From chatbots to credit underwriting to stock market predictions, there is no shortage of use cases of machine learning in banking.
Despite the fact that risk management has always been at the top of banks’ agenda, many processes are still plagued with inefficiencies that are continuously draining bank resources. In this article, Andrey Koptelov discusses how banks can apply machine learning to streamline regulatory risk management and advance their fraud detection methods.
In the banking context, risk management and regulatory compliance are closely aligned. Banking employees have to manually monitor updates of thousands of regulatory documents, which involves visiting the websites of regulatory authorities and sifting through countless policy documents. This process is not only extremely resource-intensive but also error-prone and overall ineffective.
Machine learning can be used to automate a major part of the regulatory change management process. For example, Compliance.ai, a Silicon Valley startup founded in 2016, provides an ML-driven platform that helps banks keep up with regulatory changes. Using NLP and machine learning, the Compliance.ai platform automatically sources all relevant regulatory content from financial authorities, whitepapers, and news media. Importantly, when significant regulatory changes have taken place, the tool immediately alerts compliance officers.
Bank of Marin, a commercial bank that primarily operates in the Bay Area and has over $2 billion in assets, turned to Compliance.ai to streamline its regulatory change management processes. Now Bank of Marin employees have access to all relevant regulatory content in one place, which significantly simplifies regulatory change management. As reported by Compliance.ai, the Bank of Marin got returns on its investments in a short time by decreasing the number of resources for compliance.
After the 2008 financial market crash, financial authorities substantially strengthened reporting requirements to ensure that banks can withstand significant economic downturns. This is why financial institutions need to routinely define and report their solvency to stay compliant, and banks with $50 billion or more in assets have to have their risk management teams conduct stress tests.
While undoubtedly important, these risk assessment processes often require hundreds of field experts and an inordinate number of hours to complete. Moreover, finding relationships between various economic variables and banks’ performance is an increasingly complex and resource-intensive task.
Machine learning can help compliance experts identify exactly which combinations of values can cause risks, increasing reporting accuracy and decreasing the time it takes to complete these tests. This is exactly why Citi, one of the world's largest financial institutions, which operates in 98 countries, joined forces with Symphony AyasdiAI to develop an ML-driven risk forecasting model.
Prior to machine learning adoption, Citi had a hard time passing the annual Comprehensive Capital Analysis and Review (CCAR) conducted by the US Federal Reserve. CCAR requires a bank to submit its annual capital plans to the Fed to prove the bank's ability to deal with a severe economic shock. Given the sheer number of economic variables at hand, Citi’s increasingly manual modelling approach took too long to complete, leaving business leads little time to understand the logic behind the models. As a result, Citi couldn't confidently defend its models in an annual submission to the Fed.
To create an accurate revenue forecast model, Ayasdi started with enriching the macroeconomic variables stipulated by the Federal Reserve. Then, Ayasdi used its proprietary machine-learning software to reveal how exactly these variables impact the revenues of each business unit. This allowed the company to define which unit-specific variables have the most impact on revenues. The detected variables were then used to create a custom ML-powered model that can accurately predict business units’ revenues under stressful economic conditions. As a result, Citi has managed to make this compliance process three times faster and less resource-consuming.
Since the beginning of banking, fraud in its various shapes and forms has always been a persistent problem for many financial institutions. While many banks use sophisticated fraud detection systems, the rule-based nature of these solutions leads to a high probability of false positives. Importantly, fraudsters also keep innovating, which makes banks’ fraud detection systems grow obsolete.
Machine learning models, on the other hand, can learn and evolve together with the fraudsters. In very simple terms, a machine learning model can detect unfamiliar deviations from the normal pattern, notify the human employee about it, and, based on human feedback, learn if this kind of deviation is the new acceptable pattern or a case of fraud.
Just a few months ago, IBM launched a new-generation mainframe that allows financial institutions to conduct fraud analysis of 100% of their transactions in real time. By comparison, around 10% of transactions could go through an AI-based fraud detection engine. In a nutshell, this means that banks that use the z16 mainframe can significantly reduce the number of false positives and increase customer satisfaction.
Risk management is a natural playground for machine learning. With the amount of data that banks have accumulated in the past decades, it’s only right to use the technology for its analysis. Machine learning models can drastically increase the accuracy of forecasts, decrease operational costs, and make risk management more effective overall.
These shifts have prompted investors in key markets – Europe, the US, UK and Australia, among others – to ask questions of the companies in which they invest and the firms that manage those investment activities. Throw in high levels of liquidity (albeit impacted by recent tightening in monetary policy) and discretion on the part of these investors, and a high-pressure, competitive environment is created for corporates and investment managers to operate in.
Add to this a regulatory domain that is seeking to keep up with rapidly changing requirements – and the potential risks it presents – and the complexity of the operating environment increases even more. This is all before you consider the complications that current geopolitical tensions bring for all these stakeholders.
Participants in this system tend to move at different speeds, and the divergence in these timelines creates great tension as a result. Large, public companies need time to contemplate questions around sustainability and resilience, to allocate the necessary resources to drive those strategic choices, while also remaining profitable. Regulators also need time to consult the industry, draft and deliver policy and then implement.
In parallel, investors act with discretion to promptly reallocate capital to companies and fund managers that match their current investment goals. By extension, fund managers and advisers need to move at pace to compete with their rivals in attracting these funds, often by creating and promoting new products that seemingly match the investment mood of the day.
Short-term fixes, however, do not always align with long-term planning. The regulatory environment and associated reporting requirements are playing catch up with new demands; and while ESG vocabulary remains open to definition, and therefore interpretation, companies and fund managers will remain under pressure to protect their existing investor base or attract new clients. “Greenwashing” is but one early symptom of this gap and, therefore, enforcement agencies must respond.
