Simple Rules of Risk

ERIK BANKS has held senior risk management positions in several global financial institutions. In 2001, Erik joined XL Capitals weather/energy risk management subsidiary, Element Re, as Partner and Chief Risk Officer. Prior to that he spent 13 years at Merrill Lynch, where he was Managing Director of Corporate Risk Management, responsible for the firms risk infrastructure; before that he spent 8 years abroad, managing Merrills credit and market risk teams in London, Hong Kong and Tokyo. Prior to joining Merrill Lynch in 1988 he was credit officer at Citibank and Manufacturers Hanover in New York. Erik is author of seven other books on risk, emerging markets, derivatives, merchant banking and electronic finance; he is also editor and co-author of a book on weather risk management, and is working on various new financial texts.

• Acknowledgements xvBiography xvii1 Introduction 11.1 Risk and risk management 11.2 Qualitative and quantitative approaches to risk management 21.3 Financial losses and failures of the risk process 61.3.1 Showa Shell Seikyu 81.3.2 Procter and Gamble 91.3.3 Metallgesellschaft 101.3.4 Orange County 101.3.5 Barings 111.3.6 Sumitomo Corporation 121.3.7 Long Term Capital Management (LTCM) 131.3.8 Enron 141.3.9 Allfirst 151.4 Diagnosing risk process problems 161.4.1 Flaws in governance 161.4.2 Flaws in identification and measurement 171.4.3 Flaws in reporting and monitoring 171.4.4 Flaws in management 181.4.5 Flaws in infrastructure 191.5 Strengthening risk practices 201.6 The simple rules of risk 211.6.1 The cardinal rules 222 Philosophy of Risk 252.1 Risk-taking should be aligned with other corporate priorities, directives and initiatives 252.2 Risk should be viewed on an enterprise-wide basis in order to understand how it impacts the entire organization 272.3 Deciding to become an active risk taker without implementing a robust risk process is likely to lead to financial losses 272.4 Actively assuming risk requires support from key stakeholders and commitment of necessary financial resources 282.5 Risk generates profits, and can therefore benefit a firm — it must, however, be managed properly 282.6 Risk is a finite resource that is driven by capital 292.7 Risk capacity is not free and proper compensation must be obtained; the process should be disciplined and applied without exception 302.8 More risk should be taken when it makes sense to do so — but only if the reasons are well established and the returns appropriate 302.9 A robust risk/return framework should be used to evaluate the performance of risk-taking activities 312.10 Risk-taking should be confined to areas in which a firm has technical expertise and a competitive advantage 312.11 “Worst case scenarios” happen with considerable frequency in an era of volatility and event risk. the lessons of history — financial cycles and crises — provide useful risk information 312.12 Understanding the dynamics of different risk classes can help define an approach to risk 322.13 Senior management should know the strengths, weaknesses, motivations, expertise and risk behavior of its business leaders and risk takers 332.14 Healthy skepticism — though not cynicism — can be useful in considering risks 332.15 Though risk activities of financial and non-financial companies are based on similar principles, they often feature important differences that must be thoroughly understood 342.16 Creating a risk capability and presence should be regarded as a long-term endeavor 342.17 Once a risk philosophy is defined, it should be communicated clearly and followed with discipline 353 Risk Governance 373.1 Risk classes need to be clearly defined and delineated 393.2 Clear expression of firm-wide risk appetite is essential 393.3 The risk governance structure should assign responsibility for risk to senior officials from various parts of the organization; these officials must ultimately be accountable to the board of directors 403.4 Accountability for risk must run from the top to the bottom of an organization; senior management must not claim to be unaware of risk, or be in a position where they are unaware of risk 413.5 Human judgment is remarkably valuable; years of “crisis experience” can be far more valuable than recommendations generated by models 413.6 Independence of the risk function must be undoubted 423.7 Other key control functions must remain equally independent of the business 433.8 The risk process must be dynamic in order to be truly effective 433.9 Disciplined application of the risk process is a necessity 433.10 An ineffective control process is a source of risk that must be addressed 443.11 Risk takers must have clear reporting lines and accountabilities 443.12 Compensation policies for risk takers must be rational 453.13 Trading managers and investment bankers should be the front line of risk management — accountable, in a measurable way, for assuming “good” risks 463.14 Once management has confidence in its risk process, it should let business managers conduct business and monitor the results 463.15 Appropriate limits should exist to control risks 473.16 Risk policies should be used to define and control all risk activities 473.17 A new product process should exist to evaluate the nuances and complexities of new instruments, markets and transactions; the same should apply to capital commitments 483.18 The nature and structure of risk policies, metrics and reporting should be reviewed regularly to account for changing dimensions of