12 “Off-the-shelf” technology solutions that provide 80% or 90% of the capability a firm is seeking can be an ideal solution
to support the daily processing of business flows, including front-end trade entry, middle and
back-office functionality, basic control reporting and data back-up, must be ready to take
over for downed systems. A central core of this infrastructure plan should include risk-related
analytics and reporting that allow a firm to know its risks at the time of the crisis, and to engage
in basic business (or at least risk mitigation) for the duration of the crisis. Since business and
control managers cannot know when disaster will strike, they need to be able to reconstruct
their risk positions before the start of the next day’s market opening. This means that all
risk and financial information must be stored in duplicate in an offsite location at the end of
each business day. As part of the contingency planning process, it is also critical for alternate
trading, middle and back-office, and risk control systems to be regularly tested for access and
functionality. Indeed, a firm’s entire contingency planning process should be tested regularly,
to ensure that it operates as intended precisely when needed. Solid crisis management on the
technology front must, of course, be accompanied by planning related to key personnel. All
“front line” critical personnel involved with business generation, risk management, control
and settlements must be familiar with the contingency plan, how to access remote business
locations and how to make use of back-up technology platforms. They should also be familiar
with the suite of reports and information that will be available — this is particularly critical if
the offsite location is not a precise “mirror image” of the normal business technology platform,
but a scaled-down version with more limited functionality.
Summarizing the simple rules of infrastructure, we note the following:
• A risk process will often succeed, or fail, based on the quality of the underlying technological
  infrastructure and, more specifically, the quality of the data.
• Data, which provides the risk and business functions with information needed to conduct
  business and manage risk, must be well-defined, clean and robust, and flow from a single
  source; appropriate audit checks should surround the data process to ensure ongoing integrity.
• Minimum risk technology and data standards must be applied throughout the firm to ensure
• Technology platforms (including underlying code governing analytics) must be under the
  control of independent parties.
• Risk platforms must always be as flexible as possible — since the financial markets change,
  the technology supporting activities must be able to change in tandem.
• While robust technology solutions are a necessary goal, business realities mean that temporary solutions must be accommodated — under strict controls, and with a view towards
  developing more durable solutions.
• Any changes in risk infrastructure, including technologies, methodologies, and so on, must
  be thoroughly tested and documented in a proper test environment before being implemented.
• Infrastructure contingency plans are an essential component of risk management — a firm
  must be able to continue its risk-taking and risk management activities without pause in the
  event of a disruption.
Throughout this text we have endeavored to present simple rules that we believe are crucial to
the creation of an effective risk management process. As noted, many of the rules are based on
collective risk management experience drawn from the marketplace. Crises, dislocations and
process failures that have occurred over the past few decades (and over the past few years, in
particular) provide valuable lessons for all institutions. Those who follow the lessons can improve their control processes — there are certainly enough “real life” examples to demonstrate
how processes can be strengthened in order to avoid, or minimize, risk-related problems. Those
who choose to ignore them do so at their own peril: for example, if a firm chooses not to create
an independent risk function or separate front and back-office duties, it is ignoring the lessons
of LTCM, Barings, Sumitomo Corporation and Daiwa Bank; if a bank chooses not to apply prudent credit lending and collateral standards when financing speculative projects, it is ignoring
the lessons of the Japanese banking sector during the speculative bubble of the 1990s; if a firm
does not properly account for the shortcomings of models, it is ignoring the lessons of National
Westminster Bank and Bank of Tokyo Mitsubishi; if a firm opts not to take account of liquidity
risk and collateral liquidation during stressed market conditions, it is ignoring the experience
of hedge funds and large international investment banks during the 1998 Russian crisis.
Many of the rules that we have presented emphasize logical and prudent approaches to
considering and managing risks; while the quantitative dimension of risk is of vital importance
(and must never be ignored) it has been our aim to stress the importance of the “common
sense” considerations that are occasionally forgotten or de-emphasized. We believe that firms
actively taking risk should be extremely careful not to overlook this qualitative dimension.
