The careful reader will recall the reference I made about my professor of business strategy at UCLA who taught his students that one should never
An Efficient Structure 197 expect to find the strategy of an institution or any other company to be written in black and white in a manifesto. But it is possible to make inferences, which prove to be quite accurate, based on patterns. The pattern in Figure 8.2 is that of the evolution of longer-term financial assets v. the trading portfolio in one of the better known money centre banks:
• From Year 1 to Year 4 this bank's behavioural pattern reflects a rapid growth in trading revenues - evidently, a top management decision.
• As this strategy has gained momentum, in Year 4 the board decided to focus on financial assets without soft-pedalling on trading.
This dual strategy based on one theme at a time worked well. From Year 1 to Year 5 the financial institution in question more than tripled its business connected to these two channels. It also took some added risks. If we wish to understand the risks our bank takes, we should establish behaviour
YEAR 1 YEAR 2 YEAR 3 YEAR 4 YEAR 5
LONGER-TERM FINANCIALS
TRADING PORTFOLIO
Figure 8.2 Evolution of longer-term financial assets v. the trading portfolio at a money centre bank
198 Management Appraisal and Accountability
patterns not only of the institution as a whole but also of our professionals:
loans officers, investment experts, and traders.
Behaviour patterns also assist in detecting possible fraud, and they can serve as prognosticators of coming trouble. For any practical purpose, patterns of the type I am discussing are a qualitative expression of sensitivities, and internal controls can make good use of them. For this purpose, some banks have developed a battery of tests which assist in establishing behaviour patterns, particularly looking for traders who:
• Refuse to talk to auditors, no matter what the reason
• Never take a holiday and even come to work on weekends
• Put firewalls in their databases and remove floppies 'for security reasons'
• Arrange their system so that nobody understands the maze of passwords they are using.
The fact that the last two bullet points have to do with networked workstations is not accidental. Internal controls should work interactively all the way to the front desk and the back office. Through agents and database mining it should be possible to check whether 'this' trader or 'that' loans officer always breaks limits and/or asks his supervisors for exceptions (see also Chapter 9).
Admittedly it is not easy, but it is important that auditing checks behavioural patterns and their evolution in the short to medium term (see also below). Subsequently, by on-the-spot inspection it should be possible to understand whether a person has been granted one exception after another, and therefore is treated by management as a golden boy, a protected species. When this is the case, chances are that:
• His trading in the past has escaped control because he was covered by his superiors and
• His trading is characterized by abnormal profits and/or abnormal losses, the latter kept most likely in the shadows.
Other ways to look for patterns is whether the trader or loans officer has a large mortgage, and/or big house, and/or expensive car; is status- symbol conscious and would do everything to protect his status; has trouble at home: is divorced or separated and the wife is after him. These are very practical issues which are worth management's and the auditor's attention.
Some banks now tune their informal internal controls in a way that they are able to detect whether some of their traders and officers are anti-social introverts, and in a bad mood even when making money. Or, are heavy
An Efficient Structure 199 drinkers or even on drugs. Or, shout at the back office and are always in friction bad relations with the risk management personnel.
'As a matter of principle,' said a senior risk management officer in London, 'the louder a man shouts the more he has to hide.' The same is true about being unavailable, too busy to look into control results, or unable to explain the mechanism which led to abnormal profits and commissions.
Because of these cases, only a steady and careful:
• Measuring
• Monitoring and
• Analysis
can help to find out what happens to our bank's exposure. The notions underpinning a systematic process of measuring, monitoring, and analyzing can be traced back to the early twentieth century when Frederick Winslow Taylor studied the time it takes to handle ingots. In the mid-1920s Dr F.B. Gilbreth examined the statistics from time studies and found that:
• The plotting of performance time tended to approximate the normal distribution; this greatly assists in matters of control.
• In about 95 per cent of cases the ratio of higher to lower productivity was about 2.2 - the other 5 per cent was exceptions.
Even exceptions, however, have limits. If a factory worker is superfast and always ends up with a very high ratio, he has a gimmick. A similar principle applies with traders who always fabricate high profits (and commissions for themselves) - but invariably the institution they work for ends up with toxic waste - and therefore with losses.
Though there are exceptions with outliers in profit figures (as in productivity), if these 'exceptions' multiply then the system has loopholes.
But it may also be a spike is legitimate. Therefore the chief risk management officer should think before he shouts, by having his assistants dig deeper into each case, and by asking the auditors to do their part of the job. Statistics are a valuable indicator not the evidence that something is right or wrong.
Digging deeper means examining the pattern (and the books) to find factual and documented evidence. Is the trader's record characterized by large trades in notional principal amount? Is he always betting on the same instrument? Does he have a significant number of forward transactions? Or a hoarding of:
• Long-term forward rate agreements?
• Currency-based swaps?
200 Management Appraisal and Accountability
• Illiquid positions?
• Very long maturities?
An internal control system should include models able to help in looking into behaviour patterns by default. Is there a diversification in regard to counterparties? In a steady observance of management policies and regulations? In a considerable measure, these are questions the auditors should be after. But qualitative answers can go only so far. A better method is quantification and the use of statistical quality control (SQC) charts. An example is shown in Figure 8.3 (Chorafas, 2000a).
This text has on repeated occasions brought the reader's attention to statistical distributions and tolerances. One of the key services offered by SQC charts is that they help in the exploitation of intraday statistics. Ewen if our bank's reporting system works interday, because of low technology, the trades which we do and the commitments we make are done intraday.
