Tải bản đầy đủ - 0 (trang)
35 A risk crisis management program, with clear authorities, responsibilities and expectations, should be designed for quick implementation

35 A risk crisis management program, with clear authorities, responsibilities and expectations, should be designed for quick implementation

Tải bản đầy đủ - 0trang

58



The Simple Rules of Risk



3.36 SENSITIVITY TO REGULATORY REQUIREMENTS

IS IMPORTANT

Regulators play an important role in the advancement of risk management processes and

their directives and requirements must be taken seriously. Though firms may periodically feel

“overwhelmed” by the number of rules and regulations that must be followed, or the quantity

of risk information which must be submitted, they must remember that the requirements exist

for a reason — to ensure that a firm has a prudent risk process or to help identify and resolve

process problems. Though the regulatory process is not perfect, and certainly not guaranteed to

solve every problem or forestall every disaster, the efforts are an important step forward in an

environment where markets are increasingly volatile and interdependent. By ensuring that firms

that fall under the jurisdiction of a particular regulatory authority adhere to established rules,

the markets gain comfort and security that participants meet minimum financial and control

standards. Far greater benefit can be gained when institutions operate through companies or

subsidiaries subject to regulatory oversight — rather than offshore entities that may not be

subject to the same rules. Greater transparency, of course, comes at a price — typically in

the form of additional personnel and infrastructure to ensure that regulatory requirements are

being addressed. This is generally regarded as a worthwhile investment, as is the occasional

inconvenience of having to provide alternate forms of information. As indicated, the regulatory

process is not perfect; just because regulators demand adherence to particular rules or insist

on specific types of reporting does not mean that problems will be avoided. Many examples

serve as reminders of “less than perfect” regulatory mechanisms, and reinforce the fact that

regulations alone cannot act as a substitute for internal risk processes. Nonetheless, sensitivity

to the demands of regulators is an important part of governance, and well worth the time and

effort.



3.37 THE GOVERNANCE PROCESS MUST PROVIDE SENIOR

MANAGERS WITH AN ABILITY TO VIEW AND MANAGE RISK

ON A REGULATORY/LEGAL ENTITY BASIS

While individual book-runners and traders care primarily about the risk that they are responsible for managing, risk officers and business managers are generally interested in reviewing

consolidated risk profiles that reflect the exposures a firm has across products and geographic

regions. For instance, if a firm runs Japanese interest rate risk in London, New York and Tokyo,

a shift in the market will affect the positions in each center and, by definition, the consolidated

position — this is the firm’s true exposure. While consolidated risk views across products and

national boundaries are very useful from an overall corporate risk management perspective,

the proper governance structure must also provide for risk views by legal entity. This is particularly important in an era where local regulators hold senior executives and directors of

each individual legal entity accountable for the risk they run in their units. To ensure the

governance process functions as intended, local legal entity risk must be visible to the local

executives; they must also be given, in certain instances, authority to influence or reshape the

local entity’s risk profile. For instance, if a global firm operates a broad-based book of risk

businesses, including currency and equity trading through an important London-based legal

entity, it must be able to segregate all London risk exposures — including market and credit

risks associated with the currency and equity businesses. The London directors can then claim

to have access to risk information that permits discussion, analysis and possible management



Risk Governance



59



action. More importantly, directors will be able to discharge their fiduciary duties in an effective and prudent manner, and regulators will derive comfort from the fact that local managers

and directors have sufficient information to manage the risk of the local legal entity.



3.38 REGULAR INTERNAL AUDITS OF THE RISK PROCESS

SHOULD BE PERFORMED

In order to ensure that the risk governance structure in general, and the risk management

process in particular, operates in an effective manner, regular audits should be performed by

the firm’s internal audit function. The audit program should be thorough enough to identify

potential failures in risk process, communication, policy, enforcement, and so on. Large firms

often have auditors dedicated to ongoing review of the risk function. Since the discipline is

specialized, and since it covers a diverse group of areas (including credit risk, market risk,

risk technology, quantitative risk, and so on), this is often an effective use of resources. When

dedicated risk auditors are available, they can review individual components of the risk process;

by the time they have completed their overall work they will be ready to commence the process

again. Smaller firms that do not have the resources necessary to hire dedicated risk auditors may

opt to conduct general external audits of the governance process; these can be supplemented by

reviews of select “priority” areas. For example, if a firm has implemented a new risk technology

platform that produces risk aggregation and reporting for management and regulators, a specific

audit of the platform is advisable. Likewise, if special limits have been created to cap a specific

type of risk, an audit of their efficacy in controlling risk exposure might be warranted.

Summarizing the simple rules applicable to the risk governance process, we note the following:



r The effective governance framework begins by defining the firm’s risk philosophy in terms

of risk appetite across different risk classes.



r A risk mandate assigns risk accountability to those at the highest levels of the firm and

recognizes that business managers are the front line of risk management.



r Proper governance addresses the creation of a risk function — and associated risk committees, limits and policies — that can help control overall exposures.



r The overall risk process must be absolutely independent of the businesses generating risk;

r

r

r

r



this is typically accomplished by forming an independent risk management function and

developing strong internal audit practices.

Governance must also concern itself with proper management reporting lines (particularly

for those in risk-taking roles), compensation policies, education, risk communication and

knowledge dissemination.

A flawed control process is a considerable source of risk — care must be taken to ensure that

no problems exist.

Ultimately, the successful structure is based on discipline, communication and consistency.