Some of the risk rules we have discussed are simple in concept and easy to implement; they
require very little incremental effort and virtually no resources, but can add considerable control
value. For instance, requiring managers to know the skills and behaviors of their risk takers,
recognizing that large positions can create liquidity-induced losses, ensuring risk officers are
always available for consultation, or requiring new products to be considered and approved
by an independent new product committee are all examples of simple, but effective, steps that
can be taken without burdening a firm’s resources. Others may be simple to understand but
more complicated to put in place, and may require considerable human, financial or technology
resource commitments. Since they add value they are likely to be worth the incremental effort
and resources, though each firm must engage in its own cost/benefit analysis and make that
determination. For instance, creating proper risk data templates, building flexible trading and
risk technology, or staffing a risk function with experienced professionals are all examples
of rules that are simple in concept and valuable from a control perspective, but which are
likely to require additional financial and human resources. Regardless of the complexity of
implementation, the risk management process should incorporate as many of these rules as
possible. At a minimum, adherence to what we have termed the “cardinal rules” is advisable.
By implementing the cardinal rules, a firm can strengthen key elements of the process and so
gain greater confidence in continuing, or expanding, risk-taking activities. Implementation of
the cardinal rules, or any of the broader rules we have presented, requires management support;
without a “top down” management push to create a strong risk culture based on fundamental
risk rules, a firm’s control process will never be as strong as it can, or should, be. Management
must be completely committed to creating a strong risk process.
As we have discussed, a risk process must be driven by a clear and concise philosophy
that delineates and defines all risk-taking activities. For some firms risk-bearing is a minor
component of overall business, with risks that should be minimized or eliminated whenever
possible. For others it forms the bulk of activities and revenues; in such cases a robust and
dynamic risk process is essential. Once a philosophy exists, a risk governance structure can be
created; this empowers groups and individuals within an organization to develop, implement
and maintain the risk process. Effective risk governance creates authority, responsibility and
accountability, and helps ensure that risk-taking does not occur in a vacuum. Once a governance
framework has been created, a risk control process can be built, or expanded, around the core
disciplines of identification, quantification, monitoring and management. While each of these
sectors requires attention and resources, the basic rules applicable to each are straightforward,
and based heavily on common sense, prudence, judgment and experience. The entire risk
process must be flexible and dynamic; as financial markets and associated risks change, a
control process must be able to change in tandem.
• The identification phase focuses on understanding, in detail, the specific risk exposures being
  contemplated. Risks must be understood and identified before they can be managed.
• The quantification phase — where quantitative and qualitative approaches to risk management
  intersect — assigns a financial value to exposures that have been identified; without
  assigning such a value, it is impossible to determine how much might be gained or lost
  through risk activities. Quantification also permits allocation of capital and establishment
  of risk limits to control exposures.
• The monitoring phase permits risk exposures to be tracked and reported; this allows internal
  and external parties to understand the scope and magnitude of risk activities. Monitoring
  also ensures compliance with limits and policies enacted by governance bodies.
• The management phase allows for ongoing risk decisions and exposure adjustments; this
  ensures all available tools, techniques, skills and experience are used to actively manage the
  risks of the business.
• Risk infrastructure surrounds the entire process. Such infrastructure permits the practical
  measurement, monitoring and management of risk; the more advanced and flexible the
  infrastructure, the simpler the task of gathering, analyzing and transmitting risk information.
  This does not mean the management of risk is any easier; it simply means that gaining
  access to the information required to manage risk is easier — saving time and resources, and
  allowing decisions to be made with greater confidence.
It is important to re-emphasize that a risk process must draw in quantitative processes whenever
necessary; quantitative tools are an important dimension of risk management — forming an
essential element of the qualitative/quantitative risk partnership — and should be actively used.
Though certain mathematical tools have limitations and can expose a firm to specific risks,
they provide information that makes possible the practical management of risk.
Ultimately, the key to the “simple rules of risk” is remembering the lessons of history. The
financial markets contain many examples of institutions that failed to implement, or follow,
relatively basic rules of risk process and management. By remaining disciplined in creating,
and adhering to, a comprehensive risk process, a firm that actively assumes risk can prosper.