OpRisk North America Spring 2012 conference

Operational Risk in Commodity Trading

Robert Serena

March 2012

About the author

Bob has over 25 years of Risk Management experience across the Insurance (P&C, Health, Life and Annuity, Reinsurance, and Consulting),Banking (Commercial and Investment), Energy (Independent Power Producers, Regulated Utilities, Integrated Oil & Gas, and Consulting), andManufacturing industries (Military Contractor).

Additionally, he has broad experience across a range of functional areas, including Quality Assurance, Software Engineering, System Design andImplementation, Claims, Financial and Medical Underwriting, Financial Reporting and Valuation, Pricing and Product Development, Asset LiabilityManagement, Retirement Planning, and Risk Management – Enterprise Risk, Strategic Risk, Market Risk, Credit Risk, Insurable Risk,Regulatory/Compliance Risk, and Operational Risk.

Bob is a native of Connecticut, and holds a BS degree in Electrical Engineering from Rice University and a MS degree in Operations Research fromthe University of New Haven. He also holds several professional designations, including Fellow in the Society of Actuaries (FSA), CharteredFinancial Analyst (CFA), Financial Risk Manager (FRM), and Chartered Property Casualty Underwriter (CPCU).

Bob is a resident of Boerne, Texas with his wife and two children.

2

Robert Serena, FSA, CFA, FRM, CPCU

3

Operational risk in a trading business

Definition

Process

People

Systems

External Events

Arrange & Confirm Deal

Generate or confirm contract

Exposure & Profit and Loss

Schedule Price Deal Process InvoiceProcess

Receipt/paymentManage accts. &

cash flowReport Results

4

How is operational risk defined in a trading business?

The risk of loss resulting from inadequate or failed internalprocesses, people and systems or from external events that havea direct impact on front-to-back transaction administration.

It represents the risk profile of the front to back businessprocesses from origination to execution and delivery.

5

Operational risk - Processes and people

Risks associated with processes

Inadequate procedure

Inadequate standard/control process

Erroneous reporting

Process change/implementation

Risks associated with people

Training/competence/knowledge

Inappropriate or fraudulent behavior

Insufficient resources to manage workflow requirements

5

Operational risk - Systems and external events

Risks associated with systems

System degradation/capability

Interface issues

Inadequate support

System access

Project delivery

Risks associated with external events

Third-party relationships

Regulatory/political

Exchange failure

Malicious damage

Disaster recovery

7

Operational risk failuresExamples from the past 20 years

Year Financial Scandals Loss

2008 Madoff Investment Securities $18B loss to investors due to a Ponzi scheme

2007-8 The Credit Crunch Mispricing of the risk involved with subprime mortgages led to a lack ofcredit supply felt worldwide

2007 Societe Generale $7.2B loss due a trader creating fraudulent trading positions throughunauthorized trades

2002 Allied Irish Banks $750M loss on foreign exchange trading operations

2001 Enron and AA Accounting fraud led to the fall of both companies

1998 Long-Term Capital Management $4B loss after debt default by Russia

1996 Sumitomo Corp $2.6B loss on unauthorized copper trades

1995 Daiwa Bank $1.1B loss from unauthorized trades

1995 Barings Bank $1.4B loss due to a rogue trader caused its collapse

8

Operational risk

Changes

• Technology

• New product offerings

• Industry consolidation

• New/ emerging markets

• Outsourcing

Regulatory expectations

• Basel II

• Local regulatory developments

• Dodd-Frank Act

Industry events

• Accounting frauds

• AIB

• Barings

• Soc Gen

Market expectations

• Rating agencies (e.g., S&P, Moody’s)

• Counterparts/ institutional clients

Why we manage operational risk?

9

Tools used to manage operational risk

Operational incident management

New activity integration

Enterprise risk management framework

Key risk indicators

Process reviews

10

Scenario Analysis

Process Reviews

New Activity Integration

Operational Incident Management

Forward-Looking

• Impact x likelihood• Evaluating ability to

control risks• Trend analysis• Identifying new

business risks

Accept

Mitigate

Identify Respond Control Assess

Backward-Looking

• Financial Exposure• Trend Analysis• Root Cause analysis

Forward-Looking

Backward-Looking

Key Risk Indicators

Enterprise Level Controls

• Policies and procedures• Risk committees• New activity integration/post

implementation reviews• Incident escalation and action item

audits• Mandatory training Requirements• Delegation of authority• Segregation of duties

