Acknowledgements
Biography
1 Introduction
1.1 Risk and risk management
1.2 Qualitative and quantitative approaches to risk management
1.3 Financial losses and failures of the risk process
1.3.1 Showa Shell Seikyu
1.3.2 Procter and Gamble
1.3.3 Metallgesellschaft
1.3.4 Orange County
1.3.5 Barings
1.3.6 Sumitomo Corporation
1.3.7 Long Term Capital Management (LTCM)
1.3.8 Enron
1.3.9 Allfirst
1.4 Diagnosing risk process problems
1.4.1 Flaws in governance
1.4.2 Flaws in identification and measurement
1.4.3 Flaws in reporting and monitoring
1.4.4 Flaws in management
1.4.5 Flaws in infrastructure
1.5 Strengthening risk practices
1.6 The simple rules of risk
1.6.1 The cardinal rules
2 Philosophy of Risk
2.1 Risk-taking should be aligned with other corporate priorities, directives and initiatives
2.2 Risk should be viewed on an enterprise-wide basis in order to understand how it impacts the entire organization
2.3 Deciding to become an active risk taker without implementing a robust risk process is likely to lead to financial losses
2.4 Actively assuming risk requires support from key stakeholders and commitment of necessary financial resources
2.5 Risk generates profits, and can therefore benefit a firm - it must, however, be managed properly
2.6 Risk is a finite resource that is driven by capital
2.7 Risk capacity is not free and proper compensation must be obtained; the process should be disciplined and applied without exception
2.8 More risk should be taken when it makes sense to do so - but only if the reasons are well established and the returns appropriate
2.9 A robust risk/return framework should be used to evaluate the performance of risk-taking activities
2.10 Risk-taking should be confined to areas in which a firm has technical expertise and a competitive advantage
2.11 "Worst case scenarios" happen with considerable frequency in an era of volatility and event risk; the lessons of history - financial cycles and crises - provide useful risk information
2.12 Understanding the dynamics of different risk classes can help define an approach to risk
2.13 Senior management should know the strengths, weaknesses, motivations, expertise and risk behavior of its business leaders and risk takers
2.14 Healthy skepticism - though not cynicism - can be useful in considering risks
2.15 Though risk activities of financial and non-financial companies are based on similar principles, they often feature important differences that must be thoroughly understood
2.16 Creating a risk capability and presence should be regarded as a long-term endeavor
2.17 Once a risk philosophy is defined, it should be communicated clearly and followed with discipline
3 Risk Governance
3.1 Risk classes need to be clearly defined and delineated
3.2 Clear expression of firm-wide risk appetite is essential
3.3 The risk governance structure should assign responsibility for risk to senior officials from various parts of the organization; these officials must ultimately be accountable to the board of directors
3.4 Accountability for risk must run from the top to the bottom of an organization; senior management must not claim to be unaware of risk, or be in a position where they are unaware of risk
3.5 Human judgment is remarkably valuable; years of "crisis experience" can be far more valuable than recommendations generated by models
3.6 Independence of the risk function must be undoubted
3.7 Other key control functions must remain equally independent of the business
3.8 The risk process must be dynamic in order to be truly effective
3.9 Disciplined application of the risk process is a necessity
3.10 An ineffective control process is a source of risk that must be addressed
3.11 Risk takers must have clear reporting lines and accountabilities
3.12 Compensation policies for risk takers must be rational
3.13 Trading managers and investment bankers should be the front line of risk management - accountable, in a measurable way, for assuming "good" risks
3.14 Once management has confidence in its risk process, it should let business managers conduct business and monitor the results
3.15 Appropriate limits should exist to control risks
3.16 Risk policies should be used to define and control all risk activities
3.17 A new product process should exist to evaluate the nuances and complexities of new instruments, markets and transactions; the same should apply to capital commitments
3.18 The nature and structure of risk policies, metrics and reporting should be reviewed regularly to account for changing dimensions of business
3.19 An effective disciplinary system is crucial; if limits/policies are breached, quick disciplinary action must be taken - if decisive action is not taken, the risk governance process loses credibility
3.20 The risk organization must carry stature, experience and authority in order to command respect
3.21 The knowledge that an experienced group of professionals is scrutinizing risk is a very powerful risk management tool
3.22 Hiring the best risk experts available, with a broad range of credit, market, legal and quantitative experience, is a worthwhile investment in the firm's future