This is not a new or unique trend. The Foreign Corrupt Practices Act in the late 1990s – a law originally passed in 1977 – was prompted by a period of global economic growth and feelings of an uneven playing field in terms of business practices. The Act, when it was enforced by the SEC and DOJ, sparked an overhaul of the anti-corruption and anti-bribery landscape. Overnight, behaviours that had previously been deemed appropriate were forced to change as the role and size of legal and compliance functions were given more resources.
In a similar vein, the global financial crisis of 2008 exposed practices that had been disguised by economic growth, and several infamous Ponzi schemes became emblematic of that era’s excesses. Those fraud cases, in conjunction with important global security incidents, provoked a seismic change and strengthening of anti-money-laundering and terrorism financing rules and standards, with Know Your Customer (KYC) checks taking on new meaning.
These periods, where favourable economic conditions ebb and/or regulatory agencies catch up with new trends or products, suggest that ESG-related litigation and enforcement risks will rise for companies and fund managers alike, regardless of whether it was a marketing misstep, confusion over new and evolving reporting requirements or deliberate slanting of data and evidence to lead an audience to a false conclusion.
Learning from history, it is important that we resolve the common pull felt between fear of missing out (FOMO) and risk management. Executives that give sales teams an objective to grow, to secure market share, to aggressively pursue profits will always run the risk of people evading or bending the rules – especially if those rules are vague and their enforcers are seen to be catching up. But recent developments from regulators in the US, Europe and the UK surrounding greenwashing, climate-related disclosures, transparency, due diligence, accountability – among many others – all reflect the direction of travel.
Today’s operating environment is complex, to say the least. However, for as long as compliance and risk management are perceived as constraints to innovation and growth, their potential as enablers of sustainability and resilience may not be realised.
The debate over ESG will continue for some time while we determine what it represents, how it is measured and how related activities are enforced. It should not distract, however, from certain fundamentals. Sustainable, resilient, profitable companies consider risk in its entirety – not just the ESG subset – and on a continual basis.
They determine their risk appetite and design structures that align with that threshold. Their policies and procedures provide parameters for their employees to operate within and safeguards for the organisation. And they regularly and routinely review their risk exposure to ensure they adapt to changing market conditions.
Robust risk management may not be the most exhilarating of topics, but it should make for a compelling story to investors, an endorsement of a company’s values – key to employee retention – and, ultimately, a good night’s sleep for company leadership.
Kelly-Ann has 13 years of experience in the compliance & risk management industry including both as a practitioner and as a solution provider.
MyComplianceOffice is the leading provider of Conduct Risk Solutions to the financial services sector, with a focus on Conflicts of Interest challenges, the ability to identify, detect, and prevent misconduct and ensure adequate controls in mitigating these risks.
Why is creating a strong culture of compliance mandatory for financial services firms?
Creating a culture where regulatory obligations and ethics are embraced should be the foundation of any firm, regulatory or otherwise. But over the years, we have seen that banks may pay more than $200 billion in fines since the financial crisis (and that number is growing!), which shows there is still more work to be done. These years of continuous failures in large and small firms to follow regulatory best practices and, worse, to put their own self-interest above the interests of their own clients and the public lead to a lack of trust in the market. Thus, embedding an appropriate culture of compliance from the top-down, bottom and across the middle is more than just a mandatory requirement, but it is an expected behaviour across firms.
What are your key tips for successful compliance and conduct risk management for financial services companies?
As I’ve mentioned, creating a culture of compliance is everyone’s responsibility within a firm, and that must start with some basics, as well as enforcing behaviour along the way. There are three key areas I see as assisting to embed the culture of compliance:
What are the benefits of having a centralised compliance management platform?
Disparate solutions for managing employee compliance, in particular, mean there isn’t a consistent way for your employees to interact with compliance, yet for compliance officers, it means a ‘swivel-chair’ compliance function, reducing the time to act on potential areas of concern. By using a solution like MyComplianceOffice you are enabling conflicts of interest to be detected when they occur, rather than days or weeks after the potential conflict arose. For example, if your firm is looking to conduct research on a particular business entity, which is listed in Europe, you have employees who hold stock in a subsidiary of this firm, and your company has also provided a lot of gifts to this firm, if you didn’t have a consolidated system, you would have to check at least four systems to determine if there are any potential conflicts, whereas with an integrated solution, the clearance conflict check on this business entity should identify the conflict immediately. That is the type of benefit a centralised solution can provide to front office and compliance teams.
What role does technology play in creating a culture of compliance?
Technology can be implemented in many areas of the compliance value chain, and all of these areas are important to instilling a culture of compliance:
Solutions like MyComplianceOffice can be used to both distribute and enforce the completion of such activity, you are assisting in creating the appropriate culture.
What are the advantages of MyComplianceOffice’s compliance management platform?
MyComplianceOffice’s single integrated solution provides an easy Software as a Service (SaaS) platform for small and large firms to get started in embedding an integrated compliance management solution. Our software can assist firms with all aspects of Employee Compliance, Third-Party Risk as well as Firm Trade Surveillance to provide near real-time conflict checking across multiple data elements. Our solution uses integrated third-party company and security data to allow firms to quickly identify conflicts across all elements of their business.
What problems does technology like MyComplianceOffice solve for its customers?
MCO’s customers range from as small as 10 staff through to 100,000 and as such the breadth of challenges these firms face can be varied. However, at its core, our customers are challenged with the ability to provide timely, auditable and adequate information to regulators. A traditionally paper-based workflow becomes difficult to keep up with as your firm grows; some of our smaller firms have found that moving to technology has repurposed a compliance officer onto more productive activities. Some of our larger firms are challenged with disparate information in multiple different systems, which means traditionally slow turnaround time in clearing conflicts so front office teams can in fact do the needful and conduct their business. By moving to a single integrated solution where Deal Transaction Conflicts, Firm Trading and Employee Conflicts are managed in one solution, this time is significantly reduced.
