they couldnt pay their providers on time, and also the liabilities to the budget, many seizures were introduced, and may providers faced insolvency. In Bihor county can one notice the slow rhythm of development for real estate projects, and the bankruptcy of societies. Nowadays we face unemployment. One can also notice the efforts of National Bank of Romania, which tries to maintain the financial stability, the inflation, the exchange rate. In the spring of

2009 the loans were launched, but the credit conditions are pretty tough (high commissions and interest rates, a closer client monitoring, a very good financial situation). Another risk which Basel III has to take into consideration is the interest rate risk. In general in the credit contract the interest rate in variable. Nowadays there are few banks, which accept a fix interest rate in the credit contract. Why I say this? The situation on the global market determined an increase in the cost of resources, so the interest rate risk has increased. The

interest is formed form the cost of resource and the risk margin. No bank will accept an interest lower or equal with the cost of resource. The fame of o bank once gained is does not represent a risk, but loosing that fame can turn into a risk any time.

The Role of Credit Rating Agencies in the Governance of Financial Markets

Throughout the industrialized world governments play an important role in the regulation of financial market risk. By protecting investors from fraud and by introducing preventive regulation to reduce the likelihood of financial crisis, they have contributed to the markets efficiency and growth. However, the states role in financial markets has become more difficult over the last two to three decades. The increasing global integration of nationally contained financial markets means that a financial crisis can spread more easily from one national system to another. Furthermore, the high mobility of capital makes the enforcement of rules more difficult. These problems raise the question as to whether and how the management of risk in financial markets takes place today. In recent years credit rating agencies (CRA) have become increasingly important in the management of financial market risk. CRA are commercial firms that receive payment for publishing an evaluation of the creditworthiness of their clients. This information is especially useful when borrowing takes place through the issue of securities, rather than by bank loans, since buyers of securities do not know the issuers as well as banks usually know their customers. CRA originated in the USA at the turn of the century and concentrated on rating corporate bonds. Their activities subsequently increased in scope and scale. At present no major type of security, issuer or geographic area is excluded. CRA now define a truly global benchmark for credit risk. Published ratings are not only closely observed in the market place. They are significant for regulation as well. Since the Great Depression the CRAs benchmark has also been used in the regulation of financial markets. Banks or certain types of other investors, for example, are only allowed to hold lower risk securities rated investment grade. By referring to the market benchmark for credit risk, regulation remains in touch with the changing credit risks in the market. As with the use of ratings in the market, their use as a regulatory benchmark is also spreading globally. Since CRA judgments define a globally uniform benchmark, they are attractive as a reference for international regulatory standards as well. A good case in point is the recent proposition by the Bank for International Settlements to use ratings to calculate capital adequacy ratios for banks. The increasing prominence of the CRA in risk management in the market place and in regulation makes them an important element in coping with the risk of globally interconnected financial markets. The question arising from this observation is: how effective are present rating-based risk management strategies? Given the rapidly changing nature of financial market risk, how well do rating agencies adapt to them? To answer this question, the dominant mode of action co-ordination between the actors involved is to be analysed. The

question guiding the analysis will be whether rating-based risk management results in greater adaptability associated with networks or whether it will be limited to the trial and error learning of markets and hierarchies