Due May 7th!!!!

Section 1

Company Profile

Executive Summary

ERM Mission Statement – describes the goals and objectives of your selected ERM risk framework (high level benefits and outcomes from the project)

Section 2 - Governance Structure

Section 3 - Implementation Plan

Covered risk- What risks will be covered in the plan?

Financial risk

Operational risk

Strategic

Insurance

Outcomes of ERM program implementation

- financial, operational, strategic, insurance

Staff and business leaders responsible for cascading tasks and activities down through the organization (shumin)

External Resources

-Determine if you need external consultants to participate to execute the plan. Explain why you chose to include or exclude external resources.

-What other external sources will be needed, such as, outside counsel, business partners, clients, etc. Explain why.

Risk Tools/Risk Technology

-Decide if you need a risk technology platform to aggregate enterprise risks across the firm. If not, explain how you will manage aggregation manually.

Timeline & Budget

Conclusion

-Briefly explain how your plan will benefit the organization

ERM Mission Statement

The mission of Knight Capital’s Enterprise Risk Management is to appropriately identify, measure, manage, report and monitor risks that affect the achievement of the company’s strategic, operational and financial objectives. The ERM framework is a hybrid of COSO and COBIT 5, which sets out policies and standards of practice related to risk governance, risk identification and monitoring, risk measurement, and risk control and mitigation. It also enhances the company’s ability to deal with IT-related risks.

We chose COSO because it can provide the company with:

1) Improved internal controls: Many companies and organizations have failed because of incomplete ERM programs and ineffective internal controls. The COSO board updated the framework in 2013, and it can offer more effective internal controls for Knight Capital to better mitigate risks and help management make better decisions. [1]

2) Enhanced cybersecurity: Knight Capital “suffered a loss of nearly half a billion dollars after a defective software” several years ago. IT risks, such as cybersecurity threats and system failures, are the main risks the company faces, and this new version of the framework can help the company because it pays more attention to cybersecurity. [1]

3) Cost savings: Cost saving is one of the main goals of Knight Capital management after the major failure. According to the COSO board, if a company implements the COSO 2013 framework in the right way, it will allow the company to “streamline processes, establish more effective internal controls and manage compliance costs.” [1] [2]

We chose COBIT 5 because:

It can provide the company with a common language for employees and business executives to communicate with each other about IT risks. According to Margaret Rouse, a senior IT expert from WhatIs.com, COBIT 5 has five main benefits:

1) Assure information is accurate to support business decisions

2) Maintain operational excellence by using technology effectively

3) Keep IT-related risks at an acceptable level

4) Optimize IT services and technology costs

5) Maintain compliance with relevant laws and regulations [3]

Governance Structure

Knight Capital requires an organized structure including a CRO, a steering committee, a risk committee, and sub-committees. Since Knight Capital is a financial company, we propose a risk structure dedicated to the needs of a financial firm. The board and management play the central role: they first define the tolerance for risk, then define and identify risks, measure the exposure, monitor, and mitigate the risks. In addition to the board and top management, sub-committees consist of qualified professionals who mitigate specific risks. Overall, this ERM structure should enable Knight Capital to oversee, review, monitor, and mitigate all cross-enterprise risks within the company and to create value for the firm and its stakeholders.

Executive Sponsors

The CRO’s main responsibilities include communicating with senior managers and the Board of Directors. The CRO should be a qualified and experienced officer and be fully independent of Knight Capital’s business units. The main responsibility of the CRO is to oversee Knight Capital’s risk policies and to carry out supervisory guidance and regulatory compliance efforts throughout the firm. The CRO should present key risk reports, data and analysis to the Board and governing body at least monthly, and should establish risk procedures, monitor risk, audit management on how effective its risk procedures are, provide feedback, and evaluate the quality of risk management. The CRO should also identify the applicable regulatory laws and ensure Knight Capital is fully compliant with them. The CRO is also accountable for creating a strong and healthy operational risk culture that is communicated and understood throughout Knight Capital; this is done by setting clear expectations and rules and upholding the Code of Conduct. Other responsibilities of the CRO include contingency planning, risk escalation, resolving conflicts of interest, examining contractual agreements, and audit planning.

The Board of Directors is responsible for ensuring all risks are successfully managed, establishing a clear and strong risk control environment, and implementing policy decisions to maintain adequate and efficient internal controls. The Board should define Knight Capital’s risk appetite and the acceptable degree of risk exposure. The Board should be aware of the major aspects of Knight Capital’s risks and their management at all times. The Board is also accountable for creating a strong and healthy operational risk culture that is communicated and understood throughout the firm; this is done by setting clear expectations and rules and upholding the Code of Conduct. A strong risk culture should include, but is not limited to, transparency at all levels, a well-structured organization, deterrence of excessive risk-taking, clear legal and ethical values, heavy emphasis on good judgment, and a clear and strict tone that all employees are responsible for following company risk policies regardless of their position.

Risk Steering Committee

The Steering Committee is comprised of division heads or business unit heads. They create and advocate for executive risk strategies and communicate issues, challenges and concerns from their project teams. The Steering Committee should be comprised of qualified and experienced senior leaders of different operating units. The Committee is responsible for meeting to review key risk reports, such as target risk assessments, and to discuss current and future issues relating to the different risks of Knight Capital. The Steering Committee should also review the status of management’s current controls and their alignment with Knight Capital’s current risk appetite. The Steering Committee should also report to the Board and alert the Board swiftly if potential key risks arise.

Sub-Committees

The key focus would be IT and cyber security, since the fall of Knight Capital was due to a faulty computer program. The IT Committee would be comprised of technology experts who would ensure communication with the CRO, CEO, and the Board and make sure all IT software and infrastructure are up to date. IT officers are responsible for ensuring that all business and customer private information is securely protected. The IT Committee should establish a comprehensive data loss protection plan that helps decide what immediate protocols and actions should be taken when a data breach occurs. Moreover, education is most important, so employee training and technical support on how to appropriately handle and protect sensitive data should be conducted monthly. For financial risks, sub-committees are in charge of mitigating the impacts of market risk, asset and liability risk, and credit risk. For compliance risks, we include an audit committee and a chief compliance officer to deal with SEC regulations and other government regulations. For example, the audit committee should help the CRO manage risk, compliance and oversight by examining Knight Capital’s internal control processes, reviewing audit mandates, providing overall risk oversight, and checking compliance with the law. We also have an ethics committee to push for a healthy and ethical culture within the firm. Overall, sub-committees add value to Knight Capital’s ERM system as a whole.

3.1 Covered Risk

The ERM project plan fully covers all types of risks, including strategic risks, operational risks, financial risks and IT risks. The hybrid ERM framework of COSO and COBIT can provide effective risk management towards all the risks, especially key risks of Knight Capital.

For IT Risk or Cyber Risk (Key Risk #1):

According to COBIT 5, the company should treat information and related technology as assets, implement IT controls such as logical access control and IT computer operation controls, and require IT plan review and approval. Furthermore, in accordance with COSO, every part of the firm, including all daily IT operations, should have internal controls, including policies, procedures and oversight. In addition, monitoring activities such as checklists and automated controls should be conducted to mitigate material IT weaknesses and software malfunctions.

For example, under the hybrid framework, several safety control points should be executed and double-checked to detect and prevent future IT risk events.

1) The obsolete Power Peg code should be deleted so that it cannot be activated when the flag is reused within the RLP software.

2) Pre-set capital thresholds should be linked to Knight’s entry of orders so that Knight stops sending orders when it breaches such thresholds.

3) There should be adequate controls at the point immediately prior to Knight’s submission of orders to the market to catch erroneous orders.
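One way to implement control points 2 and 3 (and the retired-flag problem behind point 1) as a single pre-trade risk gate, written here as an added example in Python; this is not code from the paper or from Knight Capital, and the strategy flag names, limits and orders are constructed values:

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Control point 1: only strategy flags that are still live may be accepted, so a
# reused flag cannot reach retired code such as Power Peg. Hypothetical value.
ACTIVE_STRATEGY_FLAGS = {"RLP"}


@dataclass
class Order:
    symbol: str
    side: str            # "BUY" or "SELL"
    qty: int
    price: float
    strategy_flag: str   # which strategy produced the order


@dataclass
class RiskGate:
    """Pre-trade gate sitting immediately before orders leave for the market."""
    capital_limit: float        # control point 2: pre-set cumulative capital threshold
    max_order_notional: float   # control point 3: per-order sanity limits
    max_order_qty: int
    exposure: float = 0.0       # notional already sent through the gate
    halted: bool = False        # once True, nothing more is sent (kill switch)
    rejections: list = field(default_factory=list)

    def check(self, order: Order) -> tuple[bool, str]:
        """Return (accepted, reason). The gate fails closed: any doubt rejects."""
        if self.halted:
            return False, "gate halted: capital threshold was breached earlier"
        if order.strategy_flag not in ACTIVE_STRATEGY_FLAGS:
            return False, f"unknown or retired strategy flag {order.strategy_flag!r}"
        if order.side not in ("BUY", "SELL") or order.qty <= 0 or order.price <= 0:
            return False, "malformed order (side, quantity or price)"
        if order.qty > self.max_order_qty:
            return False, f"qty {order.qty} exceeds per-order limit {self.max_order_qty}"
        notional = order.qty * order.price
        if notional > self.max_order_notional:
            return False, f"notional {notional:,.0f} exceeds per-order limit"
        # Control point 2: exposure is checked before the order leaves, and a
        # breach halts all further submissions instead of letting a loop run on.
        if self.exposure + notional > self.capital_limit:
            self.halted = True
            return False, "capital threshold breached; halting order entry"
        self.exposure += notional
        return True, "accepted"

    def submit(self, order: Order) -> bool:
        """Record rejections so the ERM team can review what the gate stopped."""
        ok, reason = self.check(order)
        if not ok:
            self.rejections.append((order, reason))
        return ok


def run_demo() -> dict:
    """Constructed order flow: one bad flag, one oversized order, then a runaway loop."""
    gate = RiskGate(capital_limit=1_000_000, max_order_notional=250_000, max_order_qty=10_000)
    orders = [
        Order("XYZ", "BUY", 1_000, 50.0, "RLP"),        # normal, accepted
        Order("XYZ", "BUY", 500, 50.0, "POWER_PEG"),    # retired flag, rejected
        Order("XYZ", "BUY", 20_000, 50.0, "RLP"),       # oversized, rejected
        Order("XYZ", "BUY", 5_000, 50.0, "RLP"),        # at per-order limit, accepted
    ]
    # A stuck loop resending the same 200,000 notional order 20 times: the gate
    # lets three through (exposure reaches 900,000) and halts on the fourth.
    orders += [Order("XYZ", "BUY", 4_000, 50.0, "RLP") for _ in range(20)]
    accepted = sum(gate.submit(o) for o in orders)
    return {"accepted": accepted, "rejected": len(gate.rejections),
            "exposure": gate.exposure, "halted": gate.halted}


if __name__ == "__main__":
    print(run_demo())  # {'accepted': 5, 'rejected': 19, 'exposure': 900000.0, 'halted': True}
```

The retained rejection list is the audit trail a monitoring activity (checklist or automated control, as described above) would review after the fact.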

For Operational Risks:

Compliance Risk (Key Risk #2): According to the hybrid ERM framework, Knight Capital should have the ERM team conduct monitoring activities, risk assessments, compliance review assessments, sufficient training for employees, and internal and external audits. For example, if the company had established and followed the ERM framework to manage compliance risk, the wrong code would have been deleted so it could not be activated when the system was processing orders; the company would then not have violated SEC regulations and the material risk event would not have happened. For future compliance risk management, the company should conduct the activities included in the framework and have sufficient supervision.

For other operational risks such as human resource risks and process risks, the three lines of defense established under the hybrid ERM framework (business line management controls with functions that own and manage risk, risk management and compliance oversight functions, and independent assurance functions) would greatly help to detect, prevent and mitigate such risks.

For Strategic Risks:

Governance Risk (Key Risk #3): According to the hybrid ERM framework, the company should first establish a company-wide control environment, including company culture, policies, procedures and oversight. It should also have independent Board oversight, separation of duties, internal control accountability, clear communication, and oversight and authorization of daily operations. For example, to detect and prevent future risk events, material IT errors and daily operation errors should be supervised by the CEO and the Board.

For other strategic risks such as business execution risk, international risk and regulatory risk, sufficient due diligence, risk assessments, advance risk response plans and ongoing risk monitoring required by the ERM project plan would help to manage and mitigate such risks.

For Financial Risks:

Knight Capital is exposed to many financial risks as a high-frequency trading (HFT) firm, including risks related to market prices, foreign exchange rates and interest rates. Since the company performs high frequency trading every day, its market making activities take on position risk when it hedges instruments. Therefore, the valuation of its securities and long/short positions can change substantially with swings in market prices, resulting in earnings or losses.

To manage and mitigate such risks, the company should carefully monitor financial trading and hedging activities, conduct financial risks assessments and financial loss assessment, and conduct scenario analysis and stress testing based on various market conditions regularly.

3.2 Outcomes of ERM program implementation

IT Risk Management:

After conducting the ERM project plan, reasonably designed controls and monitoring procedures for IT risks would detect and prevent software malfunctions that can result from code development and deployment. A robust and smooth IT system is the most important force for the daily operation and future development of Knight Capital as it is a high volume HFT trading company.

Operational Risk Management:

By applying the ERM framework and having a Chief Compliance Officer, an Operational Risk Officer and an ERM team, Knight Capital can have much better operational risk control and management. The company can file the previous incidents, dig into the root causes and risky points within the company and its systems, find the reasons why Knight’s controls failed to limit the harm from those incidents, and learn from the past to prevent similar problems from recurring. These advanced risk management activities would be highly effective in dealing with problems caused by people, processes and systems.

Strategic Risk Management:

The hybrid ERM framework supports better decision making through the process of risk identification and quantification, and aligns decision-making with strategy, thus creating value for stakeholders and the company with better strategic decisions backed by ERM metrics and data. In addition, better enterprise-wide governance can enhance the execution and implementation of great strategies of Knight Capital.

Financial Risk Management:

Since Knight Capital is a financial company, it is exposed to various financial risks. The ERM project plan would have great positive effects on financial risk management, including better management of foreign exchange rate exposure, market price fluctuations and interest rate exposure. In addition, under the ERM project plan, Knight Capital’s investments will be diversified and its portfolio will be reasonable.

Roles and responsibility for each risk addressed

Financial risk - Financial Risk Officer: The Financial Risk Officer will oversee financial risks and will be held accountable for any future risks.

· Credit Risk Committee: Oversees Knight Capital’s financial activities regarding default rates and reports to the ERM Committee.

· Market Risk Officer: Oversees national and international market fluctuations and reports to the ERM Committee.

· Asset Liability Committee: Oversees Knight Capital’s ability to pay its debt and its liquidity ratios and reports to the ERM Committee.

Operational risk - Operational Risk Officer: Oversees operational risk related activities and will be held accountable for risk events.

· Chief Compliance Officer: Oversees Knight Capital’s actions regarding regulations and laws and makes sure corporate actions comply with them. Reports to the CRO.

· Ethics Committee: Supervises corporate culture and reports to the ERM Committee. It makes sure corporate decisions and culture are aligned with Knight Capital’s mission and code of conduct.

Information and Technology Risk - Information Security Risk Officer and IT Committee

· Information Security Risk Officer: Oversees and monitors information technology security. Reports to the CRO.

· IT Committee: Supervises information technology risks and will be held accountable for future risk events. Reports to the ERM Committee.

Strategic risk - Strategic Risk Officer and ERM Committee

· Strategic Risk Officer: Oversees strategic risks and makes sure the strategy is implemented as designed. Reports to the ERM Committee.

· ERM Committee: Oversees risks and makes sure all risk related activities are aligned with Knight Capital’s strategy and mission. It reports to the Risk Steering Committee, which reports directly to the CEO.

External Resources

External resources are vital and necessary for Knight Capital. Some professional and technological problems may require outside expertise to resolve. Given the $440 million glitch incident, the Enterprise Risk Management team definitely needs to invite external experts to create an advanced and more effective program.

First, ERM needs to hire a legal group to analyze the legal and regulatory issues related to the incident, with a particular focus on SEC violations. There is a list of Knight’s SEC violations, such as “a written procedure requiring a simple double-check of the deployment of the RLP code could have identified that a server had been missed”, and further “Knight did not have adequate controls and supervisory procedures to guide employees’ response to incidents, Knight needed clear guidance for its technology personnel as to when to disconnect a malfunctioning system from the market” (P. Liu). ERM and legal counsel have to work together in order to give an effective and correct response.

Second, the top four auditing firms are also important. The ERM team can work with them to make sure the audit analysis and system information are in accordance with GAAP. External auditors will be able to give deep analysis and a plan based on Knight’s financial statements and the losses from the glitch incident to mitigate risk from an accounting perspective.

Finally, they need to work with IT professional groups and consultants for the complex IT problems and implementation. The root cause of the incident was an IT issue, so hiring professional IT experts is the most important and effective factor in saving the company and will also benefit future implementations. It will speed up solving the root of the problem and thus mitigate the risk.

Risk Tools and Risk Technology

A risk technology platform along with risk tools is needed to aggregate enterprise risks across the firm. Using a risk technology platform would allow the firm to aggregate all risks from individual departments in one place to conduct meaningful comparisons. It would also allow external data to be used alongside internal risk data in order to utilize all the available information. Integrating all the risks within Knight Capital on a single, regularly updated platform is an effective way for Knight Capital to monitor and measure risks as well as to record risk data. The risk technology platform should include tools and metrics such as KPI metrics, performance indicators, and others such as the following:

Loss Data Collection (LDC)

Knight Capital follows the Loss Data Collection Program standards provided in Basel II. Loss Data Collection is key to understanding the potential and current risk at Knight Capital; it is the process by which a firm captures the risk losses that have occurred in order to learn from them and create better policies in the future. Data from this tool is helpful in measuring and managing operational risk at Knight Capital as it helps identify control weaknesses, understand costs, develop a capital model and capture impacts. All business units, domestic and abroad, should submit loss data monthly.

Stress-Testing

Knight Capital is a financial firm that focuses on electronic trading, so financial risks are highly significant and impactful to the firm. One tool to measure and quantify such risks is stress-testing through scenario analysis, value-at-risk analysis, and regression analysis. This would allow Knight Capital to simulate risks, test scenarios and see whether its assets and liabilities are sufficient to survive them. Thus, stress-testing is an important tool for Knight Capital to strengthen its portfolio against potential market events and catastrophes.

Timeline

Knight Capital plans to develop an advanced ERM program over at least 18 months, to be revised and continued afterwards. In Phase I, we recruit qualified and experienced senior leaders from different operating units to oversee and monitor risks; we estimate this stage at around five months. In Phase II, we manage and oversee risks, compliance, internal control processes and mandates; bring in IT experts; update IT software and infrastructure; detect potential threats; create a data loss protection plan; and periodically check IT security (seven months). In Phase III, we train and educate all stakeholders about IT security, create standards and policies, and adopt the professional ERM plan (seven months). In Phase IV, since an ERM program is an ongoing process, we customize, revise and advance our ERM plan based on changing and immediate situations.

Implementation budget

Knight Capital’s ERM project team includes one CRO, four steering committee members, four sub-committee members and one external auditor. The payment for these employees uses the industry average salary as a reference. Knight Capital also needs to pay insurance for these ten employees: $900 per person per year. Employee training costs $1000 in the first year plus $500 and $250 in the second and third years, in case a system upgrade requires employees to be re-educated. After the third year, Knight Capital can use on-the-job training, in which existing employees train new employees, so there is no extra training fee. Office expenses include printing and office supplies. The system design fee is a one-time payment in the first year, with a $300 maintenance fee and a $500 upgrade fee per year after the first year. The total cost for the project team is about $600,000 every year, which is far less than Knight Capital’s $440 million loss.

Budget for project

                                  Year 1      Year 2      Year 3      Year 4      Year 5
Management Cost
  payment for CRO                 $160,000    $160,000    $160,000    $160,000    $160,000
  payment for steering committee  $200,000    $200,000    $200,000    $200,000    $200,000
  payment for sub committee       $200,000    $200,000    $200,000    $200,000    $200,000
  payment for external auditors   $50,000     $50,000     $50,000     $50,000     $50,000
  insurance                       $9,000      $9,000      $9,000      $9,000      $9,000
  payment for employee training   $1,000      $500        $250        -           -
Executive Cost
  office expense                  $2,500      $1,500      $1,500      $1,500      $1,500
  system design                   $1,500      -           -           -           -
  system maintenance              -           $300        $300        $300        $300
  system upgrade                  -           $500        $500        $500        $500
Total cost                        $624,000    $621,800    $621,550    $621,300    $621,300

Conclusion

Our designed ERM plan will help Knight Capital from six different perspectives.

First, it will support Knight Capital in better decision making. The ERM plan will help Knight Capital identify and quantify risk to ensure a balance between risk and return. In this way, Knight Capital will integrate risk considerations into its decision making process.

Secondly, it will prioritize risks and risk mitigation for Knight Capital. Based on risk identification and quantification, Knight Capital will rank its risks and risk related actions to ensure the riskiest events get mitigated.

Thirdly, it will create a healthy corporate culture. The three lines of defense, which include Management, the Risk Committee and Audit, will ensure corporate actions are aligned with the company mission and culture. Designated responsibilities and roles will foster a risk aware culture.

Fourthly, it will ensure key risks and returns are well understood in Knight Capital. Prioritizing risks and balancing returns will help Knight Capital better allocate its capital.

Fifthly, it will align decision-making with strategy. The ERM plan creates value for stakeholders and the company with better strategic decisions backed by ERM metrics and data.

Last but not least, it will enhance reporting and compliance. The ERM plan creates a sound guideline and foundation for strong internal and external reporting and compliance, and builds investor trust and confidence.

Overall, the ERM plan will help Knight Capital prevent, monitor and mitigate future risks. ERM provides immense benefits to a company, as employees, managers, and stakeholders share the same framework, responsibilities, and view of how to approach risk. This ultimately creates a safer environment for the business and prioritizes the key risks to be addressed.

References

[1] The Benefits of Adopting the COSO 2013 Framework

https://www.roberthalf.com/blog/management-tips/the-benefits-of-adopting-the-coso-2013-framework-even-if-you-arent-required-to

[2] Operational Risk – a case of Knight Capital

https://sandyyadav.com/2015/07/13/operational-risk-a-case-of-knight-capital/

[3] COBIT 5 (Control Objectives for Information and Related Technology 5)

http://searchcompliance.techtarget.com/definition/COBIT-5-Control-Objectives-for-Information-and-Related-Technology-5

P. Liu, Knight Capital Americas LLC, 2017. Ivey Publishing. PDF.