In Pursuit Of Best Practices For Enterprise Risk Management
Publication Date: Sep 21, 2005 09:49 EST
Reprinted from RatingsDirect
During in-depth discussions with leading risk managers, Standard & Poor's Ratings Services noted differences of opinion on several fundamental precepts of enterprise risk management in general and risk management of trading operations in particular. The following three areas showed a range of opinion:
- The role modern portfolio management measurement methods should play in risk management practices;
- What "independence" of risk managers should actually mean; and
- The extent of the power of the risk management function.
Standard & Poor's has drawn some conclusions from these discussions about best practices.
Measurements
The field of risk management has evolved in several significant ways during the past 20 years. The most visible—and perhaps most seductive—change has been in risk measurement. High-powered computing has made possible sophisticated modeling of market risks, based on the mathematics of portfolio theory and statistics known as Value-at-Risk (VaR) models. That modeling capability is now being grafted onto the areas of credit and operational risk measurement.
The seeming simplicity and precision of the answers one can get using these measurement techniques is very attractive to managers and regulators. Meanwhile, some risk managers, even at major financial firms, remain unconvinced of VaR's benefits. These managers maintain models merely to placate regulators, and they may not invest in updating and enhancing them. Developing a robust model or even implementing an off-the-shelf model entails careful thought, massive amounts of data feeds, continual testing, and constant refinement. Those who do not invest effort and money do not get a robust model, or even a useful one for risk diagnostic purposes. Their models won't produce results that are comparable to other models using seemingly similar techniques.
Whether or not they find value in VaR models, firms rely more on older sensitivity measures—DV01, notionals, gamma, and vega—for day-to-day risk management of individual trader positions. The belief is that such measures are more sensitive in picking up the risks of specific instruments than are the blunter measures of VaR. Firms also maintain very sophisticated models for the purpose of pricing the instruments they sell, because an incorrect price opens the firm to the possibility of being picked off by other dealers or customers and getting the profit-and-loss statement wrong.
Nevertheless, the VaR models appear to be a favorite tool of risk managers who see their main function as ensuring that the firm does not find itself with concentrated exposures to any risks. In contrast to the more granular types of risk limits traders have—notional amounts, sensitivity measures, and Greek measures, for example—VaR alone provides a common language of risk across all asset classes and remains more useful for analyzing aggregate exposures for complex portfolios. In addition, VaR helps a firm understand its exposure to certain scenarios or stress tests.
Most firms perform some sort of scenario or stress tests. The differences lie in how the stresses are developed—whether they represent only some historical worst cases or some hypothetical ones tailored to expose the firm's special vulnerabilities as well—and how sophisticated the models are in capturing the correlated effects of a shock to a specific market. For some firms, the stressed VaR becomes the firm-wide basis for limit-setting and capital allocation. That is good if the stressed scenarios were thoughtfully elaborated. If not, however, the stressed VaR becomes merely a very high limit that will never be breached and therefore will never trigger hard discussions about risk exposure.
Most seasoned risk managers understand that VaR models are merely to be used as diagnostic tools; they do not provide precise or scientific predictions of worst-case losses for the firm. Assumption-laden and data-dependent, VaR is best suited to depicting the recent past and not a future that could always suffer a paradigm shift or temporary discontinuity. Stress tests are more realistic than are daily VaR calculations for imagining a worst case and for setting capital. Daily VaR is more useful as a way of managing day-to-day trading exposures under normal market exposures.
We place emphasis on having robust models not because of their ability to produce precise measures of risk, but because of the systems requirements to operate them. These systems are very useful in providing a comprehensive aggregated view of risk positions in a framework that makes it possible to analyze the risk positions and their correlations. VaR models also are the only way in which correlations can be viewed across multiple instruments.
Risk Function Independence
Given that risk measurement is not the be-all and end-all of managing risk, we place a great deal more emphasis on risk governance. Risk management is about the policies, the built-in incentives, and the communication of risk. It is about how a firm defines and enforces its risk culture.
It would seem obvious that the risk management function, whether it pertains to credit risk or market risk management, should be independent. But what does independence really mean? In terms of organizational structure, risk managers and back offices should not report to the front office—to traders or heads of markets. On that there is little disagreement; however, beyond that there is little consistency.
Market risk managers often report to the CFO or CEO of the investment banking or the capital markets division of a universal bank. We believe this does not represent sufficient separation of the risk function from those who are charged with revenue production. In the purist model, we see market risk managers with reporting lines that lead to the credit risk officer, who in turn reports to the CEO of the entire organization. This kind of centralized model seems preferable, but it is insufficient in itself to ensure the effectiveness of the risk management function. The danger of this model is that it could result in too much independence. Separating risk management too much from the business functions could result in too little interaction with and understanding of the trading business to facilitate truly informed decision making.