Process Level Controls

• Desk procedures and process documentation

• Reconciliations• KRI and KPI metrics

How do we manage operational risk? Our toolkit

11

Operational incident management

Operational losses resulting from inadequate or failed internal processes, systems, human error, or from external events:

Direct or indirect losses/gains Potential gains/losses Misstatements of income or cash flow Actual or potential breaches of legal or regulatory requirements Significant redirecting of resources or exposure to reputational issues

Examples Front, middle or back office systems, processes or controls Trading/credit exposures, positions or risk limits Compliance with applicable legal and regulatory requirements

Objectives of reporting incidents Identify and take action to address root causes Share the lessons learned Minimize re-occurrence Sustainable continuous improvement

12

New activity integration (NAI) process

Rigorous due diligence and review process that is applied to all new commercial opportunities to ensure that the best commercial opportunities are selected.

A structured NAI process allows for human and economic resources to be allocated to the opportunities that deliver the highest value.

Examples of new commercial activities that fall under the NAI framework:

Commodities

Instruments

Geography

Exchange

Activity set/process or system requirements

The NAI process determines:

Operational impact

Economics

Risk

Compliance with relevant regulatory, legal and tax requirements

13

NAI process (cont.)

• All functional groups are required to opine and assign a risk rating on the specific incremental risks to their area arising from the new activity.

• Risk rating values:

No material issues or risks incremental to core business

Material issues or risks, which can be mitigated or resolved

Material issues or risks, with no mitigation or resolution identified

Recommendation to not proceed, based on area of functional expertise (e.g., high probability, high impact, no control by project team, risks are unacceptable, alternative approach is necessary)

• This rating system enables the commercial sponsor and the decision maker to focus on highest risk items.

New activity integration processSample risk radar

Accounting

& Reporting

Compliance

Credit Risk

GIAAP

HSSE

Internal Control

IT&S

Legal

Market Risk

Operational

Risk

Operations

Product

Control

Regulatory

Tax &

Indirect Tax

Trade

Completion

Treasury

14

15

Enterprise risk management (ERM)

Includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress.

By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

How does it work?

Identification: Strategic, operational and financial risks that can potentially impact profitability and the firm’s reputation.

Assessment: A look at the likelihood that a risk could happen and the impact of that risk, should it happen.

Response: Develop an appropriate risk response which includes: (1) risk acceptance; or (2) risk mitigation.

Monitoring and control: Risk Managers, in partnership with Risk Owners, work to monitor the firm’s enterprise risks on an ongoing basis, and further embed the management/monitoring of these risks into each impacted business unit and the relevant governance meetings and committees.

16

Key Risk Indicators

Reportable metrics (e.g., late/amended/cancelled deal entry data, trends)

Risk indicators, not performance indicators

Forward-looking but not predictive

Thresholds need to be established

Support qualitative risk assessments and align to areas of risk (related to processes, people, systems)

Highlight areas of growing concern to management

One KRI alone may not trigger a concern, but a combination of KRI signals may (e.g., new activity growth coupled with high staff turnover in key areas could be a sign of workload pressure due to resource constraints)

Process Reviews – Strategic and Tactical

17

Periodic, risk-based reviews of critical business activities with the objective of decomposing a given activity into its constituent operational risk elements (people, processes, systems and external events).

Once this activity decomposition is completed, the inventory of controls deployed to manage the operational risk elements is compiled.

The relative effectiveness of each control is assessed, and an overall gap profile is developed.

Alternatives to closing each gap with business impact profiles are reviewed, and the alternative which reduces the residual operational risk exposure below the acceptable threshold is implemented.

18

Enterprise risks confronting the industry

Strategic

Operational

Regulatory

Insurable

Financial (market and credit)

Environmental

Strategic risk

19

The risk associated with future business plans and strategies, including plans for entering new business lines, expanding existing services through mergers and acquisitions, enhancing infrastructure, etc.

Examples1. E&P firms are confronted with increased operating costs and higher operational risk

profiles to extract reserves due to the relative inaccessibility of marginal supply (e.g., Canadian Oil Sands, Deepwater, Arctic).

2. All energy firms are confronted with potential lower margins due to increasing trends in operating costs (e.g., technology, taxes, labor).

3. Any firm that is an end-user of commodity products is confronted with increased feedstock costs when supply shocks occur due to political and civil unrest in resource-rich countries (e.g., Middle East), or disruptions caused by terrorist attacks on transportation infrastructure, etc.

