Tải bản đầy đủ - 0 (trang)
12 “Off-the-shelf” technology solutions that provide 80% or 90% of the capability a firm is seeking can be an ideal solution

12 “Off-the-shelf” technology solutions that provide 80% or 90% of the capability a firm is seeking can be an ideal solution

Tải bản đầy đủ - 0trang

Risk Infrastructure


to support the daily processing of business flows, including front-end trade entry, middle and

back-office functionality, basic control reporting and data back-up, must be ready to take

over for downed systems. A central core of this infrastructure plan should include risk-related

analytics and reporting that allow a firm to know its risks at the time of the crisis, and to engage

in basic business (or at least risk mitigation) for the duration of the crisis. Since business and

control managers cannot know when disaster will strike, they need to be able to reconstruct

their risk positions before the start of the next day’s market opening. This means that all

risk and financial information must be stored in duplicate in an offsite location at the end of

each business day. As part of the contingency planning process, it is also critical for alternate

trading, middle and back-office, and risk control systems to be regularly tested for access and

functionality. Indeed, a firm’s entire contingency planning process should be tested regularly,

to ensure that it operates as intended precisely when needed. Solid crisis management on the

technology front must, of course, be accompanied by planning related to key personnel. All

“front line” critical personnel involved with business generation, risk management, control

and settlements must be familiar with the contingency plan, how to access remote business

locations and how to make use of back-up technology platforms. They should also be familiar

with the suite of reports and information that will be available — this is particularly critical if

the offsite location is not a precise “mirror image” of the normal business technology platform,

but a scaled-down version with more limited functionality.

Summarizing the simple rules of infrastructure, we note the following:

r A risk process will often succeed, or fail, based on the quality of the underlying technological

infrastructure and, more specifically, the quality of the data.

r Data, which provides the risk and business functions with information needed to conduct







business and manage risk, must be well-defined, clean and robust, and flow from a single

source; appropriate audit checks should surround the data process to ensure ongoing integrity.

Minimum risk technology and data standards must be applied throughout the firm to ensure


Technology platforms (including underlying code governing analytics) must be under the

control of independent parties.

Risk platforms must always be as flexible as possible — since the financial markets change,

the technology supporting activities must be able to change in tandem.

While robust technology solutions are a necessary goal, business realities mean that temporary solutions must be accommodated — under strict controls, and with a view towards

developing more durable solutions.

Any changes in risk infrastructure, including technologies, methodologies, and so on, must

be thoroughly tested and documented in a proper test environment before being implemented.

Infrastructure contingency plans are an essential component of risk management — a firm

must be able to continue its risk-taking and risk management activities without pause in the

event of a disruption.



Throughout this text we have endeavored to present simple rules that we believe are crucial to

the creation of an effective risk management process. As noted, many of the rules are based on

collective risk management experience drawn from the marketplace. Crises, dislocations and

process failures that have occurred over the past few decades (and over the past few years, in

particular) provide valuable lessons for all institutions. Those who follow the lessons can improve their control processes — there are certainly enough “real life” examples to demonstrate

how processes can be strengthened in order to avoid, or minimize, risk-related problems. Those

who choose to ignore them do so at their own peril: for example, if a firm chooses not to create

an independent risk function or separate front and back-office duties, it is ignoring the lessons

of LTCM, Barings, Sumitomo Corporation and Daiwa Bank; if a bank chooses not to apply prudent credit lending and collateral standards when financing speculative projects, it is ignoring

the lessons of the Japanese banking sector during the speculative bubble of the 1990s; if a firm

does not properly account for the shortcomings of models, it is ignoring the lessons of National

Westminster Bank and Bank of Tokyo Mitsubishi; if a firm opts not to take account of liquidity

risk and collateral liquidation during stressed market conditions, it is ignoring the experience

of hedge funds and large international investment banks during the 1998 Russian crisis.

Many of the rules that we have presented emphasize logical and prudent approaches to

considering and managing risks; while the quantitative dimension of risk is of vital importance

(and must never be ignored) it has been our aim to stress the importance of the “common

sense” considerations that are occasionally forgotten or de-emphasized. We believe that firms

actively taking risk should be extremely careful not to overlook this qualitative dimension.