3.23 Ensuring the risk function possesses the right mix of skills and experience strengthens the management process
3.24 Risk takers, risk managers and other control professionals should rotate regularly to remain "fresh" in their experience and perspectives
3.25 Risk expertise must be disseminated throughout the organization
3.26 Preserving an institutional memory of risk issues is important for future management of risk within a company
3.27 General risk education should be mandatory throughout the firm
3.28 Educational efforts should focus on concepts that are part of the daily operating environment
3.29 Risk specialists should question and probe until they are satisfied with the answers - they should not be afraid to query and challenge "business experts," even when it seems difficult to do so
3.30 Risk management spans many fronts - allies in audit, finance, legal and operations can help in the process
3.31 A constructive relationship with business units can be more productive than an adversarial one; but a constructive relationship does not mean approving all business deals and risks
3.32 Risk decisions should be made quickly and firmly; overruling the decisions of risk subordinates should be kept to an absolute minimum
3.33 Consistency is vital throughout the risk control organization; this eliminates the possibility of "internal arbitrage" across regions and businesses
3.34 Risk officers should be involved in every aspect of the firm that has a risk dimension to ensure that the proper perspective is always represented
3.35 A risk crisis management program, with clear authorities, responsibilities and expectations, should be designed for quick implementation
3.36 Sensitivity to regulatory requirements is important
3.37 The governance process must provide senior managers with an ability to view and manage risk on a regulatory/legal entity basis
3.38 Regular internal audits of the risk process should be performed
4 Risk Identification
4.1 Proper identification of risk can only occur after a thorough understanding of a product, transaction, market or process has been gained
4.2 All dimensions of risk must be identified; risks that might be less apparent at the time of analysis should not be ignored, as they can become more prominent as market conditions change
4.3 The identification process should serve as the base for the quantification process; risks that are identified should be quantified, and ultimately limited, in some manner
4.4 The identification process should follow a logical progression - beginning with the most common or essential, and moving on to the more complex or esoteric
4.5 In the search for more complex dimensions of risk, care must be taken not to overlook the most obvious risks
4.6 Risk identification should be an ongoing process that continually re-examines all dimensions of exposure
4.7 Risk officers should work with traders, product experts and finance personnel to analyze products and identify risks
4.8 Risk specialists must focus on details because the discipline is complex; but reviewing broader "macro" issues is also an important part of the risk process
4.9 Cooperation between different control units can lead to identification of risks that "cross boundaries"
4.10 All sources of settlement risk must be identified
4.11 Hedges may not always function as intended; potential "problem hedges" should be identified in advance
4.12 Risk arising from convergence/divergence trades must be identified
4.13 Models used to price and manage risks may contain risks of their own
4.14 Risk exposures created through changes in the structure and timing of cash flows must be identified
4.15 New products and markets can contain special risks that have not been encountered before; these risks should be thoroughly understood
4.16 Local markets may possess very unique risks and due care must be taken to understand them
4.17 "Risk-free" strategies with above average returns are rarely risk-free; pockets of "hidden" or structural risk may exist
4.18 If the identification process reveals that a large number of firms are extending credit to a counterparty, caution should be exercised
4.19 The existence of "credit cliffs" can result in the creation of sub-investment grade credit exposures, and should be identified in advance
4.20 Market risk concentrations must be properly identified
4.21 Understanding and identifying the links between liquidity, leverage, funding and exposure is vital
4.22 During times of market stress, market and credit risks can become linked; advance identification of these linkages can help avoid problems
4.23 Risk outside a specialist's domain that is discovered during the identification stage should be forwarded to a unit with direct responsibility
4.24 Identifying the source of the next "large loss" can provide guidance on the nature/quality of controls needed to protect against such a loss
4.25 If an unexpected loss occurs, the identification process may not be working correctly and should be reviewed
5 Risk Quantification and Analysis
5.1 Risks discovered in the identification stages should be decomposed into quantifiable terms; this allows exposures to be constrained and monitored
