Friday 4 January 2013

PRISM at the CBI... A Guide - Part 3 of 3

Well, as per my earlier entry, we have looked at how crucial impact and probability risk are to your understanding of PRISM... Note that as before, this is based on published documents from the Central Bank of Ireland such as PRISM Explained.

Now, how will this affect how a firm is supervised and the work that will have to be done by a regulated firm?

Engagement
How a firm is supervised is dependent on their impact category - we would expect a large firm with a multi-billion Euro balance sheet to get more attention than one with a million Euro balance sheet. To quote PRISM Explained:

"Firms in each impact category will be supervised through the completion of engagement tasks. We will engage with all firms at a level that corresponds to their impact category; the higher the impact category, the higher the level of engagement."

Again it needs to be recognised that low impact firms have to be supervised in a different way:
"For our low impact firms, we aim to regulate to avoid sector-wide issues - such as widespread misselling by intermediaries - but there are circa ten thousand low impact firms and we will not seek to prevent individual failure. Rather, we will supervise these firms reactively - ensuring that an administrator or liquidator is appointed when they fail and that there is an orderly revocation of authorisation and winding-up in accordance with insolvency legislation"
So no matter how hard you work, as long as you are a large firm, you will get a certain level of attention from the Central Bank... and if you are a small one, then you have to recognise that the amount of attention you get may seem quite small.

As for the tasks that engagement involves - you'll get a good idea of these from Appendix A of PRISM Explained:

Risk Mitigation
Remember how the supervisor reviews a firm by risk category and gets an overall risk rating... here's a reminder:
What happens if you are judged to have a higher probability risk in one of these categories?

"Any risk category which is probability rated as medium-high or high must be mitigated. If a supervisor rates a firm medium-high or high probability in any risk category, he or she will be prompted by the PRISM application to open a Risk Mitigation Programme (RMP) issue, explaining the nature of the risk. Having opened the issue, the supervisor will construct one or more outcome-focused actions to reduce the risk to an acceptable level by a given deadline."

This comes back to what I wrote earlier about moving your firm down the probability risk axis in our diagram. If you have a review and you get a letter with a set of risk mitigation actions, then the best thing is to discuss it with the supervisor and find a way to get to the desired outcome. And to quote Deputy Governor Elderfield at the launch speech for PRISM (http://www.centralbank.ie/press-area/speeches/Pages/AddressbyDeputyGovernorMatthewElderfield.aspx), which I attended in December 2011:
"A further quality control mechanism built into the PRISM framework is giving firms a chance to comment on draft Risk Mitigation Programmes.  Once Risk Mitigation Programmes are written using the PRISM application, we plan to share them with firms in draft form, giving each firm ten working days to highlight factual inaccuracies, and, if it wishes, to propose alternative actions to mitigate unacceptable risks. 

Our plans to share drafts and listen to alternative risk mitigation suggestions are conditional on industry interacting appropriately.  We do not plan to soften our risk mitigation in response to feedback from firms that they are too demanding or too difficult.  We are introducing the sharing of draft Risk Mitigation Programmes on the basis that firms will react to them in an intelligent fashion, letting us know promptly when an issue is inaccurate but not seeking to deflect us from our desired outcome.  The final judgement on what must be done to mitigate unacceptable risks to financial stability and the consumer will remain with Central Bank supervisors. 

I believe in constructive dialogue and I believe in giving firms the chance to say how the outcomes we seek can be delivered in a better or more efficient way.  I also don’t believe that we are ever going to get every issue and every action right first time – hence my desire to trial this interaction with firms to help us quality assure our risk mitigation programmes.  I’d urge all firms to use this opportunity wisely."

If I get a chance, I will ask the Deputy Governor if firms used this opportunity wisely... or not...

Conclusion

  • A firm's impact category will determine the engagement it will have with the Central Bank
  • As impact can only be changed by such things as reducing the size of a firm, you should expect a certain amount of interaction related to the size of your firm
  • Firms will have a risk mitigation programme and related actions assigned if they are judged to have a high probability risk
  • You can influence the probability risk rating of your firm in how you respond to these issues and actions


PRISM at the CBI... A Guide - Part 2 of 3

I just finished an entry on how to understand two crucial elements of the PRISM system - Impact and Probability Risk. Before we move onto Engagement Tasks and Risk Mitigation, let's look at why PRISM exists. Note that as before, this is based on published documents from the Central Bank of Ireland such as PRISM Explained.

