spikegifted.net - Risk Management

Assessment and Monitoring: How exposed are we to these risks?

This is the task and the holy grail for every risk manager - knowing how expose his/her organization is to risk. It is easier said than done. In modern financial services industry, the majority of institutions have gone through a number of mergers or have been acquiring or been acquired by others, which means that risk is now more concentrated than previously. Different organizations have different risk systems and it takes time and costs money to harmonize the differing risk methodologies and risk systems. At the end of the day, all the senior managers want to know is the "one magic number" - how much are we exposed to client x? or how exposed are we to event y? Nothing fancy, they don't really care how the number is made up as long as they've this one number. Of course, as a risk manager, you would want to know where that magic number comes from or how the component of that number you're responsible for is made up. That's where assessment and monitoring comes into play.

Since we now have good understanding of how an institution become exposed to risks and we know what kinds of risks these are, we can now allow the specialists in each of these areas to go forward and figure out how big these risks are on a continual basis. Before I try and describe what risk analysts in each of the risk functions do to earn their living, I need to qualify my statements: Each of these risk functions are highly specialized areas. While I have knowledge in credit / counterparty risk and debt capital markets origination which give me a good understanding of some of the risk areas mentioned, I'd be the first one to admit that I lack knowledge in areas that I haven't been exposed to.

1) Market Risk: The method employed to assess and monitor market risk is a derived from a combination of market pricing theory (random walk theory), portfolio theorem and efficient market hypothesis. The obvious question here is: Why are risk managers employing methods and theories used by traders and investors? Traders and investors strife to find value in a market place where they've to distinguish the different noise and information to give themselves a competitive advantage in trading situations. Their desire to loose money is no more than that of a financial institution. Why reinvent the wheel? The very tools that they use to make a living can be employed to manage their trading risks. This background results in the universal usage of value at risk (VaR) or variants of VaR. For VaR to work, it requires a collection of masses of relevant historical market data. Market data can be split into types of products (e.g. bonds and equities have very different behavior) and geographical region (e.g. emerging market equity markets behave very differently to those in the developed markets). Huge amount of resources (time, money, talent, etc) are spent on gathering of data and to ensure that the data obtained are 'clean and consistent'. These sets of data are fed into models and simulations. Once a historical model has been built, current market can then be added to the mix. In the end, the risk manager will have the ability to calculate the exact market risk exposure giving the size of movements in the markets for the entire portfolio of assets, calculated to three or more standard deviations. The whole concept is down to volatility. For any financial institution, it is equally likely to gain money or loose money due to market movements and unlike traders, who take directional bets on the markets, risk managers only want to know how market movements will affect their entire portfolio. This model works in most market conditions. However, it makes a gross assumption about markets - they are always liquid - which is not always true. In a market that lacks liquidity, investors behave very differently and prices behave erratically also. While markets are generally efficient over a long period of time, they are incredibly inefficient in very short time frames. Fortunately, in an efficient and liquid market, movements due to short-term information deficiency are ultimately 'smoothed out' by the spread of information. But in an illiquid market, prices are not reflecting the information available and this scenario can quickly build up momentum of its own and distort the market in a very short space of time, which in turn drives the market even more illiquid, compounding the problem. This is the risk loosing liquidity, resulting in exposure to liquidity risk. This is probably one area within market risk which cannot be satisfactorily addressed by current risk models.

2) Credit Risk: The approach to assess and monitor market risk is purely quantitative, which is good for the purpose. However, this approach cannot function properly in a credit risk context. The monitoring of credit risk can be broken down to three major areas - lending risk, pre-settlement risk and settlement risk. Lending risk is the simplest of the three to understand, it is the risk of default by the borrower and its assessment is purely qualitative. Pre-settlement risk is risk of credit losses due to changes in market conditions between the time of trading and settlement and it is both quantitative and qualitative. Settlement risk is, as the name suggests, the risk exposure as result of failure of settlement. Due to the board range of credit risk, the topic is broken up based on the 'liquidity' of the products. Money markets and capital markets products (secondary markets) are the most liquid of all markets. Credit risk exposure in these markets can by worked out using a combination of quantitative and qualitative methods. Since methods employed in market risk already worked out the volatility of products across different markets, it is only logical that credit risk managers should utilize such existing methodologies for their own use. However, not all credits carry the same risk for the same transaction, it is therefore important to classify the quality of the credits. This is where the qualitative part of the process come into play. This begins with an initial credit assessment using financial information gathered, following by a thorough credit due diligence if required and continual assessment by the analyst responsible. It is detailed and time consuming, but there really isn't a way round it. Qualitative assessment cannot simply be replace by quantitative methods simply because numbers do not take account of characteristics - which is found in abundance in financial services industry. Naturally, the qualitative process also relies on the analysis of numbers, but there are lots of non-numeric factors to take into consideration. In the derivatives markets, option pricing theory is heavily utilized to assess the risk of options, while risk on futures and swaps are primarily worked out by using historical volatilities of the relevant markets. Over-the-counter products and complex derivatives are usually broken down to their individual components to evaluate the various risk components. Moving away from the money, capital and derivatives markets, there is even less scope of applying quantitative methods on data. The reason being: once you move away from the organized markets, the data set becomes significantly less abundant and they often lack consistency. Some may argue that if the time period is stretched back long enough, it is possible to gather a good data set. However that, in itself, is inconsistent as market characteristics changes over time and what is relevant 20 years ago are probably no longer so. There are other markets where human judgment is better placed to evaluate the risk involved - trade finance, project finance, guarantees, letters of credit are but a few examples. With products that involve collaterals, it is essential that the value and risk of the collaterals to be taken fully into consideration to either eliminate collateral risk and correlation risk.