So, how can you determine the right amount of money to spend on risk management? The answer isn’t a simple numerical value or percentage, but rather a process of thinking that allows you to better grasp the potential risks of the business as a whole.
Asking preliminary questions to frame thinking is the best place to start when making a determination. By considering the key questions below, and reviewing the risks of each area of the business in isolation, you can perceive the bigger picture of potential risks.
Once these questions are answered, take time to dig deeper and examine how security needs vary throughout the company. It is the risk manager’s responsibility to identify these considerations for the CFO to review, but many managers have difficulty articulating and quantifying returns. This is because risk management projects often don’t have end dates or set metrics to report. Working together and communicating is key to understanding the security risks of the company.
Ask Vital Questions
Mitigating risks and interpreting results are equally important. Keeping costs in line starts with asking the right questions from the very beginning. It’s hard to follow a budget if it ignores essential expenditures that could easily be identified by proper analysis of the risk management program. Asking vital questions about real dollars and business impacts will help to calculate actual costs and anticipated returns from planned projects.
Risks are constantly shifting and changing with business needs and practices. An effective risk management strategy accounts for this need for flexibility. The bottom line is that risk is hard to predict, making it crucial to continuously improve the process.
Create a Comprehensive Plan
Deciding the dollar amount to spend on risk may seem like a guessing game, but breaking it down into categories establishes a clearer picture of where the highest potential risks are. A risk management budget may be broken down differently depending on the needs of the business, but it’s beneficial to first divide it based on technical needs, compliance policies and procedures, and products necessary to run effectively.
Once this basic guideline has been established, more specific expenditures can be laid out. Any good risk management budget leaves room for regular monitoring and constant correction. The spending should be adjusted consistently to account for changing levels of risk exposure.
Reference Points are Beneficial—But Only as Framework
As a result of the immense uncertainty surrounding risk management, it’s understandable that many CFOs use benchmarks to compare their spending to others in their industry. This gives CFOs the framework they need to prevent the company from falling behind competitors or overlooking security risks that could easily be averted. While these reports can be helpful in getting a general idea of larger industry trends, they don’t provide sufficient information to create a plan unique to an individual business.
As reported by CIO.com’s 2019 State of the CIO survey, nearly one-quarter of organisations (23%) are allotting 20% or more of their IT budget to risk management and security measures. This report surveyed 683 executives across a variety of industries and breaks down how this budget is typically spent. The findings suggest that the majority of the budget is spent keeping up with industry best practices (74%), followed by compliance mandates (69%), responding to a security incident that happened to the organisation (35%), mandates from the board of directors (33%), and responding to a security incident that happened to another organisation (29%).
Assessing industry reports can provide insight into how other companies are addressing their security risks, but basing numbers entirely off of industry averages is not an adequate method. CFOs must be aware of how their company may differ due to specific circumstances or goals. Many companies must abide by other factors such as regulatory requirements, customer expectations, and demands of partners.
While it’s important to have a holistic budget that includes every area of potential risk, spending too much on risk management can do little to actually impact risk exposure. It’s crucial that companies identify the defining amount where additional money isn’t justifiable for reducing risk. This point, where investing more yields minimal results, can be difficult to determine for risk management. It’s impossible to know if a specific risk might be avoided one year but arise next year or in the following years. Not accounting for a specific risk is a costly mistake for any business. Rolling the dice and hoping that something is avoided isn’t a long-term strategy for risk management. Both under-budgeting and over-budgeting for risk can be detrimental. Finding a balance by preparing for the worst while also being careful not to overspend on unlikely scenarios is the best approach to feeling confident in your risk management strategy.
The repercussions of loose risk management include fraud, commercial default, bankruptcy, operational error, and financial penalties stemming from a weak compliance environment, to name just a few.
Risk management in the asset-based lending area is a constantly evolving discipline, says Kevin Day, CEO of HPD Software. There are many and varied views as to what constitutes best practice to minimise losses. Key areas worth investing in include the best technology; ensuring cybersecurity systems are up-to-date; constantly monitoring data flows and credit risk while recognising that different aspects of risk management take priority in different countries and jurisdictions. One of the biggest risks of all is people, so ensuring education and skills development plays a central role is just as important as bolstering technological protection.
The sheer range of risks is daunting. They include buyer credit risk – the risk that the buyer won’t pay due to financial inability; supplier fraud risk – the risk that the PO or invoice presented to the lender for financing may be fake or duplicative or may have been altered; receivable title risk – the risk that the supplier may have already assigned or pledged the receivable to another financial institution; and receivable transfer risk – the risk that applicable law may not allow the lender to take good and marketable title to the receivable.
Another risk lenders must deal with is understanding whether the buyer can settle the invoice fully and on time. Non-performance on the part of the supplier leads to commercial disputes – the risk that the buyer may claim that the goods or services provided by the supplier did not satisfy the requirements of the PO and refuse to pay (legitimately or otherwise). Another common issue is dilution risk – the risk that the buyer will not pay the full amount of the invoice. This may be due to credit notes issued to resolve commercial disputes, not necessarily related to the supplier’s performance in connection with the transaction at hand, or discounts taken for early settlement, volume purchases, loyalty programmes etc. There are payment risks too, such as payment delay risk – the risk that the buyer won’t pay in a timely fashion; and payment direction risk – the risk that the buyer will make the payment to the supplier or some other party instead of the lender.
Invest in the best technology
Today the starting point of any effective risk management is technology. Financial institutions need to implement systems that can detect deteriorating profiles or fraudulent client activity significantly earlier than manual processes to mitigate potential losses. Gathering daily risk metrics to track trends and changes as they occur is ideal as it allows risk managers to constantly monitor client risk and instantly detect adverse trends. This also helps lenders to take a risk-based approach to portfolio management and target the ‘highest risk’ clients, so that users can manage larger portfolios and dedicate resources to the highest risk clients. Best practice is to centralise all information, giving lenders a single view of risk across the business. This helps lenders gain efficiencies and eliminate manual processes, freeing up time for value add tasks and increased customer engagement.