A lot of people are surprised when I tell them how many firms have to be supervised by the Central Bank of Ireland - according to PRISM Explained, this is over 10,000 firms... as has become evident after Ireland's recent financial crisis, a change was needed in how these firms are regulated.
But how can this be done?
  • Do you assign 10,000 supervisors to the Central Bank and have them each regulate a firm?
  • But what about large firms like Allied Irish Banks - should they have one supervisor assigned when there is so much going on?
  • If you assign one regulator per firm, then are you giving the same attention to all of Allied Irish Banks as you are giving Skibbereen Credit Union (no offense to them, I am a west Cork man, so they got picked...)?
  • If you have a more realistic number of supervisors like 500, how do you make sure you have enough people working on Allied Irish Banks and still give Skibbereen Credit Union the attention it requires?
It gets even more interesting if you look at the breakdown of regulated firms in Ireland... as per PRISM Explained, the number of firms in each Impact Category is approximately:
Now, that looks interesting, but wait until you see it in visual form:
You can't even see the Medium High and High firms there - even if you remove all the Low impact category firms, you still see the challenge here:
A set of quotes in PRISM Explained should be remembered here:
"Under PRISM, the most significant firms - those with the ability to have the greatest impact on financial stability and the consumer - will receive a high level of supervision under structured engagement plans, leading to early interventions to mitigate potential risks. Conversely, those firms which have the lowest potential adverse impact will be supervised reactively or through thematic assessment"
So whether we like it or not, or whether we think a firm in a specific sector should get more attention, a decision has to be made on how best to apply limited resources.

"PRISM is designed to deliver value for the taxpayer. It explicitly recognises that we can only have a finite number of supervisors and that we must deploy them where they can make the greatest difference – on the firms which have the most impact."
We could ask the Central Bank to hire several hundred or even thousand more supervisors, but wouldn't we like to see an attempt being made to apply resources in an effective and efficient manner?

"(By way of analogy, An Garda Siochana does not take detectives off its Special Detective Unit to patrol shops after every case of shoplifting that is reported. Neither will we take resources from our most important firms to closely supervise economically insignificant firms. Clearly, if there is a spate of “shoplifting” in an area, we will undertake appropriate investigation (as any police force would) and may reform our working practices/enforcement appetite to deal with the issue robustly to deter other firms from tolerating similar failings.)"
As it says above, you need to apply your resources in an effective way - but you must be willing to look at changing this as required... I suspect that a member of the Central Bank whose father was a policeman may have added the above analogy, but that is only speculation...

"In launching PRISM, we do not pretend that we can or should prevent all firms failing. Firms will and must be allowed to fail in a functioning market economy – the direct costs of staffing the Central Bank to guarantee absolutely no failures ever would be prohibitive."
We will see firms fail... we will have to hope that they are not as big as the country's major banks and that those larger institutions are being properly supervised by the right number of people...

PRISM at the CBI... A Guide - Part 1 of 3

I worked for a while with the Central Bank of Ireland's Risk Division and one of the things I get asked about a lot is something called "PRISM"... this is the Central Bank of Ireland's risk-based supervision framework - PRISM stands for Probability Risk and Impact SysteM. The framework established a new approach for supervisory engagement with Irish regulated firms. Nice and simple?

Well, the thing that has surprised me is how some of the simplest concepts of PRISM have not been fully understood by the people in the regulated firms... what follows is just an explanation of Impact and Probability Risk - if you understand these, then you have a good grounding in how PRISM works. I will do a follow-up on Engagement and Risk Mitigation Programmes...

Note: When I joined the Central Bank, I signed a confidentiality agreement... they very kindly gave me a copy of this when I left... and a gentle reminder of the consequences of breaking it. Everything below can be found in the Central Bank's excellent PRISM Explained document. To prove this I have included quotes from the document where needed...all quotes are in italics and can be found in PRISM Explained...

What is PRISM?
Now, to get you started, here is an interview I did with William Mason, my old boss and the Head of the Central Bank's Risk Division at the recent GRC Summit in Farmleigh House. He talks about PRISM from about 01:35 in the below:
However the whole piece is important... the comments on business models and "getting behind the numbers" at the start will be important to your understanding of PRISM. To quote PRISM Explained, PRISM makes it "easier for our supervisors to challenge the financial firms they regulate, judge the risks therein and take action to mitigate those risks".

The important word here is "judge" - quantitative or "black box systems were understood by few (and bitter experience indicates that even those few had limited understanding) and thus were not subject to adequate challenge". We'll come back to that when we are looking at Probability Risk... first we need to understand the difference between Impact and Probability Risk. Have a look at the below:


Impact
Note that from left to right we have increasing Impact - from Low through to High. Impact for a firm is calculated using information received by the Central Bank in items such as regulatory returns. These are "combined to calculate an impact score for each firm so that, for each sector, we have a list of all the firms in that sector ordered by impact. These lists were used to divide all regulated firms into four categories: high impact, medium-high impact, medium-low impact and low impact."

Impact metrics are found in appendix C of PRISM Explained, but let's keep this simple. Let's say you take a simple model that balance sheet size drives the impact of firms in a sector... then the bigger your balance sheet, the higher your impact and thus the further to the right on the diagram your firm will fall.
Now this is important... as this is driven by regulatory returns, then the only convenient way to change the impact category of a firm is to do something like reducing your balance sheet size. What you can influence is your Probability Risk... By the way, the Central Bank did do a consultation on this impact approach - see CP49... if you didn't comment then, then it may be too late...