More important than the reporting lines to ensuring independence is the quality of the people in the risk management function. They must have a stature within the organization that warrants the respect of the traders. That is a matter of personality, education, and experience, not of official designation. If risk managers understand the traders' businesses, can engage in meaningful, constructive dialogue with the traders, and can make forceful and sensible arguments, they can gain the respect of the traders. Otherwise, traders will always prevail, no matter how strict the enforcement approach proves to be.
Reporting Structure And Power
What emerges, then, is the inherent tension between the requirement for independence and another critical tenet of good risk management: the need to foster communication within the firm between the risk takers, risk managers, and the full hierarchy of senior management. It is a question of the delicate balance between the need to control conflicts of interest and the need for a business partnership between the risk managers and the risk takers, for the risk takers must ultimately own the risk.
We have seen a variety of practices between the two extremes, with arguments supporting each model. The argument for the distributed model of organization, where the risk managers report to the business head or CFO of the business unit, rests on the belief that the interaction between risk management and the business is best fostered by risk management being embedded in the business. We have seen variations of this theme, where there is a relatively small corporate-level risk management function reporting to the CFO, and risk managers who face off with the business unit reporting to the CFO of that business unit, with only a dotted line to the central risk management function.
The argument for the purist model, with centralized risk management reporting to the CEO, is that it elevates the stature of risk management within the firm. Most importantly, risk will have a direct voice in strategic decisions of the firm, increasing the likelihood that the risk dimension will become integral to the process. It may also be easier to get funding for the risk function if the request is not made through the voice of the CFO. Knowing that risk management has direct access to the ear of the CEO could also exert a subtle influence on traders' attention to the opinions of risk management. True respect for risk management, however, must be earned in other ways that are more important than reporting structures. The key issue is the competencies of the people in the risk function, the quality of the dialogue they can have with the traders, and the value of the insights they can provide into the trading business itself.
While the industry is generally evolving toward a more centralized model, many firms still stop short of having risk management report to the CEO rather than the CFO, and some have switched back and forth on the issue. The distributed model seems to be more prevalent in the small, more specialized firms. It is the large, universal banks that have moved to the centralized model with a formal hierarchy that may start at the top with a chief risk officer, with those in charge of the various risk areas (credit operations, market risk, etc.) reporting in to that person. The issue is perhaps a function of the complexity of the business. For brokers, whose trading operations lie at the heart of their business, the CFOs tend to be very close to the business; a risk function that reports to the CFO renders the CFO as the de facto chief risk officer, similar to the more distributed models that have the risk function reporting to the CFO of the investment bank or capital markets division. For banks that also have retail and commercial banking operations, a more centralized function is needed.
The Risk Partnership
Perhaps more important than the reporting lines are the subtler issues of the nature of the business partnership between risk and business units. Risk management must have the respect of the business units. Otherwise it will be ineffective, a sort of policeman or "ivory tower quant" group. The competencies of risk management must be on a par with those of the traders, which generally means that risk management has to be prepared to pay up for talent. A culture of constant contact and communication is also necessary. It is really a tricky issue of collaboration between the risk function and the traders. The business unit must see value in the risk function. It is, after all, in the best interests of the business to stay within the desired risk tolerance of the firm. The risk function can certainly help the business analyze its risks. It can provide a fresh and objective view of the proposed trades, one that should be valued by the traders. Ideally, traders should be willing to accept the risk function's opinion not because it has the authority to enforce that opinion, but because of the force of the argument it presents.
If the risk function is sometimes weak, it's because the role is merely one of calculating the risk equivalents and generating reports. In that case, risk management becomes a reporting and control function, which is not desirable. It reduces risk management to the role of a policeman, who is only there to tell traders when they have done wrong. We have also seen organizations in which reporting and control reported to the business unit, but the risk management unit was an independent, centralized function, using the reports and analysis generated by the control team. The business unit can want to control the analysis and reporting function because it is useful to management. While that arrangement lacks the attribute of independence, it could work if the interests of risk management and the business unit are allied. Nevertheless, it indicates a lack of respect for the risk function if the business feels the need to control the reporting.