3) Operational risk: Both market and credit risks deal with problems external to the financial institution. Operational risk looks at risks arise out of the internal functioning of the organization. Operational risk is the art of quantifying internal system and human errors. Various models have be devised to come up to these magic numbers, but they all base on the following parameters: probably of failure (an event), loss generated by a given event (loss), throughput volume (exposure) and quality of the system (quality index). Probably of failure is derived from historical frequency of a given type of event taken place in a number of transactions. Loss generated by that event is quantified by the actual loss - usually the replacement cost (derived from volatility) of a given failed trade - the quantitative part of Pre-settlement risk. Exposure is number of transactions. And finally, the quality index is an arbitrary measure of how well the internal system function. This method only works for areas where a large number of transactions takes place and the risk managers can gather good statistical data. However, in parts of the operations where there're fewer transactions - like underwriting of debt or equity issues, exotic derivative transactions, securitization and loan administration - there are simply insufficient data points for the risk managers to draw meaningful statistical point for the models. Operational risk management is still very much in its infancy. Ideas and methodologies are still be experimented and the 'correct' approach is still a long way from being universal. Given that most important parameter for working out operational risk is not a number derived from data, the process of working out operational risk exposure of a financial institution is, as far as I'm concern, still an art rather than a science.

4) Legal and Regulatory Risks: For some people, legal risk is part of operational risk, which probably has some truth in it. This is because legal risk arise as the result of a failure of an institution's internal legal procedure or in cases where third party carrying out legal work for an institution, it is being questioned by investors. However, given that the process of assessment of legal risk is entirely qualitative, it is difficult for me to classify it as part of something that involves, by and large, a quantitative process. Both legal and regulatory risks are assessed and monitored by the legal, compliance and internal audit departments within the institution. In cases where third parties are carrying out the work, complicated legal languages are used to remove the firms responsibility to the third party and it is up that party to ensure that their work satisfy any legal requirements. The internal control departments tend to carry out regular audits of the various operations within the financial institution to ensure that the operators are operating within regulatory limits and that the processes carried out are consistent and accountable. Additionally, it is essential for risk professionals to keep abreast of developments with regards to the regulatory environment and anticipate any changes that may affect their institutions' compliance for these rules and regulations as and when they become active.

5) Reputation and Underwriting Risks: This is another entirely qualitative area. Obviously, if an organization behaves itself and not fall foul with the regulators and law enforcement organizations, it will not incur any reputation risk (or regulatory or legal risk, for that matter). However, the underwriting risk (and execution risk) is harder to get around. In today's global financial services market place, relationship managers, marketing departments and product specialists aggressively push their products to the clients. It is vital to understand both the suitability of a particular product for the client while keeping an eye on the market's perception of the appropriateness of such a transaction. Gaining a mandate can bring both revenue as well as valuable marketing exposure. However, the failure to execute a mandate or not completing a transaction in what the client or the market sees as appropriate terms will mean a significant reputation risk or completing a transaction by putting significant portion of the transaction onto the organization's own books would mean taking on significant underwriting risk.

6) Systemic Risk: By its very own nature, systemic risk is probably the most difficult to assess and monitor and for a good reason: it arises when there's dislocation within the system and the resultant effects affect many players within the market like a domino effect. When there is a system dislocation, systemic risk can be distilled down to the individual components that make up the risk exposure of an institution - market risk, credit risk, operational risk, etc. In essence, if all areas of risk of an institution are diligently assessed and monitored, systemic risk can be monitored - the 'one magic number' for a given client, counterparty, groups of client, a country or even to all exposure. The technique for risk managers to assess potential exposure in a systemic risk scenario is to 'stress their risk systems'. Simply put, they introduce the wildest swings into the data pool and attempt to 'simulate' an event situation. Is this a realistic approach to such situation? We don't know for the simple reason that there're (fortunately) insufficient data points to indicate whether the 'simulations' are accurate. The best and risk manager can do is to copy previous events and may be magnifying the severity to 'simulate' the situation. However, events have a nasty habit of doing the unpredictable and unexpected and their effects may not be immediate. Additionally, each event has different consequences as the way individual events affect the market and hence it is handled by the market is also different.

Next - Mitigation
Back to top