Some of the risk rules we have discussed are simple in concept and easy to implement; they

require very little incremental effort and virtually no resources, but can add considerable control

value. For instance, requiring managers to know the skills and behaviors of their risk takers,

recognizing that large positions can create liquidity-induced losses, ensuring risk officers are

always available for consultation, or requiring new products to be considered and approved

by an independent new product committee are all examples of simple, but effective, steps that

can be taken without burdening a firm’s resources. Others may be simple to understand but

more complicated to put in place, and may require considerable human, financial or technology

resource commitments. Since they add value they are likely to be worth the incremental effort

and resources, though each firm must engage in its own cost/benefit analysis and make that

determination. For instance, creating proper risk data templates, building flexible trading and

risk technology, or staffing a risk function with experienced professionals are all examples

of rules that are simple in concept and valuable from a control perspective, but which are

likely to require additional financial and human resources. Regardless of the complexity of

implementation, the risk management process should incorporate as many of these rules as

possible. At a minimum, adherence to what we have termed the “cardinal rules” is advisable.

By implementing the cardinal rules, a firm can strengthen key elements of the process and so

gain greater confidence in continuing, or expanding, risk-taking activities. Implementation of


The Simple Rules of Risk

the cardinal rules, or any of the broader rules we have presented, requires management support;

without a “top down” management push to create a strong risk culture based on fundamental

risk rules, a firm’s control process will never be as strong as it can, or should, be. Management

must be completely committed to creating a strong risk process.

As we have discussed, a risk process must be driven by a clear and concise philosophy

that delineates and defines all risk-taking activities. For some firms risk-bearing is a minor

component of overall business, with risks that should be minimized or eliminated whenever

possible. For others it forms the bulk of activities and revenues; in such cases a robust and

dynamic risk process is essential. Once a philosophy exists, a risk governance structure can be

created; this empowers groups and individuals within an organization to develop, implement

and maintain the risk process. Effective risk governance creates authority, responsibility and

accountability, and helps ensure that risk-taking does not occur in a vacuum. Once a governance

framework has been created, a risk control process can be built, or expanded, around the core

disciplines of identification, quantification, monitoring and management. While each of these

sectors requires attention and resources, the basic rules applicable to each are straightforward,

and based heavily on common sense, prudence, judgment and experience. The entire risk

process must be flexible and dynamic; as financial markets and associated risks change, a

control process must be able to change in tandem.

r The identification phase focuses on understanding, in detail, the specific risk exposures being

contemplated. Risks must be understood and identified before they can be managed.

r The quantification phase — where quantitative and qualitative approaches to risk manage-




ment intersect — assigns a financial value to exposures that have been identified; without

assigning such a value, it is impossible to determine how much might be gained or lost

through risk activities. Quantification also permits allocation of capital and establishment

of risk limits to control exposures.

The monitoring phase permits risk exposures to be tracked and reported; this allows internal

and external parties to understand the scope and magnitude of risk activities. Monitoring

also ensures compliance with limits and policies enacted by governance bodies.

The management phase allows for ongoing risk decisions and exposure adjustments; this

ensures all available tools, techniques, skills and experience are used to actively manage the

risks of the business.

Risk infrastructure surrounds the entire process. Such infrastructure permits the practical

measurement, monitoring and management of risk; the more advanced and flexible the

infrastructure, the simpler the task of gathering, analyzing and transmitting risk information.

This does not mean the management of risk is any easier, it simply means that gaining

access to the information required to manage risk is easier — saving time and resources, and

allowing decisions to be made with greater confidence.

It is important to re-emphasize that a risk process must draw in quantitative processes whenever

necessary; quantitative tools are an important dimension of risk management — forming an

essential element of the qualitative/quantitative risk partnership — and should be actively used.

Though certain mathematical tools have limitations and can expose a firm to specific risks,

they provide information that makes possible the practical management of risk.

Ultimately, the key to the “simple rules of risk” is remembering the lessons of history. The

financial markets contain many examples of institutions that failed to implement, or follow,

relatively basic rules of risk process and management. By remaining disciplined in creating,

and adhering to, a comprehensive risk process, a firm that actively assumes risk can prosper.

Selected References

Association of Finance Professionals, “Principles and Practices for the Oversight and Management of

Financial Risk,” AFP: New York (1998).

Bank for International Settlements, “Operational Risk Management,” Basel Committee Publications

No. 42: Basel (1998).

Bank for International Settlements, “Report on OTC Derivatives: Settlement Procedures and Counterparty

Risk Management,” CPSS Publications No. 27: Basel (1998).

Bank for International Settlements, “Recommendations for Public Disclosure of Trading and Derivatives

Activities of Banks and Securities Firms,” Basel Committee Publications No. 48: Basel (1999).