On the question of limits-setting, all firms have some formal limits structure to govern market risk takers, not unlike the limits structures governing credit risk-taking. They vary in how involved the risk management function is in setting those limits at each level of the limits hierarchy—the overall firm-wide limit, the business unit-level limits, the desk limits, and the trader limits. The industry norm is for risk management to participate in the process down to the desk level. In large firms, which can have many traders to a desk, cascading the limits down to the trader level is the responsibility of the desk head. In some firms, however, individual traders have no limits at all! In some firms, where a centralized risk management function is newer and where the business units control more of the risk process, risk cascades the firm-wide limit only down to the business unit level. In others, with a purist form of centralized risk management, risk cascades down to the individual trader. The industry norm, however, strikes a balance between giving risk management control over risk concentrations and making risk management so involved in individual trades that they risk becoming like traders or business managers themselves. Just as the cascading process for limits is important, so is the methodology used to arrive at the limits. How much input does the business have in the process versus risk management? We believe risk management should drive the process, though it should do so in collaboration with the business units, and with a deep understanding of the business needs and prospects, the risk appetite, and the budget goals of the firm.
There is also a variation in limit-setting philosophy. Some like to set limits high, at a level that expresses a stressed case level of potential losses that is deemed tolerable to the firm. Risk management then typically would not interfere unless the limits were in danger of being breached. Others like to set limits low, so that there would be frequent requests for temporary excesses, on the theory that this process triggers communication and keeps risk managers informed. Communication would seem to be a good thing, but if excesses are granted on the basis of the business sense of the trade and its risk-reward trade-off, does frequent granting of excesses turn risk managers into business managers themselves? Is it not better to let traders operate freely, subject only to broad exposure constraints?
There is also industry variation on how important intraday limits are. Some desks would normally experience a high daily turnover of positions (currencies, government bonds, cash equities), others less. Most firms believe the desk heads would expect traders to stay within their limits during the entire day, and that desk heads would have a feel for whether that was true based on real-time position-tracking systems. But only a couple of firms have an ability to monitor intraday limits in real time. Merely having a set of limits is not a sufficient condition for defining the risk appetite of a firm. As carefully as the limits may be defined and attuned to the budget and the realities of the business environment, they do not capture the essence of what the risk culture should be. In fact, they could backfire, in that traders could game them—try to maximize the amount of trades they can do while staying within their risk limits. Something else is needed to provide a moral compass, which everyone in the firm can use to make myriads of daily decisions about appropriateness beyond the question of whether a trade is within limits. "No surprises" is one attempt at such a standard but is too vague and trite, because it could apply to any firm. A clear qualitative description of the risk appetite should include reference to the desired risk profile of the firm, its strategic and its budget goals. A holistic perspective on risk appetite would also include a crisp quantification in terms of stress limits or stop-loss limits and its impact on the firm's capital and earnings.
One important piece of the intricate risk management puzzle is the back office, the processing function. Not only is it important that the back office cannot be subverted—incented to allow the front office to manipulate the trade processing in ways that alter the profit and loss statement; it is also important that it be adequately resourced to handle large volumes of trades. Controls in the back office have played a large role in many of the most visible trading debacles. Yet risk managers frequently are unfamiliar with that area. The back office still is seen as a service center, frequently reporting to the business unit, though not to the front office traders within it. Less frequently, it reports to the COO or CEO of the group. It seems to us that this critical process of the risk management framework should be under the purview of risk management. For one thing, it may have better access to resources if it reported to a risk management framework that itself had a high stature within the firm. As it is, back-office capacity is frequently outrun by volumes. The caveat is that at present, risk management does not generally have the skill set or the experience. That skill could be acquired over time, and would further the more holistic view of risk in an enterprise-wide risk framework.
As different as the risk structures at various large firms are, it is sometimes difficult to say that different structures may work for different types of firms. In particular, the smaller, more focused types of trading houses have thrived for years with a relatively decentralized type of structure, with less formal documentation and procedures and less in the way of checks and balances from independent bodies. They rely instead on excellent communication flow and a strong understanding of the firm's risk appetite on the part of all business managers. The problem is that as a firm grows, it may become too complex to work in this fashion. The point at which that happens will not necessarily be apparent ex ante. Thus, our position is that the following attributes of best practices are important:
- A robust internal information system is needed that permits sophisticated analysis of portfolio risks and stress testing;
- Risk limits need to be assigned by the risk function down to the desk level; and
- A holistic and well-articulated risk tolerance statement is an important aspect of developing a strong risk culture.
The risk function needs to strive to attain a high stature within the firm. A centralized reporting framework reporting to the CEO is preferable but insufficient to ensure the independence of the risk function. An emphasis on the quality of personnel who can work effectively in a partnership with the business units is a critical aspect of a strong risk function.