Setting Up A Sound Risk Management Framework

  print  

This article is the first in a series of articles exploring risk management for institutional investors.

Risk has become a growing concern for most financial institutions today. Irrespective of whether this concern stems from an increasingly competitive marketplace or from more stringent regulations, financial institutions must have a robust risk management framework in place if they wish to survive in a more interconnected and complex world. The continuously growing level of sophistication of financial engineering has challenged risk systems to the limits - this is one of the causes of the sub-prime crisis - and pushed some employees to the edge as the recent case of rogue trading at Socièté Générale has demonstrated. In order to guarantee the appropriate management of activities, risk managers need to remain independent from the daily conduct of the business, possess the highest degree of integrity and empowerment within the organisation, and rely on robust and validated risk systems. Generally speaking, a robust risk management framework is based on five essential components: a strong corporate governance that diffuses a positive risk culture from the top to the bottom of the organisation, a coherent and exhaustive set of policies and procedures, the technological capability to extract data about the organisation's performance and the risk of its uncertain environment, know-how in measuring this uncertainty, and finally, its ability to monitor risk on an ongoing basis in order to optimise the risk taking process.

Corporate Governance = Positive Risk Culture

An organisation will not manage risk if its members do not decide to do so. Regulators struggle with that reality regularly. If an organisation sees some benefits in managing risk, then it will promote a positive risk culture across the board.

But truly, it belongs to the Board of Directors ("Board") to encourage discussions between the members of the organisation about its risk appetite. Ultimately, the Board will validate the policies and procedures, define the risk tolerance, and establish the risk strategy. Then, the main role of a risk management function is to act as an advisor to the Board and, as such, should be independent from senior management, which delegates its responsibility to manage risk to the risk management function. Internal constructive and meaningful debates lead to the development of a positive risk culture.

The main driver of a positive risk culture lies in individual accountability. If a risk or set of risks is assigned to a group, its management will be hazily diluted amongst its members without a clear understanding and accountability. Individual accountability maintains individual awareness at every level of an organisation. A risk or set of risks should fall into one's duties, and individuals' performance should be assessed according to their effectiveness in managing them.

A second attribute of a positive risk culture is the constant challenging of each other's decisions and ideas. This guarantees that everyone fully understands and acknowledges the pros and cons of a given decision, and evaluates the consequences for themselves and the organisation as a whole. Good decisions should be rewarded to encourage the generation of creative but realistic ideas.

Finally, a positive risk culture leads individuals to admit their own knowledge limits, which implies the identifying and managing of one's own capabilities. Defining appropriate training and encouraging the sharing of knowledge and experience maintains cohesion within and amongst teams.

Accountability, creativity, transparency, and honesty are the key attributes of the individuals working in a risk management function.

Polices = Procedures

Regulators are mainly concerned about minimising the risk that an organisation takes, while the organisation needs to be concerned about optimising this risk - achieving the greatest reward possible for an acceptable level of risk. Therefore, organisations should develop their own set of procedures, which should be aligned with the organisation's goals and risk appetite. Procedures crystallise one's tasks and duties. Once risk management personnel have been matched to their level of competency, interest, and accountability, procedures empower them in the eyes of the rest of the organisation.

Procedures should not be too lengthy, but still detailed enough to enable a replacement to perform these tasks in the absence of the allocated individual. Procedures also help an individual execute his duties by detailing every step that needs to be taken to complete a task. They should be clear, pragmatic, and to the point. Since activities within every organisation evolve along with the industry or the economy, procedures should be reviewed on a regular basis (at least once a year) to incorporate best practices, new regulation, or updates on systems and processes.

Data Utilization = Efficient Technology

Since intelligent decisions rely on timely and accurate information, the workflow of such information should be well thought-out and well managed. Data collection, and its enrichment and practical utilization, is a critical phase in any risk analysis. It is not uncommon that risk managers may spend up to 50% of their time on these necessary but tedious tasks.

Automation through technology could greatly help the risk management team by processing the hundreds of time-consuming steps required before the information included in any dataset can be utilized. Automation can also improve the communication within an organisation. For example, when a piece of information has been identified, checked, enriched and worked through, the outcome can be made available to many teams instantly.