business 493.19 An effective disciplinary system is crucial; if limits/policies are breached, quick disciplinary action must be taken — if decisive action is not taken, the risk governance process loses credibility 493.20 The risk organization must carry stature, experience and authority in order to command respect 503.21 The knowledge that an experienced group of professionals is scrutinizing risk is a very powerful risk management tool 503.22 Hiring the best risk experts available, with a broad range of credit, market, legal and quantitative experience, is a worthwhile investment in the firm’s future 513.23 Ensuring the risk function possesses the right mix of skills and experience strengthens the management process 513.24 Risk takers, risk managers and other control professionals should rotate regularly to remain “fresh” in their experience and perspectives 523.25 Risk expertise must be disseminated throughout the organization 523.26 Preserving an institutional memory of risk issues is important for future management of risk within a company 533.27 General risk education should be mandatory throughout the firm 533.28 Educational efforts should focus on concepts that are part of the daily operating environment 543.29 Risk specialists should question and probe until they are satisfied with the answers — they should not be afraid to query and challenge “business experts,” even when it seems difficult to do so 543.30 Risk management spans many fronts — allies in audit, finance, legal and operations can help in the process 553.31 A constructive relationship with business units can be more productive than an adversarial one; but a constructive relationship does not mean approving all business deals and risks 553.32 Risk decisions should be made quickly and firmly; overruling the decisions of risk subordinates should be kept to an absolute minimum 563.33 Consistency is vital throughout the risk control organization; this eliminates the possibility of “internal arbitrage” across regions and businesses 563.34 Risk officers should be involved in every aspect of the firm that has a risk dimension to ensure that the proper perspective is always represented 573.35 A risk crisis management program, with clear authorities, responsibilities and expectations, should be designed for quick implementation 573.36 Sensitivity to regulatory requirements is important 583.37 The governance process must provide senior managers with an ability to view and manage risk on a regulatory/legal entity basis 583.38 Regular internal audits of the risk process should be performed 594 Risk Identification 614.1 Proper identification of risk can only occur after a thorough understanding of a product, transaction, market or process has been gained 614.2 All dimensions of risk must be identified; risks that might be less apparent at the time of analysis should not be ignored, as they can become more prominent as market conditions change 624.3 The identification process should serve as the base for the quantification process; risks that are identified should be quantified, and ultimately limited, in some manner 624.4 The identification process should follow a logical progression — beginning with the most common or essential, and moving on to the more complex or esoteric 634.5 In the search for more complex dimensions of risk, care must be taken not to overlook the most obvious risks 644.6 Risk identification should be an ongoing process that continually re-examines all dimensions of exposure 644.7 Risk officers should work with traders, product experts and finance personnel to analyze products and identify risks 654.8 Risk specialists must focus on details because the discipline is complex; but reviewing broader “macro” issues is also an important part of the risk process 654.9 Cooperation between different control units can lead to identification of risks that “cross boundaries” 664.10 All sources of settlement risk must be identified 664.11 Hedges may not always function as intended; potential “problem hedges” should be identified in advance 674.12 Risk arising from convergence/divergence trades must be identified 674.13 Models used to price and manage risks may contain risks of their own 684.14 Risk exposures created through changes in the structure and timing of cash flows must be identified 684.15 New products and markets can contain special risks that have not been encountered before; these risks should be thoroughly understood 694.16 Local markets may possess very unique risks and due care must be taken to understand them 694.17 “Risk-free” strategies with above average returns are rarely risk-free; pockets of “hidden” or structural risk may exist 704.18 If the identification process reveals that a large number of firms are extending credit to a counterparty, caution should be exercised 704.19 The existence of “credit cliffs” can result in the creation of sub-investment grade credit exposures, and should be identified in advance 714.20 Market risk concentrations must be properly identified 714.21 Understanding and identifying the links between liquidity, leverage, funding and exposure is vital 724.22 During times of market stress, market and credit risks can become linked; advance identification of these linkages can help avoid problems 724.23 Risk outside a specialist’s domain that is discovered during the identification stage should be forwarded to a unit with direct responsibility 734.24 Identifying the source of the next “large loss” can provide guidance