Elements of governance, like other dimensions of the risk management process, must be

dynamic — able to adapt as market circumstances and firm-wide priorities change.



4

Risk Identification

Once a risk philosophy has been considered and a governance framework established or enhanced, the practical task of managing risk is set in motion. The first step in the process centers

on the proper identification of risk — only through complete and accurate identification can

a firm then measure, report and manage its exposures. The identification task may be simple

or complex, depending on the nature of a firm’s business, the scope of its product offerings

and the extent of its geographic reach. Those responsible for identifying risks must generally

examine all elements of a business or product line in order to determine how risk is generated.

Risks may be created by deals, transactions, products, instruments or models, or they may arise

through business or control processes. This means that all areas of the firm that have the potential to create risk — including business lines such as treasury, trading and business origination,

as well as control functions such as legal, operations and settlements — must be analyzed in

detail. Regardless of source, it is important for the identification phase to be as thorough as

possible, as it generates the risk “roadmap” used in subsequent stages of the management

process.



4.1 PROPER IDENTIFICATION OF RISK CAN ONLY

OCCUR AFTER A THOROUGH UNDERSTANDING

OF A PRODUCT, TRANSACTION, MARKET

OR PROCESS HAS BEEN GAINED

In order to identify all dimensions of risk the target product, transaction, market or process must

be thoroughly understood. Only by truly understanding how the underlying reference operates

can a control officer discern different elements of risk. It is not sufficient to simply assume

knowledge of how a market, product or process functions; each situation must be analyzed

to learn how the reference operates and generates payoffs/liabilities. By understanding these

mechanics, the control officer can isolate and identify different areas of risk. For instance, if a

credit officer is asked to identify the risk of a zero-coupon payer swap (where the firm pays an

annual floating rate and receives a lump sum at maturity), she must not assume that the structure

functions as a standard swap, with the normal risks that characterize such an instrument; in

fact, she must understand the nature of the cash flows that underpin the zero-coupon swap.

After reviewing them in detail she will determine that the swap acts as an unsecured loan,

generating more credit exposure than an equivalent “vanilla” structure; failure to understand

the workings of the swap could result in a misidentification of risk and lead to an erroneous

credit decision. Accordingly, a thorough understanding of a deal, process or reference must

precede any attempt at risk identification.



62



The Simple Rules of Risk



4.2 ALL DIMENSIONS OF RISK MUST BE IDENTIFIED; RISKS

THAT MIGHT BE LESS APPARENT AT THE TIME OF ANALYSIS

SHOULD NOT BE IGNORED, AS THEY CAN BECOME MORE

PROMINENT AS MARKET CONDITIONS CHANGE

Identifying risk can be very complex, particularly when it involves esoteric instruments, structures or business lines. These may carry less obvious, or “hidden,” exposures that can be

overlooked, and which may not become apparent until it is too late (i.e. after a loss has been

sustained). Therefore, care and diligence in the identification stage is an essential requirement.

In order to implement a robust identification process, qualified staff should be assigned the

task of understanding, reviewing and vetting products, deals and businesses in order to discern

the different types of risk that might be present — or that might arise in the future. In some

cases a product or business might be relatively easy to understand and analyze; this permits

risks to be identified with ease. For example, purchasing an equity option from a bank exposes

a firm to a basic credit risk (the risk that the bank must perform on its obligation if the option

is exercised with value) and basic market risks (the risk that changes in the underlying stock

price, volatility or risk-free rate will change the value of the option). While quantifying these

risks might be more challenging, the actual identification is straightforward. In other situations

the risks of a product or business might be very complex, making identification much more

difficult. When such complexity exists, it is advisable to consult with other experts, such as

quantitative research staff or product developers. For instance, a firm might wish to deal in an

exotic derivative with special payout features based on multiple asset classes. In this instance

the risk function may be able to identify the presence of credit risk with relative ease, but may

have more difficulty identifying all aspects of market risk; the product might be sensitive to

small or large moves in each of the underlying assets, the correlations between the assets, the

volatilities and cross-volatilities, and so on. Some risks might not even exist at the inception of

a transaction, but may appear once particular events come to pass; the process must therefore

take account of exposures that appear with the passage of time, movement of a market or triggering of some external event. For instance, if a firm purchases a knock-in option from another

counterparty that has value only once a barrier is breached it must recognize that, although no

risk exposure exists on trade date, exposure could arise in the future.

Properly identifying all dimensions of risk is so central to the initial stages of risk management that this concept becomes one of the “cardinal rules.”



4.3 THE IDENTIFICATION PROCESS SHOULD SERVE AS THE

BASE FOR THE QUANTIFICATION PROCESS; RISKS THAT ARE

IDENTIFIED SHOULD BE QUANTIFIED, AND ULTIMATELY

LIMITED, IN SOME MANNER

As we have noted, identification is a prerequisite for quantifying, monitoring and managing risk.

When undertaking the identification process, it is important that risks uncovered be quantified

and then limited. Since it is of little use to identify a series of risks and then fail to control

them, the list of risks identified should form the basis for the quantification effort to follow. For

example, risk officers who identify certain credit, market and liquidity risks can record them in

order to quantify and limit them in subsequent stages of the process. If a firm decides not to limit

a particular risk it has identified, its reasons should be properly documented in order to create

an audit trail. For instance, if after analyzing a particular financial instrument a risk officer



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

35 A risk crisis management program, with clear authorities, responsibilities and expectations, should be designed for quick implementation

Tải bản đầy đủ ngay(0 tr)

×