Bank for International Settlements, “Credit Risk Modeling,” Basel Committee Publications No. 49: Basel


Bank for International Settlements, “A Survey of Stress Tests and Current Practice at Financial

Institutions,” Basel Committee Publications, April 2001.

Banks, E., The Credit Risk of Complex Derivatives, 2nd Ed., Macmillan: London (1996).

Basel Committee on Banking Supervision, “Sound Practices of Managing Liquidity in Banking Organizations,” Basel Committee Publications: Basel (2000).

Beder, T.S., “VAR: Seductive but Dangerous,” Financial Analysts Journal, September–October 1995.

Cagan, P., “The First Gentle Steps,” Futures and Options World, February 2002, pp. 48–51.

Caouette, J., E. Altman and P. Narayanan, Managing Credit Risk, John Wiley: New York (1998).

Carey, M., “Dimensions of Credit Risk and their Relationship to Economic Capital Requirements,”

Federal Reserve Board, March 15, 2000.

Celarier, M., “How the Banks Caught Hedge Fund Fever,” Global Finance, March 1994, pp. 48–53.

Chew, L., Managing Derivative Risks, John Wiley: New York (1996).

Counterparty Risk Management Policy Group, “Improving Counterparty Risk Management Practices,”

June 1999, New York.

Crouhy, M., R. Mark and D. Galai, Managing Risk, McGraw-Hill: New York (2000).

Das, S., “Liquidity Risk,” Futures and Options World, February 2002, pp. 55–62.

Decker, P., “The Changing Character of Liquidity and Liquidity Risk Management: A Regulator’s

Perspective,” Federal Reserve Bank of Chicago, April 2000.

Derivatives Policy Group, “ Framework for Voluntary Oversight,” DPG: New York (1995).

Diamond, D. and R. Rajan, “Liquidity Risk, Liquidity Creation and Financial Fragility: A Theory of

Banking,” University of Chicago Working Paper No. 476, July 1998.

Dowd, K., J. Aragones and C. Blanco, “Incorporating Stress Tests into Market Risk Modeling,” Derivatives Quarterly, Spring 2001, Vol. 7, No. 3.

Duffie, D. and A. Ziegler, “Liquidity Risk,” Stanford University Working Paper, August 2001.

Garman, M., “Taking VAR to Pieces,” Risk Magazine, October 1997, pp. 70–71.

Giegerich, U., “How Companies can Use VAR Models,” The Treasurer, January 1997, pp. 29–32.

Group of 30, Global Derivatives Study Group, Derivatives: Practices and Principles, G30: Washington,

D.C. (1993).

Hoppe, R., “VAR and the Unreal World,” Risk Magazine, July 1998, pp. 45–50.


Selected References

International Organization of Securities Commissions, “Risk Management and Control Guidance for

Securities Firms and their Supervisors,” IOSCO: Basel (1998).

Jorion, P., “How Long Term Lost its Capital,” Risk, September 1999, pp. 31–36.

Jorion, P., Value-at-Risk, 2nd Ed., McGraw-Hill: New York (2000).

Kimball, R., “Failures in Risk Management,” New England Economic Review, January–February 2000.

King, J., Operational Risk: Measurement and Modeling, John Wiley: New York (2001).

Office of the Comptroller of the Currency, “OCC Bulletin 2000-16, Risk Modeling,” OCC: Washington,

D.C. (May 2000).

Scholes, M., “Crisis and Risk Management,” Risk, May 2000, pp. 50–53.

Schwartz, R. and C. Smith, Derivatives Handbook: Risk Management and Control, John Wiley: New

York (1997).

Shepheard-Walwyn, T. and R. Litterman, “Building a Coherent Risk Measurement and Capital

Optimization Model for Financial Firms,” Federal Reserve Bank of New York Economic Policy

Review, October 1998, pp. 171–182.

Shireff, D., “The Eve of Destruction,” Euromoney, November 1998, pp. 34–36.

Smith, C., “Is Disclosure in the Balance?” Futures and Options World, May 2001, pp. 45–48.

Smithson, C., “Firmwide Risk: How Firms are Integrating Risk Management,” Risk, March 1997, p. 10.

Smithson, C., Managing Financial Risk, 3rd Ed., McGraw-Hill: New York (1998).

Stein, J., “The Integration of Market and Credit Risk Measurement,” Financial Engineering News, November 1998.

Taleb, N., Dynamic Hedging, John Wiley: New York (1996).