Our own HPD Lendscape platform offers such capabilities, allowing automation and streamlining of your data capture requirements so you can deliver a fast, hands-free funding product to your customers and real-time risk management information to your operational team. It also offers analytics and insight reporting via a smart dashboard for informed business finance management.
Cybersecurity is a key element of risk management
Cybersecurity is one of the key areas that any financial institution involved in asset-based lending needs to address. It is critical that a provider secures its data sources, with proper measures in place, including password protection, data encryption and secure communication channels. Lenders must prevent the ABF accounts of their SME borrowers from being hacked and information from being stolen, which criminals could use to fraudulently request that further funds from lenders be sent to their own accounts.
Asset-based lenders and providers also need to constantly evaluate the safety of the environment of the outside company, as well as consider how they interface with the back-ups and safety systems they install. Smart secured lenders use multi-factor authentication for access to key information and are evaluating cybersecurity risk at all phases of the due diligence process, including evaluating client practices as a part of underwriting and field exams.
Investment in monitoring
Being able to accurately monitor, assess and analyse the streams of data that banks receive from their asset-based lending and factoring clients is another key area for risk management. Data on drawdowns on facilities, changing credit quality of the business, slowdown in receivables and other business-critical factors can provide excellent insight into any potential fraudulent activity while also assessing any financial pressures or stress faced by the borrower.
Investigative operating cycles, collateral assessment and market monitoring will ensure a level of vigilance, helping a provider to profile their asset-based lending clients. Providing a streamlined, intuitive interface onto which a provider can visualise their borrower’s accounting activity, including accounts receivables and invoicing, can alert a provider to any adverse activity and market performance, enhancing their ability to assess risk. A well-structured, properly underwritten facility will help providers recognise, assess and mitigate risks unique to asset-based lending.
Good-quality source data also helps to ensure that any machine learning or AI techniques used to analyse and associate patterns of behaviour in diverse data sets support data-driven decision making that is as effective as possible, based on new knowledge and understanding.
Recognising regional priorities
It is not only market operations that need to be considered when it comes to managing risk for asset-based lenders. For those who operate across continents, it is important to understand the risk management culture in the markets to which they are looking to expand. For example, a recent report by the Institute of International Finance found that in the Asia-Pacific region, asset-based lenders are primarily concerned with business model viability, while African and Middle-Eastern regions are more concerned about third-party failures and ransomware, and North American providers place more importance on protecting a firm’s reputation. Ultimately, it is how financial institutions streamline these different priorities into one functional hub that will determine the success of lenders, where cross-industry, cross-border considerations can be centralised to provide accurate, monitored forecasting and data visualisations.
Risk management can never deliver a completely risk-free environment in today’s very fast-moving and interconnected markets. However, implementing the above initiatives will ensure that it is as effective as possible for the benefit of the financial institution involved and also its asset-based lending and factoring corporate clients.
Strategic risk management has long been lauded within businesses both large and small as a key contributor to successfully achieving business objectives. However, communication between risk teams and a business can often be lost in translation. Richard Pike, Founder and CEO, Governor Software, argues that in order to link risks to objectives, businesses must transition from a risk register to a network view. This approach not only allows organisations to visualise the interconnectedness of risks but also provides the associated context in a clearly recorded and digestible fashion.
Regardless of industry, there is a significant focus on risk management as a core part of a well-run regulated entity, with risks generally separated into categories that are dealt with depending upon the approaches to their measurement, monitoring and management.
However, the creation of lists of risks (often termed risk registers) has traditionally led to core business functions not taking full responsibility for their risk exposure or the risk function’s work not aligning with the business functions. For example, when the risk function is used for gathering risk information and reporting it to senior stakeholders and regulators, the risk information often becomes divorced from business information – exacerbating the issue.
With regulatory pressure unrelenting, particularly in the financial services industry, there is a clear need for all levels of a business to understand the risks they are running in order to clearly communicate these risks, and their status, to stakeholders including the three lines of defence, regulators, senior management and investors.
In order to mitigate this problem, a number of institutions have taken to linking the business objectives of the firm to its risks. This serves not only to anchor the risks within the business lines but also make them more relevant.
How it works today
The current practice of risk teams providing lists of risks to management for their review has some major faults and recognising these is a precursor to usefully linking risks to business objectives.
Firstly, modern business is complex and interconnected; the higher up the organisation the more interconnected things become, with risks often being combined and having multiple different outcomes. For example, the risk associated with internal fraud can be categorised as a compliance risk and also as an operational risk.
Secondly, and particularly evident in non-financial risks, is the hierarchy and aggregation effect that a simple list does not communicate. Why is a particular risk important to my business? So what? These are regular questions that result from a senior executive reviewing a risk register. While one solution is to add context - setting out how a risk might arise and how it might impact the business - this can quickly result in information overload.
Finally, within a standard risk register, it is often difficult to assign ownership and responsibility. This can result in either no ownership being attributed or defaulting to a second line resource, which could leave an organisation exposed.
From risk register to network
In order to prepare a firm to link risks to objectives, it needs to transition from a risk register to a network. This allows for the interconnectedness and context associated with risks to be recorded and communicated as a network.
The benefit of a network is that it can handle multiple connections between items, while the items can still be easily separated (into different levels or categories) and retain their connectivity. Other object types can also be added to the network to incorporate context where necessary (e.g. policies and regulations).
In addition, when risk teams communicate risks within a network environment it stimulates conversations and challenges people to explore the linkages and interdependencies.