4. Electric utilities are confronted with the potential loss of revenue from industrial and retail customers due to technological advancements allowing the deployment of more cost effective distributed generation (e.g., small industrial firm installs an onsite natural gas generator).

Operational risk

20

The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Examples

1. Energy firms are confronted with:

A decreased range of investment opportunities and ability to compete in the market for profitable projects due to declines in the number of students majoring in engineering, mathematics, and the hard sciences. Also, the imminent retirement of experienced engineers and other professionals over the next 5-10 years without suitably trained replacements.

Potential legal fines and data management/data remediation costs resulting from increased frequency of security breaches and cyber threats.

Potentially increased disability and workers compensation claims due to improperly designed workstations and inadequate control-of-work procedures.

2. Pipelines companies, electric utilities, and nuclear plant owners are confronted with increased maintenance costs and increased likelihood of catastrophic failure due to the aging of the energy infrastructure in the U.S.

Regulatory risk

21

The risk that a change in laws and regulations will materially impact a security, business, sector or market. A change in laws or regulations made by the government or a regulatory body can increase the costs of operating a business, reduce the attractiveness of investment and/or change the competitive landscape.

Examples

1. All firms in the energy supply chain are confronted with a reduced commercial opportunity set due to uncertainty in the direction of U.S. energy policy.

2. Exploration and Production firms are confronted with increased operating costs and potential legal fines due to more stringent regulation imposed on natural gas fracturing activities.

3. Trading firms are confronted with increased technology and labor costs to assure compliance with Dodd-Frank and related regulation that impact trading firms.

Insurable risk

22

A risk that meets the ideal criteria for efficient insurance. The concept underlies nearly all insurance decisions. To be insurable, several things must be true:

The insurer must be able to charge a premium high enough to cover not only claims expenses, but also to cover the insurer's expenses. In other words, the risk cannot be catastrophic, or so large that no insurer could hope to pay for the loss.

The nature of the loss must be definite and financially measurable. That is, there should not be room for argument as to whether or not payment is due, nor as to what amount the payment should be.

The loss should be random in nature, else the insured may engage in adverse selection (anti-selection).

Examples

1. An electric utility suffers a loss of revenue due to a flood knocking out several generators at a power plant (business interruption).

2. A manufacturer of electric turbines has to pay product liability claims when several of its turbines fail to operate within specified parameters due to metal fatigue.

3. A refiner suffers property damage and loss of revenue when a hurricane knocks one of its plant out of commission for several weeks.

Financial risk: Market

23

The risk that the value of a portfolio, either an investment portfolio or a trading portfolio,will decrease due to the change in value of the market risk factors. The four standard market riskfactors are stock prices, interest rates, foreign exchange rates, and commodity prices.

Examples

1. Refiners are confronted with increased feedstock costs and less cash flow certainty due to increased price levels and volatility in crude oil supplies.

2. Retailers are confronted with increased delivered prices of consumer goods due to the increased price of gasoline and other refined products that are used as transportation fuels.

3. Any energy firm that makes use of floating-rate debt financing is confronted with increased interest service costs and less cash flow certainty in an increasing interest environment.

Financial risk: Credit

24

The risk of loss when a counterparty fails to meet a payment obligation, or the risk associated with any single exposure or group of exposures with the potential to produce large enough losses to threaten the firm’s operations, or the risk of loss arising when a sovereign state freezes foreign currency payments (transfer/conversion risk), or when it defaults on its obligations (sovereign risk).

Examples

1. A trading firm suffers the loss of outstanding A/R amounts and unrealized forward MTM when a counterparty defaults.

2. A pension plan suffers a loss on capital invested in bonds issued by a solar panel manufacturer when that firm becomes insolvent.

3. An airline suffers a loss of unrealized forward MTM when an OTC counterparty with whom it had financial hedges against increasing jet fuel prices defaults.

Environmental risk

25

A variety of risks resulting from an organization’s activities, including release of toxic materials and other waste products into the environment, resource depletion, and adverse impact on the climate.

Examples

1. Electric utilities are confronted with lower expected returns and higher CAPEX costs due to caps on Greenhouse Gas emissions (GHG).

2. Refiners and nuclear plant owners are confronted with remediation and clean-up costs when closing or selling technologically obsolete assets.

3. Nuclear plant owners are confronted with catastrophic failure of spent fuel rod containment facilities and subsequent release of radioactivity into the atmosphere due to natural disasters.