Tomasula, D., “Plugging the Holes in Risk Systems,” Wall Street and Technology, 1996, Vol. 14,

pp. 45–47.

Wendel, C., “The New Face of Credit Risk Management,” RMA Publications: New York (1999).


Aged inventory penalties, 111

Allfirst, 15–16, 45

Andersen, 15

Askin Management, 107

Asset risk, 4, see also Liquidity risk

Bank for International Settlements (BIS), 20

Bank of Tokyo Mitsubishi, 68

Bankers Trust, 9

Barings, 11–12, 45

Basis risk, 4, see also Market risk


Regulatory versus management, 29–30

Cardinal rules, 22–23, 31–32, 40–42, 62, 80,

92–93, 107–108, 121–122

Concentration risk, 4, see also Market risk

Confirmation risk, 4, see also Operational


Control risk, 4, see also Operational risk

Credit risk, 1, 63, see also Risk

Curve risk, 4, see also Market risk

Daiwa Bank, 45

Default risk, 4, see also Credit risk

Derivatives, definition of, 5

Derivatives Policy Group (DPG), 20

Directional risk, 4, see also Market risk

Documentation risk, 4, see also Legal risk

Enron, 14–15, 84, 97

European currency crisis (1992), 32

Financial dislocations,

Individual losses, 8

Summary, 6

Fraud risk, 4, see also Operational risk

Funding risk, 4, see also Liquidity risk

G30, see Group of 30

Governance, 37–59

Accountability, 41

Allies, 55

Challenging/probing, 54

Compensation, 45

Consistency, 56

Creation of, 37–39

Crisis management, 57

Disciplinary system/violations, 49–50

Disciplined application, 42–43

Dynamic process review, 42

Experience, 51

Expertise, 52–53

Firm decisions, 56

Front line of management, 46

General process, 38

Human judgment, 41–42

Independence, 42–43

Ineffective control, 44

Institutional memory, 54

Internal audits, 59

Key-man risk, 53

Legal entity risk, 58

Limits, 47

Management reporting lines, 44–45

New product process, 48

Overview, 37

Policies, 47

Regulatory requirements, 58

Relationships, 55

Risk appetite, 40

Risk education, 54–55

Stature, 50

Structure and responsibility, 40

Summary of rules, 59

Group of 30 (G30), 20

Historical rate rollover, 9



Identification, 61–75

Cash flow risk, 68–69

Concentration risk, 71

Convergence/divergence risk, 67–68

Continuous re-examination, 64–65

Cooperation in analysis, 65–66

Credit cliffs, 71

Excessive credit risk, 70

Hidden/esoteric risks, 62

Large losses, 73–74

Liquidity and leverage, 72

Local markets, 69–70

Macro analysis, 65–66

Model risk, 68

New products, 69

Obvious risks, 64

Overview, 61

Problem hedges, 67

Product/market understanding, 61–62

Progression of analysis, 63

Risk-free strategies, 70

Summary of rules, 75–76

Unexpected loss, 74

Infrastructure, 121–129

Contingency plans, 128–129

Data, 121–122

Data consistency, 122–123

Documenting technology changes,


Flexible technologies, 123

Manual solutions, 127–128

Minimum technology standards,


“Off the shelf” solutions, 128

Overview, 121

Risk control system versus risk

management system, 125–126

Risk technology requirements, 123–124

Short-term solutions, 127

Summary of rules, 129

Technical audit oversight, 126

Infrastructure risk, 4

International Swap and Derivatives

Association (ISDA), 86

Junk bond market crash (1990), 32

LDC crisis (1980s), 32, 43

Legal risk, 1, see also Risk

Lessons of history, 32

Liquidity adjusted value-at-risk (LAVAR), 83

Liquidity risk, 1, see also Risk

Local markets, 69–70

Long Term Capital Management (LTCM),

13–14, 32, 42, 43

Management of risk, 101–119

Aggressive behavior, 111–112

Client motivations, 114

Client relationships, 115

Client sales practices, 114–115

Competitive pressures, 104

Concentrated risks, 109–110

Cost of credit, 106

Credit information, 115–116

Discovery of problems, 103–104

Documenting decisions, 103

Investment accounts, 109

Large risks, 109

Legal backlog, 117–118

Legal triggers/documents, 116–117

Liquidity assumptions, 108–109

Liquidity management, 107–108