Linking risks to business objectives
As useful as a network of risks is, it is not directly related to the business. In order to make risk discussions more relevant it is important to anchor the risk network to key dimensions within the business.
While there are a number of dimensions that a firm could use (organisation units, processes, legal entities and policies, for example), it is becoming clear that linking to business objectives is the most beneficial, as modern businesses are increasingly organising themselves using this method. Indeed, as the link between strategic objectives and risks is realised at the top of an organisation, it makes sense to continue that process throughout the firm.
As objectives cascade down a company, it is possible for risk teams to sit with individual managers to understand those objectives and glean the risks that most affect the achievement of them. In cases where managers are also utilising Critical Success Factors, it will also be possible to drive out the risks to those.
The second part of the process is to understand and document the control environment in light of the new linkages. This new perspective will better identify key controls and those controls that provide little or no value regarding the achievement of objectives.
Once the set of risks is linked to objectives, it is vital to report progress using Key Risk Indicators against those same objectives. If you consider the accounting world, all managers expect to get a report of accounts on a regular basis, so they can understand their financial performance. The same should be available in the ‘objectives and risks’ world. A clear set of reports from the risk team of the main risks to a set of objectives will help a manager to control those risks and increase their ability to achieve objectives.
As risk teams work with managers to link risks to objectives, it will become clear that risks fall into three separate buckets: internal, transactional and contextual. The reason that these categories emerge is that managers are focused on what they can control or influence in order to achieve their objectives. These categories clearly differentiate risks by the way they may be controlled (or not) and so add real value to the managers involved.
Benefits of linking risks to business objectives
When the exercise is completed across the entire organisation, the result will be a network of risks tied to the relevant objectives.
Each manager will clearly understand the risks inherent to their objectives and be clear on where responsibility for managing those risks lies. They will have explicitly called out the assumptions about their contextual environment that are baked into their objectives and the firm will have a better understanding of all those externalities that are implicit in their entire business plan.
Within this environment, it is possible for risk teams to present reports on items such as loss events and control test results in the context of those risks and objectives, making them very relevant to business managers and senior managers alike.
In turn, individual teams within the company will better understand how they inter-relate and this should result in improved communications throughout the firm.
Regulatory and board pressures along with emerging business standards mean now is the opportune time to embed a risk network within the business objectives of a firm. The long-term aim should be that risk reporting and management become normal practice throughout the firm, akin to financial management and reporting.
Indeed, the exercise of understanding the risks that relate to a team’s objectives has extra benefits over and above providing context for risk reporting. It greatly enhances a manager’s understanding of their relationships to internal and external parties and will make it more likely that they will achieve their objectives; which is good for the manager, team and overall firm.
Ultimately, the more relevant risk teams can make their work, the more likely they are to both enhance the risk management activities across a firm and achieve their own objectives.
To hear about Employee Benefits in the US, Finance Monthly reached out to Tiffany Kapp, Managing Partner at Custom Business Solutions (CBS), a Professional Employer Organisation (PEO) located in Southern West Virginia.
Tell us about the services that CBS and other PEOs offer.
Professional Employer Organisations typically provide services that help streamline essential administrative business functions, so our clients can focus on being successful and profitable.
As a PEO, CBS can pool all our clients’ employees into one large group and in return, we can then offer large group rates. We administer the employee benefits and relieve the employer of the burden of open enrolment, reconciliation and termination of benefits.
CBS enables clients to cost-effectively outsource the management of human resources, employee benefits, payroll, workers’ compensation, risk management, safety management, training and development.
What are the minimum legal requirements regarding employee benefit plans in West Virginia?
A small group can be as little as two employees. However, the small group rates are based on age and tobacco use. Joining a PEO allows a small group to be pulled into a large group with blended rates.
Could you talk us through recent legislative changes in the Professional Employer Organisation landscape?
The Small Business Efficiency Act of 2014 required the IRS to establish a certification program for PEOs. This act affects the employment tax liabilities of both the PEO and its customers and is something that gives structure to the PEO industry. CBS is currently in the process of becoming certified through the IRS.
What is some statistical evidence that you can provide on the benefits of using a PEO?
The PEO Industry has grown significantly over the past 30 years. According to a recent study noted by economists Laurie Bassi and Dan McMurrer, a business that uses a PEO has 10 to 14% lower employee turnover, grows 7 to 9% faster and is 50% less likely to go out of business.
In the last few years we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. According to Tom Turner, CEO at BitSight, there is a growing need for more effective risk management firms in the financial services sector.
One of the biggest reported attacks against financial organisations occurred in early 2016, when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. The Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.
The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.
With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.
The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.
In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.
In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.
Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk, and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way you establish your organisation’s risk appetite.
To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance to transfer risk in the event of a cyber event.
Once the risk has been assessed, an approach for treatment of each risk must be defined. After assessment, some risks may require no action beyond continuous monitoring, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.
To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.
Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.
Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.
Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cyber security standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyberattack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third party vendor risk.
Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.
The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regards to risk and security, where they may not have been able to previously.
This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of market place, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.
GDPR requires every firm to classify, review and enhance controls around its third parties (ref: GDPR Chapter 4)
As the GDPR go-live date of 25th May 2018 looms, every CFO and their colleagues responsible for both risk management and third parties should be aware of the importance of third-party relationships. Articles within the GDPR set out the fundamental requirements for ‘Data Controllers’ - about the nature of external contracts, the ongoing relationships with third-party ‘Data Processors’ and governing and managing those relationships effectively. Compliance around personal data is currently ‘centre stage’, but GDPR provides an opportunity for a firm to improve the way in which its relationships with all third parties are managed and controlled, to derive wider value and business improvement.