5.2 Though certain risks can be difficult to quantify, basic attempts at measurement are important in order to obtain an indication of riskiness
5.3 Models are based on assumptions that may, or may not, be realistic; assumptions, and the impact they can have on valuation, must be well understood
5.4 Models should not be used to the point of "blind faith" - they are only ancillary tools intended to supplement the risk process
5.5 It is important to know which risks are marked-to-model and why
5.6 The effects of volatility on risk exposures should be quantified
5.7 The impact of correlation between assets, and between assets and counterparties, should be quantified
5.8 The valuation of large positions should be regarded with skepticism; proof, through periodic, random liquidation exercises, can help provide an assessment of fair value
5.9 Use of traditional risk quantification techniques may underestimate potential market risk losses if a portfolio or business is very illiquid
5.10 Scenario analysis can be useful in quantifying how risk profiles change with fluctuating variables
5.11 Quantifying the effect of "disaster" scenarios on risk portfolios is useful, but managing to such scenarios is not an advisable practice
5.12 "Safe" assets and exposures can become risky in a crisis - quantifying the downside of such exposures is useful
5.13 Credit and market risk linkages should be quantified when possible
5.14 Leverage can magnify credit, market, funding and liquidity risks and must be factored into any quantification exercise
5.15 Relying on a mark-to-market calculation as an estimate of replacement cost at the time of default might result in an understatement
5.16 Quantifying credit exposures on a net basis should only be done when a firm has appropriate counterparty documentation and is operating in a jurisdiction where netting is legally recognized
5.17 The efficacy of risk analytics should be demonstrated through regular quantitative testing
5.18 Independent verification of the analytics used to quantify risks should be undertaken
6 Risk Monitoring and Reporting
6.1 If risk cannot be monitored it cannot be managed
6.2 Top risks should be monitored continuously
6.3 The use of a "risk watchlist" report, which alerts participants to potential concerns or problem areas, can be a valuable management tool
6.4 Standard risk reports should be supplemented by special reports that provide an indication of illiquidity, mismarks and other problems
6.5 It is more useful to have timely reporting of 90% of a firm's risk exposure than delayed reporting of 100%
6.6 Information should not come from multiple sources - a single, independent source should be used as the kernel for all reports, and should be audited for accuracy on a regular basis
6.7 The ability to relate profit and loss to risk, in detail, is paramount
6.8 Profits must be reviewed with the same rigor as losses as they may be indicative of large, or unknown, risks
6.9 Some risk positions generate losses instantaneously while others bleed profits over time; P&L decomposition can help identify losses in both cases
6.10 Reporting should focus on the essential - simple reports that convey the right information are often the most effective tool
6.11 Management reporting should generally commence with broad summaries of key risks for board directors and senior executives, and increase in detail as it moves down the management chain
6.12 Senior managers in the risk governance structure must receive and review risk information on a regular basis
6.13 Ready access to detailed risk information is critical
6.14 Reporting should be flexible enough to provide all relevant views of risk information
6.15 Regulatory reports are generally not sufficient to manage a complex business
6.16 Regulatory reporting requirements are likely to increase over time and should be borne in mind when designing reporting mechanisms
6.17 More, rather than less, disclosure of credit and market risks to external parties is preferable; it adds transparency and comfort
6.18 Reporting should not be aimed at very limited audiences or be done "for show"
6.19 Use of "flash reporting" can provide an early indication of P&L and risk performance
6.20 Monitoring processes should be implemented to verify the nature of collateral and counterparties
6.21 Public credit ratings can be useful for "third party" confirmation and monitoring, but should not be regarded as a substitute for proprietary internal ratings
6.22 Financial markets contain a great deal of credit information - monitoring the stock prices and credit spreads of counterparties can be helpful, especially on the downside
7 Risk Management
7.1 Risk managers should be visible and available
7.2 Risk officers and risk takers should discuss risk issues on a regular basis
7.3 Risk managers should be in regular contact with market participants - the market has a great deal of information that can be used in daily management of risk
7.4 Risk managers should strive to be "value added" by searching for beneficial risk solutions whenever possible
7.5 Risk decisions should be documented clearly in order to avoid errors and misinterpretation; good documentation establishes a proper audit trail