on the nature/quality of controls needed to protect against such a loss 734.25 If an unexpected loss occurs, the identification process may not be working correctly and should be reviewed 745 Risk Quantification and Analysis 775.1 Risks discovered in the identification stages should be decomposed into quantifiable terms; this allows exposures to be constrained and monitored 775.2 Though certain risks can be difficult to quantify, basic attempts at measurement are important in order to obtain an indication of riskiness 785.3 Models are based on assumptions that may, or may not, be realistic; assumptions, and the impact they can have on valuation, must be well understood 785.4 Models should not be used to the point of “blind faith”—they are only ancillary tools intended to supplement the risk process 795.5 It is important to know which risks are marked-to-model and why 805.6 The effects of volatility on risk exposures should be quantified 805.7 The impact of correlation between assets, and between assets and counterparties, should be quantified 815.8 The valuation of large positions should be regarded with skepticism; proof, through periodic, random liquidation exercises, can help provide an assessment of fair value 825.9 Use of traditional risk quantification techniques may underestimate potential market risk losses if a portfolio or business is very illiquid 825.10 Scenario analysis can be useful in quantifying how risk profiles change with fluctuating variables 835.11 Quantifying the effect of “disaster” scenarios on risk portfolios is useful, but managing to such scenarios is not an advisable practice 835.12 “Safe” assets and exposures can become risky in a crisis — quantifying the downside of such exposures is useful 845.13 Credit and market risk linkages should be quantified when possible 845.14 Leverage can magnify credit, market, funding and liquidity risks and must be factored into any quantification exercise 855.15 Relying on a mark-to-market calculation as an estimate of replacement cost at the time of default might result in an understatement 855.16 Quantifying credit exposures on a net basis should only be done when a firm has appropriate counterparty documentation and is operating in a jurisdiction where netting is legally recognized 865.17 The efficacy of risk analytics should be demonstrated through regular quantitative testing 865.18 Independent verification of the analytics used to quantify risks should be undertaken 876 Risk Monitoring and Reporting 896.1 If risk cannot be monitored it cannot be managed 896.2 Top risks should be monitored continuously 896.3 The use of a “risk watchlist” report, which alerts participants to potential concerns or problem areas, can be a valuable management tool 906.4 Standard risk reports should be supplemented by special reports that provide an indication of illiquidity, mismarks and other problems 906.5 It is more useful to have timely reporting of 90% of a firm’s risk exposure than delayed reporting of 100% 916.6 Information should not come from multiple sources — a single, independent source should be used as the kernel for all reports, and should be audited for accuracy on a regular basis 916.7 The ability to relate profit and loss to risk, in detail, is paramount 926.8 Profits must be reviewed with the same rigor as losses as they may be indicative of large, or unknown, risks 936.9 Some risk positions generate losses instantaneously while others bleed profits over time; P&L decomposition can help identify losses in both cases 936.10 Reporting should focus on the essential — simple reports that convey the right information are often the most effective tool 946.11 Management reporting should generally commence with broad summaries of key risks for board directors and senior executives, and increase in detail as it moves down the management chain 946.12 Senior managers in the risk governance structure must receive and review risk information on a regular basis 946.13 Ready access to detailed risk information is critical 956.14 Reporting should be flexible enough to provide all relevant views of risk information 956.15 Regulatory reports are generally not sufficient to manage a complex business 966.16 Regulatory reporting requirements are likely to increase over time and should be borne in mind when designing reporting mechanisms 966.17 More, rather than less, disclosure of credit and market risks to external parties is preferable; it adds transparency and comfort 966.18 Reporting should not be aimed at very limited audiences or be done “for show” 976.19 Use of “flash reporting” can provide an early indication of P&L and risk performance 986.20 Monitoring processes should be implemented to verify the nature of collateral and counterparties 986.21 Public credit ratings can be useful for “third party” confirmation and monitoring, but should not be regarded as a substitute for proprietary internal ratings 996.22 Financial markets contain a great deal of credit information — monitoring the stock prices and credit spreads of counterparties can be helpful, especially on the downside 997 Risk Management 1017.1 Risk managers should be visible and available 1017.2 Risk officers and risk takers should discuss risk issues on a regular basis 1017.3 Risk managers should be in regular contact with market participants — the market has a great deal of information that can be used in daily management of risk 1027.4 Risk managers should strive to be “value added” by searching for beneficial