The impact on business reputation from effective third-party management
Most business sectors rely upon a complex network of interrelationships and interconnected processing - the so-called ‘extended enterprise’, or ‘business ecosystem’. Within such models, trust becomes a key issue. Dealing with an external partner or supplier means there is an implicit exchange of trust, and in doing so, you commit to trust the other party with your own, valued, business reputation. Any firm can transfer some responsibility to handle, protect and process personal data correctly, in line with an agreement between the parties. But it cannot transfer the accountability. This is recognised within GDPR, and also the impending, new UK Data Protection Bill.
That some unfortunate incident will arise somewhere within the web of business relationships around your own firm is increasingly probable. Through GDPR, the general public is becoming more informed and increasingly concerned about privacy. Anyone potentially impacted by any incident involving personal data, plus also the wider ‘court of public opinion’, will seek answers to fundamental questions, e.g. should the firm have considered the possibility of such an issue arising? Could the firm have done more to mitigate the issue? This becomes more complex when third parties are involved in the business value chain.
The Information Commissioner’s Office (ICO), who may suddenly be alerted to your existence, would start any enquiries with such fundamental questions. If you struggled to meet the ICO’s expectations about senior management being accountable for understanding, and being assured about how personal data is processed and managed, including by any appointed third parties, doubtless you would be on the back foot.
As any breach involving personal data manifests, unfolds and becomes public, it is highly probable that your business reputation will be impacted in some way. Typically, significant management time will then be required to attempt to rebuild that reputation, with consequent impact on the bottom line.
Organising and prioritising GDPR work on third parties
Driven by GDPR, your corporate inbox may reflect letters from various third-party suppliers, often including proposed changes to contractual terms. A piecemeal approach to responding is unlikely to be sensible or efficient. As a minimum, the CFO, or fellow responsible executive, should lay down three very straightforward challenges:
1. Do we have an up-to-date inventory of all contracts and agreements with our third parties?
2. Do we have a process to classify our third parties, from a personal data processing and GDPR perspective?
3. Have we determined how much management effort will be required to manage and/or remediate the position, and what should we prioritise?
The challenge is usually far larger than initially expected, i.e. there may be third-party relationships managed disparately across the firm, some with no formal contract; little understanding about how you might classify those relationships for data protection purposes; or an over-ambitious estimate of the effort required to become compliant.
Identifying ‘processors’ and compliant contractual terms
The classification of each third-party relationship is vitally important. Fundamentally, not all a firm’s ‘third parties’ are Data Processors from a data protection perspective. For those relationships that involve personal data, many may actually be ‘controller to controller’. A few others may be in the ‘joint controller’ category.
Only the balance will be ‘controller to processor’, which then invokes the specific GDPR requirements on the management of, and assurance around, Data Processors. The ICO website provides useful guidance on the characteristics of the relationship to help determine this classification.
Although you should ideally be proactive in doing your own inventory and classification work, third parties writing to you should make it clear how they classify their relationship with you. You must verify this carefully. Some considerations here include: which party collects what type of personal data, according to what lawful basis; and which party(ies) is (/are) determining the purpose and how the personal data gets processed. Further detailed analysis is required in each specific case.
If you identify another party as a ‘processor’ of personal data, it is a key priority to ensure that a suitable, compliant contract exists. The predecessor to GDPR, the DPA 1998, set out two minimum contractual provisions: that a processor acts on the controller’s instructions, and that provisions are in place to implement security over personal data.
For GDPR, the ICO website includes guidance on a further six key provisions that now need to be reflected in contracts with third-party processors. This complex area has not been understood or applied well in practice, so this guidance is helpful.
Ongoing responsibilities regarding privacy, oversight & assessment
A working definition of third-party risk management is ‘the implementation of policies, strategies and processes to identify, assess, manage, and control risks presented by external third parties throughout the life cycle of relationships’, i.e. certainly not a one-off compliance exercise for GDPR, but an ongoing responsibility and an imperative for effective management, both of commercial outcomes and business reputation.
Crowe’s view is that three components are required for an effective third-party risk management approach that incorporates privacy risks. A comprehensive understanding of how personal data is handled across all business functions is a pre-requisite.
The firm’s privacy policies and notices should have been reviewed and be compliant for GDPR. But the privacy management approach should include a process to manage privacy risks across the supplier lifecycle. It should include: a classification of third parties, by third-party type and business risk; an appropriate privacy impact assessment if required; the standard and execution of privacy due diligence; the requirement for periodic assurance on privacy elements; and privacy-aligned contractual clauses to be incorporated.
For high-priority third parties, you need to be clear on how the control framework at the third party operates, including how they would respond to any incident involving personal data.
Firms benefit from implementing a holistic oversight and control framework around their third parties. Taking privacy as just one of the components, this framework should incorporate all aspects required to manage third parties, including all required policies and standards. It should also include a formal reporting process, covering issues to be managed and escalated.
Definition of expected minimum standards for third parties is key, e.g. IT processing – ongoing ISO 27001 certification; core business processing – ongoing evidence through SOC reports; and payment processing – ongoing PCI-DSS compliance. Clearly, the specific standards and required controls will vary by type of third party. The involvement of the Finance function in monitoring key control standards can be essential.
An effective management and governance approach for third parties requires a tiered assessment programme, using a risk-based, ‘triage’ concept for the nature and frequency of that assessment. The programme should reflect how those reviews and visits get executed e.g. questionnaire, third-party site visit etc.
When it’s done right, it’s never done
Effective management of third parties is complex. It has become a ‘core competence’ in many firms, and a competitive differentiator between firms. A holistic approach means delivering ongoing assurance around third parties, within a structured and risk-based framework. Getting it right can bring commercial returns, but can also help to protect the firm’s reputation - including where events or incidents arise.
GDPR brings new energy, which, although just focused on the personal data management imperative, can be helpful in highlighting that third-party risks have typically not been well managed to date. GDPR brings an ongoing responsibility for compliance, but also for firms to continue to implement effective governance, control and accountability over their network of third-party relationships.