Risk Measurement = Value-at-Risk

One of the most candid questions one can ask a risk manager is how much risk the organisation is taking. The question seems so simple that it is hard to imagine that it takes many complex mathematical models to draw simply the beginning of an answer. Risk management teams have historically calculated various risk measures, such as the size of open positions, the degree of maturity mismatch in the net position, the exposures of every single asset, the volatilities of those assets, and so on. These measures are very diverse and seem difficult not only to implement since the market is constantly evolving, but also to enforce within a multi-layered and multi-location organisation. For more than 15 years, a risk statistic called Value-at-Risk has arisen as a powerful tool to capture with a single estimate the complexity of an organisation's portfolio because of its ease to use and to implement across the board (though this apparent simplicity can be misleading at times since VaR is only valid within the set of assumptions that has surrounded its computation).

Value-at-Risk (or VaR) calculates the worst expected loss over a given horizon at a given confidence level under normal market conditions. It provides a single number summarising the organisation's exposure to market risk and the likelihood of an unfavourable move. VaR provides a predictive tool to prevent portfolio managers from exceeding risk tolerances that have been developed in the portfolio policies. It can be measured at the portfolio, sector, asset class, and security level. Multiple VaR methodologies are available and each has its own benefits and drawbacks. The three main methodologies are Parametric (also called Analytical), Historical Simulations, and Monte Carlo Simulations. (These will be studied in greater detail in a future edition of this newsletter.) To illustrate, suppose a $100 million portfolio has a monthly VaR of $8.3 million with a 99% confidence level. VaR simply means that there is a 1% chance for losses greater than $8.3 million in any given month of a defined holding period under normal market conditions.

Since VaR gives only one estimated number, it should be complemented with "what-if" scenarios to provide a bit of substance about the change of VaR that results from various changes in the market. These scenarios, also called stress tests, help identify extreme events that could trigger catastrophic losses. They test market, historical, or user-defined scenarios (e.g., what happens to the performance of the portfolio if interest rates rise sharply). Stress testing can be applied at the market, sector, curve industry, or even security level. Some examples include parallel shifts in equity, FX, spread, interest, or volatility.

Finally, in order to reconcile the capability of VaR to forecast a potential large loss, every VaR model should be backtested. Backtesting validates that actual losses are in line with forecasted losses. It entails comparing the historical VaR estimates with their associated portfolio returns. Frequent so-called violations of VaR - meaning that the actual losses have exceeded the forecasted losses more than expected - is an indication that VaR has not been well fine-tuned or that another methodology should be employed for this portfolio.

Supervision = Ongoing Monitoring

Once VaR has been produced, it needs to be analysed and interpreted against the investment policy and the risk tolerance of the investment management. This is generally done within an Investment or Risk Management Committee. However, since the process of computing VaR can be computerised, its oversight can also be automated. VaR limits can be assigned at various levels within a portfolio: total, country, industry, sector, asset class, counterparty, currency, etc. These VaR limits work exactly the same as the market risk limits, stop-loss limits, exposure limits, and counterparty limits do.

In order to operate properly, a risk management function needs to be independent from the day-to-day operations and protected from any kinds of influences. To ensure that senior management keeps the risk management function separate from the business, independent controls must be put in place. Ongoing audits and external validations of the models and procedures used in a risk management function can benefit both the risk management team as well as the executives of the organisation.

Conclusion

As risk is intrinsically linked to the performance of a fund, having an efficient risk management framework in place is crucial to any organisation that manages money. This framework must integrate the various components of the framework and make them work as a virtuous cycle. First, a positive risk culture promoted from the top of an organisation throughout its baseline sets a solid necessary foundation to acknowledge and raise awareness about risk. Second, the establishment of a set of policies and procedures provides every employee with clear guidelines to deal with the risk. Third, the treatment of data gathers evidence of risk. Fourth, risk measurement produces quantitative indicators of the amplitude and of the potential optimisation of the risk. Finally, the supervision of risk maintains its presence within manageable boundaries.

Risk management is an art and also a science in the sense that it takes years to acquire the required quantitative skills to model risk and then years to incorporate the output of all these models into a broader and more qualitative picture. Only the implementation of a sound risk management framework can enable any organisation to get to that advanced stage.

The next article in the risk management series will present an overview of Value-at-Risk.