7.6 When a potential risk problem is discovered, immediate action must be taken; problems must not be permitted to grow out of control
7.7 Risk decisions should not be driven by competitive pressures
7.8 If other institutions do not want to accept a risk-bearing deal, there may be a reason for it - it is important to determine whether it should be a factor in approving or declining the risk
7.9 Prudent risk reserve mechanisms should be established for concentrated, complex, illiquid or marked-to-model risks
7.10 Credit reserve mechanisms should be implemented in order to encourage active management of credit risks
7.11 Failure to price the cost of credit risk will ultimately lead to a misbalanced credit portfolio and credit losses
7.12 A risk is not hedged or sold until it is actually hedged or sold; just because it is "theoretically" possible to hedge or sell a risk does not mean that it can be done
7.13 Active management of asset and funding liquidity is vital in order to avoid potential losses
7.14 Since liquidity has a tendency to disappear quickly, conservative liquidation assumptions should be used when managing risks
7.15 An investment account must not be regarded as a trading account for illiquid positions
7.16 Large deals mean large - and possibly illiquid or unhedgeable - risks; they must be managed carefully and command an appropriate premium
7.17 Concentrated risks can be very damaging and must be managed actively
7.18 Risk takers should be limited to taking risk in specific markets and instruments
7.19 Risk-bearing positions must be booked/housed in officially sanctioned trading systems
7.20 Using financial incentives and penalties to influence risk-taking behavior is an effective management tool
7.21 Aggressive risk-taking behavior, which may ultimately create risk problems, should be managed closely
7.22 Risk mitigation should not be mistaken for risk migration
7.23 Risk mitigation/migration tools should be used wherever possible
7.24 Attempting to predict what will happen in the future is hazardous - the risk function should be realistic in assessing the time horizon of deals, structures and credits
7.25 Understanding why a client is entering into a complex risk trade is important; if suitability emerges as an issue, it should be made known to legal officers
7.26 Strong client sales practices can help mitigate risks
7.27 Executing a risk-bearing deal to accommodate a client or build a client relationship does not justify the assumption of bad risk
7.28 Where possible and feasible - and without compromising confidentiality - counterparty information should be shared with others seeking to extend credit
7.29 Collateral taken in support of an exposure should relate directly to counterparty credit quality, the size of the risk exposure and relevant concentration/liquidity parameters
7.30 Legal and operational staff should be familiar with triggers and clauses that can be influenced by credit, market and liquidity events
7.31 Legal documentation that protects multiple products/eventualities can help control risk exposures
7.32 A legal documentation backlog may ultimately lead to operational/legal errors and losses - authorizations, guarantees, confirmations and master agreements should always be as current as possible
7.33 Establishing documentary targets and thresholds can help limit operational and legal risks; incomplete documentation should be prioritized by creditworthiness and risk exposure
8 Risk Infrastructure
8.1 Data is the fundamental component of any risk process - bad data leads to bad information and bad risk decisions
8.2 A single source of trade data should be used whenever possible to ensure consistency; when this is not possible, data processes must be properly reconciled and audited
8.3 Technology should be made as flexible as possible in order to accommodate the changing business environment
8.4 Risk requirements should be a central part of any business technology blueprint
8.5 Technology changes that impact risk management, finance, legal, regulatory reporting and operations should always be considered jointly
8.6 Minimum standards related to risk technology, analytics and reporting should be applied to all risk-taking business
8.7 A risk control system is not a risk management system; the two are different and both are necessary
8.8 The technology platform that generates valuations and risk information must be under the scrutiny/control of technological auditors/risk managers
8.9 Changes in risk measures, processes or technology by the trading or risk management functions must be thoroughly developed, tested, reviewed and documented before being implemented
8.10 Use of short-term, temporary infrastructure solutions is acceptable, but these should be replaced by robust solutions as soon as possible
8.11 When automated infrastructure solutions are not available, the best manual solutions, with checks and balances, should be implemented
8.12 "Off-the-shelf" technology solutions that provide 80% or 90% of the capability a firm is seeking can be an ideal solution
8.13 Infrastructure contingency plans should take account of all risk requirements
9 Summary
Selected References
Index