Crowe Horwath LLP is a member of the Crowe Horwath International (CHI) network of accounting, tax, risk and performance management firms. Crowe has years of experience implementing regulatory and compliance changes and helping firms refine their approach to risk management. Justin Baxter is a Partner in the London office and together with Neil Adams, and Neil Mockett, they are leading the development with clients of practical and pragmatic approaches to the challenges presented by GDPR and third-party risk management.
"Industry research uncovered that nearly half of financial advisors are either at or approaching retirement over the coming decade. More than 200,000 new financial professionals are needed to replace these retiring financial advisors, financial analysts, and wealth managers, to take over their clients and retainers," quotes Texas A&M law professor William Byrnes from an industry report. William Byrnes is a pioneer of online legal education and one of America’s most influential wealth planning and tax authors, with his books selling 25,000 print copies annually with like amount of online readers. This month, Finance Monthly had the privilege to speak with him about initiating Wealth Management program at Texas A&M University School of Law.
Why did you initiate a wealth management graduate program?
Discussions with large financial institutions, Big 4 accounting partners, and AmLaw 250 attorneys led me to understand why they are not finding qualified graduates for management positions. Hiring partners have disclosed to me that the wealth industry does not need adversarial or controversy skills and that it does not find the ability to read appellate decisions particularly helpful for wealth advisory. Firms are seeking future leaders that demonstrate in the recruitment process practice ready skills, such as team collaboration to design and present innovative client solutions, a holistic approach to client advisory drawing upon many areas of research, such as industry, market, and legal, soft skills to develop and manage cradle-to-grave client relationships, ethics and judgement in addressing compliance and risk. Also, hiring partners are seeking employees with the ability to communicate in written form for clients and boards. I heard several comments about associates not being able to write well and requiring substantial non-billable time to fix mistakes.
What makes Texas A&M the right institution for this wealth management graduate program?
When Texas A&M University’s new law school approached me, I decided it was the right institution to solve the wealth industry’s skills expectation gap! Texas A&M University is ranked #4 among the elite public universities by Money Magazine, #4 among all elite universities by Washington Monthly, and #4 by US News for best value among national public universities. Sure, rankings are an important indication of quality.
But what really attracted me to Texas A&M is its focus on innovation. As Ernst & Young concluded after its Tax Insights magazine interview: ‘The State of Texas not only established a new law school at the university but also gave it carte blanche to create a new education model’. EY also found that ‘Texas A&M University is among the pioneers of change in tax education’ and tax considerations are a key factor in wealth management. Texas A&M is not living on its past accomplishments; Texas A&M innovates and instills the ability to innovate in its faculty and graduates.
What more can you tell us about the program?
Designed to build expertise for both lawyers and non-lawyers, the wealth management program takes a deep dive into the legal aspects of finance, regulation, risk, and compliance. Lawyers and non-lawyers immerse together with a deep dive into the intricacies of managing wealth and risk. After an extensive RFP process, we partnered with Ken Randall of iLaw, BarBri’s newly acquired academic developer partner group for two primary reasons. First, Ken served twenty years as Dean of Alabama, taking it to the 1st tier and maintaining 1st tier status partly by offering high-quality online education throughout the United States. Second, Ken has assembled an industry-leading executive team that offers flexibility, scalability, and cross pollination for the highest quality program development.
Courses have been designed in an asynchronous online format, allowing students to participate in multimedia enabled lectures and learning experiences on their own schedule, providing flexibility for the industry professional who must juggle clients, family, and academic obligations.
But our asynchronous format is neither talking head nor Netflix binge-watching. Each course’s development team strives to deliver an integrated learning experience and includes a Texas A&M subject matter expert partnered with an iLaw multimedia specialist and instructional designer. We’ve combined this state-of-the-art design with live online group interactions and campus events such as the annual financial planning career conference with its awards banquet and two days of financial institution career presentations. In addition, we seek monthly feedback from our pilot class to calibrate the courses and improve the program experience.
What is the profile of Texas A&M Law’s graduate wealth students?
The pilot cohort of 30 professionals is split evenly between lawyers and non-lawyers, each with a median professional experience of approximately 10 years, which is manageable for testing our courses and the back office administrative and tech support in a large public university environment with nearly 70,000 students. This coming year we will expand our diversity to include international professionals and gauge the effectiveness of our 24/7 support systems across global time zones and cultural variances. I envision selecting up to 60 diversely qualified candidates annually to maintain the prestige of this Aggie degree.
Texas A&M University School of Law launched its revolutionary online graduate curricula in Wealth Management and Risk Management in 2017. More information may be found at law.tamu.edu/distance-education/wealth-management
Howard Ebo is the Managing Partner of Commonwealth of Atlanta – a company that was formed to address the needs of individuals, executives and small to midsize companies (with revenues between 300K and 15M) that were underserved by larger financial institutions. Here Howard tells us more about the company, the services that it offers and the most common challenges that it is faced with.
Please tell me a little about the typical insurance matters Commonwealth of Atlanta deals with?
At Commonwealth of Atlanta we specialize in all types of risk management through insurance. Dependent on a client’s needs, we may recommend term life, universal life, variable universal life, whole life and/or disability income insurances for protection. We take a 21st century approach to addressing client and business needs by examining their entire financial picture and then helping them towards their unique goals. We provide solutions utilizing our strategic partners in advance planning, insurance concepts, and product partners to help solve for clients’ concerns, resulting in peace of mind. We specialize in four core areas:
In fact, we were recently featured in the Wall Street Journal, Atlanta Wealth Guide, which highlighted our 21st Century service oriented approach to servicing clients.
What would you say are the specific challenges of assisting clients with insurance?
Our 21st century approach to address business owners’ needs is remarkable. We strategize with our internal experts to provide advance planning concepts which help our clients view insurance as protection as well as an asset to their long term plans.