Probability Risk
So what happens next? Well, the supervisor in the Central Bank now has to make a judgement on the risk of a firm. "Supervisors will form judgments on the risk probability posed by the firm in relation to each category. PRISM is a judgement-based system in that supervisors of higher impact firms will be required to make a conscious choice as to the riskiness of a firm at each level in each category."

Note two things from the above - they are going to do this per a set of risk categories and this depends on the impact category of the firm... what I am going to explain below will be for firms in higher impact categories. As for "our low impact firms, we aim to regulate to avoid sector-wide issues - such as widespread misselling by intermediaries - but there are circa ten thousand low impact firms and we will not seek to prevent individual failure. Rather, we will supervise these firms reactively - ensuring that an administrator or liquidator is appointed when they fail and that there is an orderly revocation of authorisation and winding-up in accordance with insolvency legislation"

On the question of categories - have a look at this:
Start from the top... the "Overall Risk Rating" is the overall Probability Risk for a firm. This is driven by the categories below - so the supervisor will review the firm for Credit Risk, Market Risk etc. And for each category there are sub categories, so for Credit Risk, the supervisor will record their judgement on items such as the "Concentration of Credit Risk" for a firm. They can be guided by Key Risk Indicators or KRIs - so the supervisor might look at the data for how concentrated a firm is in its lending to a certain set of customers or customer segment.

This drives the overall Credit Risk which may ultimately drive the overall risk rating for a firm... but note, this is the judgement of the supervisor... even if the KRIs for a firm are looking acceptable, they will be expected to record their opinion of the firm and not just sign off a set of numbers... it's not just looking at the output of a "black box" and ticking a box... they need to understand why a firm is in the business it is in and if it can sustain that business. Thus supervisors are asking a lot more questions of regulated firms...

It's interesting to note that the above can be taken to be a simple taxonomy of risks... more on this and ontologies in a future entry...

Conclusion
So let's put it all together:

  • Impact measures the cost or damage the failure of a firm would have to the economy. It is calculated from regulatory returns. 
  • In the above firm A's failure would have more of an impact on the economy than firm B. In a simple model based on just balance sheet size, we would expect Firm A to have a larger balance sheet in Euro than firm B.
  • The only way to move a firm between impact categories is to reduce the impact score. For Firm X to move to the same impact category as firm Y, it would have to do something like reduce its balance sheet size.
  • Probability Risk is based on the judgement of the supervisor as to the probability that a firm will fail.
  • In the above firm C has been judged to have a higher probability risk than firm B. This is based on the judgement of the supervisor and not just data such as KRIs.
  • A firm can move between probability risk ratings by mitigating their risks and showing the supervisor the results of this... they will then change their judgement of the probability risk of the firm and it will move to a lower overall probability risk rating.
  • Thus firm X could move to the overall risk rating of firm Y by showing risk mitigation.
More to follow on Risk Mitigation and Engagement tasks with the Central Bank in a future entry.

Thursday 3 January 2013

About me...

Justin McCarthy has worked in risk roles in many firms, including Bank of America Merrill Lynch, PricewaterhouseCoopers and with the Irish Financial Regulator at the Central Bank of Ireland. This work has allowed him to see the changes in risk management before, through and beyond the recent global financial crisis.


While at the Central Bank of Ireland, Justin worked on the PRISM project. PRISM is the Central Bank’s risk-based framework for the supervision of regulated firms. This involved working with staff and management throughout the bank as well as presentations to the Governor of the Central Bank and to the "Troika".

His current job is to help develop a publicly funded centre for Governance, Risk and Compliance in the Financial Services industry. This work allows him to learn of many new risk initiatives, meet risk practitioners & thought leaders and to interact with staff and members from other Governance, Risk and Compliance bodies.

He is the Regional Director of the Irish PRMIA Chapter and is the co-chair of the EMEA Regional Directors committee as well as a member of the Education Committee. He was one of the founding members of the Irish PRMIA chapter. He was on the organizing committee of the PRMIA Global Event in 2012 and helped facilitate the PRMIA case study at the 2012 FSA Risk Symposium.
He was the organiser and chair of the GRC Summit Ireland 2012.

The Professional Risk Managers' International Association (PRMIA) is a non-profit professional association, governed by a Board of Directors directly elected by its global membership, of more than 88,000 members in 210 countries. PRMIA is represented globally by 60 chapters in major cities around the world, led by Regional Directors appointed by PRMIA's Board.

Justin has a BSc from UCC and an MBA from the Michael Smurfit Graduate School of Business at UCD. He is married to Sarah and has two children.

Friday 28 December 2012

First entry...

Well, that's my blog set-up... Now I need to add some content...