risk solutions whenever possible 1027.5 Risk decisions should be documented clearly in order to avoid errors and misinterpretation; good documentation establishes a proper audit trail 1037.6 When a potential risk problem is discovered, immediate action must be taken; problems must not be permitted to grow out of control 1037.7 Risk decisions should not be driven by competitive pressures 1047.8 If other institutions do not want to accept a risk-bearing deal, there may be a reason for it — it is important to determine whether it should be a factor in approving or declining the risk 1047.9 Prudent risk reserve mechanisms should be established for concentrated, complex, illiquid or marked-to-model risks 1057.10 Credit reserve mechanisms should be implemented in order to encourage active management of credit risks 1057.11 Failure to price the cost of credit risk will ultimately lead to a misbalanced credit portfolio and credit losses 1067.12 A risk is not hedged or sold until it is actually hedged or sold; just because it is “theoretically” possible to hedge or sell a risk does not mean that it can be done 1067.13 Active management of asset and funding liquidity is vital in order to avoid potential losses 1077.14 Since liquidity has a tendency to disappear quickly, conservative liquidation assumptions should be used when managing risks 1087.15 An investment account must not be regarded as a trading account for illiquid positions 1097.16 Large deals mean large — and possibly illiquid or unhedgeable — risks; they must be managed carefully and command an appropriate premium 1097.17 Concentrated risks can be very damaging and must be managed actively 1097.18 Risk takers should be limited to taking risk in specific markets and instruments 1107.19 Risk-bearing positions must be booked/housed in officially sanctioned trading systems 1107.20 Using financial incentives and penalties to influence risk-taking behavior is an effective management tool 1117.21 Aggressive risk-taking behavior, which may ultimately create risk problems, should be managed closely 1117.22 Risk mitigation should not be mistaken for risk migration 1127.23 Risk mitigation/migration tools should be used wherever possible 1127.24 Attempting to predict what will happen in the future is hazardous — the risk function should be realistic in assessing the time horizon of deals, structures and credits 1137.25 Understanding why a client is entering into a complex risk trade is important; if suitability emerges as an issue, it should be made known to legal officers 1147.26 Strong client sales practices can help mitigate risks 1147.27 Executing a risk-bearing deal to accommodate a client or build a client relationship does not justify the assumption of bad risk 1157.28 Where possible and feasible — and without compromising confidentiality — counterparty information should be shared with others seeking to extend credit 1157.29 Collateral taken in support of an exposure should relate directly to counterparty credit quality, the size of the risk exposure and relevant concentration/liquidity parameters 1167.30 Legal and operational staff should be familiar with triggers and clauses that can be influenced by credit, market and liquidity events 1167.31 Legal documentation that protects multiple products/eventualities can help control risk exposures 1177.32 A legal documentation backlog may ultimately lead to operational/legal errors and losses — authorizations, guarantees, confirmations and master agreements should always be as current as possible 1177.33 Establishing documentary targets and thresholds can help limit operational and legal risks; incomplete documentation should be prioritized by creditworthiness and risk exposure 1188 Risk Infrastructure 1218.1 Data is the fundamental component of any risk process — bad data leads to bad information and bad risk decisions 1218.2 A single source of trade data should be used whenever possible to ensure consistency; when this is not possible, data processes must be properly reconciled and audited 1228.3 Technology should be made as flexible as possible in order to accommodate the changing business environment 1238.4 Risk requirements should be a central part of any business technology blueprint 1238.5 Technology changes that impact risk management, finance, legal, regulatory reporting and operations should always be considered jointly 1248.6 Minimum standards related to risk technology, analytics and reporting should be applied to all risk-taking business 1248.7 A risk control system is not a risk management system; the two are different and both are necessary 1258.8 The technology platform that generates valuations and risk information must be under the scrutiny/control of technological auditors/risk managers 1268.9 Changes in risk measures, processes or technology by the trading or risk management functions must be thoroughly developed, tested, reviewed and documented before being implemented 1268.10 Use of short-term, temporary infrastructure solutions is acceptable, but these should be replaced by robust solutions as soon as possible 1278.11 When automated infrastructure solutions are not available, the best manual solutions, with checks and balances, should be implemented 1278.12 “Off-the-shelf” technology solutions that provide 80% or 90% of the capability a firm is seeking can be an ideal solution 1288.13 Infrastructure contingency plans should take account of all risk requirements 1289 Summary 131Selected References 133Index 135