What strategies do you implement to minimize financial burdens in regards to insurance packages?
Our 21st century approach allows for flexibility and creativity when coming up with recommendations for clients. Our access to premiere advance planning experts allows us to bring our best collective thoughts and strategies to consider.
What are the particular challenges that insurers in the US have been facing over the past year in relation to changes in what customers expect in terms of products and services?
Consumers have been faced with a need to know more as they take on more financial responsibilities; some of which may have been covered or shared with an employer in the past. At Commonwealth of Atlanta we believe in educating our clients to help them make informed decisions for their families and businesses. Whatever the situation is, we help educate and close gaps by providing personalized service.
How are you currently lobbying or working towards the development of new insurance regulations or permissible strategies in the state of Atlanta, or nationally?
Many of our agents at Commonwealth of Atlanta are active members in national financial associations to stay abreast and adapt to changes in regulations. All of our agents complete continuing education in the financial industry, which enables them to bring the most current thinking and best strategies to serve our clients.
Can you tell us about your involvement in the community and its impact?
At Commonwealth Atlanta we support and encourage individual and group activities in support of our community. Our agents work on passion projects such as Atlanta Community Food Bank, Open Hand and many more, volunteering their time and talents.
Address: 5909 Peachtree Dunwoody Road, Building D, Suite 990, Atlanta, GA 30328
Phone: (+1) 678-342-3100
By Magnus Walker, Director of Trading and Risk for Inprova Energy
To increase gains and avoid losses when playing the 'lottery' of flexible and volume energy purchasing, businesses must carefully manage risk, says Magnus Walker, Director of Trading and Risk for Inprova Energy.
He sets out a five-step process to help businesses prepare a risk management plan and trading strategy that can ensure resilience in the face of bullish wholesale commodity market conditions and sharp increases in non-commodity charges.
Don't dice with volatility
The wholesale energy market is incredibly volatile and unpredictable. Prices can move dramatically in response to market triggers - such as a cold snap, geopolitical instability, currency fluctuations or supply and capacity problems.
With professional help, this risk can be contained. It's often believed that fixed-rate contracts are less risky than flexible contracts, but this is a fallacy. While fixed rates do provide budget certainty, the odds are 1:365 of picking the day of the year when the market is at its lowest to fix a deal.
In comparison, flexible purchasing offers more opportunity to buy chunks of your energy volume at points in time when the commodity market dips.
The obvious danger is missing the market troughs and then purchasing energy when the market peaks because you're only watching the market occasionally. This is why any flexible purchasing strategy should be supported by a robust risk management system and trading strategy to limit potential losses by ensuring that you never hit the top of the market.
A risk management process/system should identify the risks to be measured and valued, the company’s objectives and risk limits, and the amount the buyer is willing or prepared to miss out on. These risk limits or “triggers” should also account for unwind time (the time it takes to hedge a position) amongst other factors.
Seek sound advice and involve your board
To implement a corporate energy risk management strategy, rather than simply managing market risk, an integrated approach should be developed at board level.
Risk management is complex, so it's sensible to seek expert advice to carry out an initial forecast assessment using established and proven modeling techniques. This will highlight the options available and determine your appetite towards price risk.
It's important to quantify the potential risk and fully understand how a change in the wholesale energy price will impact your energy purchasing costs. From there, an optimum price and risk strategy can be agreed, implemented and monitored.
Reputable energy advisers, and some energy suppliers, can support you.
Understand risk management methods
There are various methods used to manage risk. In the case of market risk, ‘forward purchases’ of different contracts will help to mitigate the risk of leaving contracts until an inopportune point. For example, you could purchase a proportion of your expected energy requirements at a fixed price for the duration of the contract, then build up the remainder by purchasing fixed-price blocks on the forward market at different times.
Alternatively, you may link wholesale prices to a benchmark or index of market levels, but then include a risk management strategy to guard against sharp price moves.
Some larger energy users may also have their own on-site generation, trading surplus energy on the grid to limit exposure to higher prices.
Get to grips with limits
A risk management plan, in which the trader is only allowed to make purchases within a set range, can limit any potential market losses, but can also constrain gains should the market drop.
Further levels of complexity could be added with automatic triggers and trades, should certain price movements take place and close out against indices near to delivery.
However, complex deals, which require more market monitoring, will be costlier to manage. Sometimes simpler and more straightforward risk management strategies can be equally effective, if professionally managed by experienced teams with access to live market prices.
Risk management is a continuous process
Your actual risk position will change day-to-day in line with the market, so ongoing monitoring and analysis of your market position is required. As in financial markets, mark to market (MtM) principles allow you to regularly assess the risk of your market position. Feedback from your professional manager on your open positions will help to determine the trading strategy throughout your flexible contract, ensuring that you buy at the right times to maintain energy price risk within agreed levels.
What works for you at the start of the contract is likely to change, so regularly review and discuss your buying strategy. A good consultant should offer this as a matter of course for large energy consumers with complex and changeable energy requirements.
The risks to your overall energy spend will rise with increased market volatility. They can be contained, but only through a properly managed and written risk management solution. This should follow an in-depth assessment of your organisation's appetite for risk and procurement needs.
With an appropriately recorded and agreed trading strategy in place, procurement should be executed by a team with live market price feeds, the right monitoring and reporting systems, and the ability to recognise changing market conditions. This team should be proactive in advising customers on the best energy procurement routes, and review and amend the strategy, with the aim of avoiding market shocks.
Inprova Energy is one of the UK's top ten business energy procurement and management consultancies and manages around 3,000 gas and electricity supply contracts on behalf of clients, including Virgin Atlantic, Hotel du Vin, National Grid, Carlsberg and retail group White Stuff.
Further information: www.inprovaenergy.com, 0330 166 4444