Mitigation versus migration, 112–113

Organized risk-taking, 110

Overview, 101

Proper collateral, 116

Refusal to deal, 104–105

Risk reserves, 105-1-6

Summary of rules, 118–119

Theoretical hedges/sales, 106–107

Time horizons, 113–114

Use of authorized systems, 110–111

Use of incentives/penalties, 111

Value-added cooperation, 102–103

Visibility of risk officers, 101–102

Market risk, 1, see also Risk

Marking-to-model, 80

Merrill Lynch, 11

Metallgesellshaft, 10

Mexican peso crisis (1994), 32

Model risk, 4

Assumptions, 78–79

Identification, 68

Independent verification, 87

Limitations, 79–80

Monitoring and reporting, 89–100

Collateral and counterparty verification, 98–99

Detailed information, 95

Essential items, 94

Flash reporting, 98

Market information, 99–100

Overview, 89

Profit and loss (P&L) explain process, 92–93

Profit review, 93

Public ratings, 99

Regulatory reporting, 96–97

Relevant views, 95–96

Risk watchlist, 90

Senior management, 94–95

Single sources, 91–92


Standard and special reporting, 90–91

Summary of rules, 100

Timely reporting, 91

Top risks, 89–90

National Westminster, 68

New products, 48, 69

Operational risk, 1, see also Risk

Orange County, 10–11, 70

Philosophy of risk, 25–35

Communication of, 35

Defining risk categories, 37

Overview, 25

Risk-taking behavior, 33

Summary of rules, 35

Procter and Gamble, 9–10

Profit and loss (P&L) explain process, 92–93

Qualitative risk management, 1–3

Quantification, 77–88

Correlation, 81–82

Credit/market linkages, 84–85

Disaster scenarios, 83–84

Illiquid positions, 82–83

Large positions, 82

Leveraged positions, 85

Model assumptions, 78–79

Model limitations, 79–80

Model verification, 87

Net credit exposures, 86

Overview, 77

“Safe” assets, 84

Scenario analysis, 83

Summary of rules, 87–88

VAR backtesting, 86–87

Volatility, 80–81

Quantitative risk management, 1–3, 5–6

Quantitative testing, 86–87

Random liquidation, 82

Replacement cost addition, 85–86


And Capital, 29

And Return, 30

Asset, 4

“Bad” versus “good”, 28

Basis, 4, 67

Concentration, 4, 71

Confirmation, 4

Control, 4

Correlation, 4, 67, 81

Credit, 1, 63

Curve, 4

Default, 4

Definition of, 1

Directional, 4

Documentation, 4

Enterprise-wide, 27

Fraud, 4

Funding, 4, 72

Glossary, 4

Governance, 37–59

Identification, 61–75

Infrastructure, 4, 121–129

Legal, 1

Liquidity, 1, 72

Management, 101–119

Market, 1, 63

Model, 4, 68, 79–80, 87

Monitoring and reporting, 89–100

Operational, 1, 78

Philosophy, 25–35

Quantification, 77–88

Settlement, 4, 64, 66–67

Sovereign, 4

Spread, 4

Suitability, 4

Summary of classes, 3

Volatility, 4

Risk appetite, 40

Risk categories, 37

Defining, 39

Risk education, 54–55

Risk limits, 40, 47

Risk policies, 47

Risk problems, diagnosing, 16

Flaws in governance, 16–17

Flaws in identification/measurement, 17

Flaws in infrastructure, 19–20

Flaws in management, 18–19

Flaws in reporting/monitoring, 17–18

Risk process,

Creation of robust process, 27–28

Failures, 6–16

General diagram, 26

Strengthening, 20–21

Risk/return framework, 31


Alignment, 25–27

Behavior, 33

Financial versus non-financial, 34

Organized, 110

Russian crisis (1998), 13, 31, 43

Scenarios, 31

Settlement risk, 4, 64, 66–67, see also Credit





Showa Shell Seikyu, 8–9

Simple rules of risk,

Cardinal rules, 22–23

Summary, 21–22

Sovereign risk, 4, see also Credit


Spread risk, 4, see also Market risk

Stack and roll hedge, 10

Stock market crash (1987), 32

Suitability risk, 4

Sumitomo Corporation, 12–13

Unexpected losses, 74

Value-at-risk (VAR), 5, 77, 79, 124

Volatility risk, 4, see also Market risk

Zero coupon swaps, 61, 68

Tài liệu bạn tìm kiếm đã sẵn sàng tải về

12 “Off-the-shelf” technology solutions that provide 80% or 90% of the capability a firm is seeking can be an ideal solution

Tải bản đầy đủ ngay(0 tr)