Are we able to:
• Check for intraday trading?
• Look for intraday patterns?
• Analyze how each dealer is trading?
• Find out with whom he is frequently in contact?
In other words, are the internal controls able to assist senior management in drilling down the layers of responsibility? Can the internal control system flush out who hedges and who speculates? Designing, implementing, and testing our institution's system of internal controls is a job-oriented proposition. Hence, the custom-made characteristics of the solution, to which I so often make reference.
The underlying control principles, however, are much more general and they get increasingly enriched with mathematical and statistical tools. An example is General Electric's Six Sigma methodology for quality control implemented not only by GE's manufacturing divisions but also by GE Capital. In a way very similar to the solution I have suggested, this methodology involves:
• Statistical quality control methods
• Chi-square testing to evaluate variance between two populations1
• Experimental design to permit a methodological test of hypothesis
• Graphical tools for process mapping
• A rigorous defect measurement method
• A dashboard to map progress towards customer satisfaction (very important in banking)
UPPER TOLERANCE LIMIT
- * - UPPER QUALITY CONTROL LIMIT
*
C X
*
*
*
LOWER QUALITY CONTROL LIMIT
LOWER TOLERANCE LIMIT
Figure 8.3 An SQC chart with tolerance limits and control limits
o
202 Management Appraisal and Accountability
• A Pareto diagram which exhibits relative frequency and/or size of events
• Root-cause analysis which targets original reasons for non-compliance or non-conformance
GE Capital has derived very significant benefits from the implementation of Six Sigma. GE management says that the new methodology permits to focus on quality, cost and other root issues. In practical terms, it helps in reducing cycle time, swapping defects and emphasising the value of each individual contribution. The whole approach, and its implementation in financial operations, is guided by a systematic methodology utilising training tools and doing a steady measurement of each individual performance.
DEVELOPING AND USING A SYSTEM OF INTERNAL MARGIN CALLS
The reader would appreciate that even if we have all the controls the Barings, LTCM, Morgan Grenfell, and NatWest cases might still happen.
But if we do not have the controls, then they will happen - and this makes a great deal of difference. No solution is foolproof, but one should not let every fool run in the wild and bring down in flames the institution for which he works.
A rigorous internal controls system would make it feasible to conduct a practical investigation concerning the relative strengths and weaknesses of the current organizational and procedural solutions. Analysis should go beyond the classical profit and loss (P&L) and into future gains and losses, including items which may not be that visible by looking into facts and figures presented in risk meetings, or by basing one's opinion on how is risk spoken about.
As the previous section has explained, a pattern analysis is valuable because it gives many clues and leads to asking critical questions, even if it might not be pointing outright to the detection of malpractice. Patterns are also an instrumental tool for another reason. They can be used to reconfirm that the controls which are in place do their job. That's the sense of keeping a process within upper and lower control limits the way presented in Figure 8.3.
The visibility provided through pattern analysis permits us to ask a number of crucial questions: Are all the positions mapped into the system? Are there any positions left outside of the system? If ' y e s ' , why is it so? Have the internal auditors highlighted these exclusions as
An Efficient Structure 203 shortcomings? Are these shortcomings taken seriously and acted upon?
A good investigative policy is to ask everyone individually where the greatest risk lies in the trading book, then compare the answers to queries like the following:
• Is the independent risk management function really independent?
• Are there provisions for bad risks? If 'yes', at which level of confidence?
Who decides about them?
Simulation can complement such findings, as well as help to answer other queries: How much can our bank lose in an event like the 1987 stockmarket crash? In a debacle of bonds similar to that of 1994? In a meltdown like the East Asian in 1997 and Russian in 1998? Where is the biggest risk in our portfolio? How big could be the loss? Is this possible loss within the risk appetite of our bank? Within the time horizon which reflects the policy of the board?
But simulation needs not only models. It is also very hungry for input.
Typically, mathematics is the 20 per cent of the problem; the other 80 per cent is data. Therefore internal controls should be worked in a way which promotes complete, timely, and accurate data collection by pinpointing individual responsibilities. We have spoken on several occasions of this requirement.
An example on what is feasible in terms of processes and responsibilities in a risk control sense is a system of internal margin calls. Such procedures have been established by some institutions. Let me start with a query by way of introduction to this subject. Is capital a substitute for risk management? Fundamentally, the answer to this query is 'No!' Because:
• / / w e cannot quantify the possible size of our losses
• Then we will run out of capital very fast.
There is a joke at Wall Street that the way to make a small fortune is to start with a big one. Using a comfortable amount of capital for trading, or as insurance, is no comprehensive approach to risk control and, quite definitely, it is no good measure for setting internal control alerts. But used in an ingenious way, capital at risk could be an instrumental input (Chorafas, 2000b). That's why a system of internal margin calls can be a good way of checking on exposure:
204 Management Appraisal and Accountability
• Based on the standard deviation of the risk distribution
• Using the concept of a central reinsurance policy and
• Leading to dynamic analysis of recognized gains and losses.
For instance, any individual member of the operation at the front desk, from loans to derivatives and other channels, should be reinsured by a central fund to which it contributes part of its profit margin when it is contracting business. Also, when realizing profits. This sort of insurance system is an interesting concept which has characterized the Federal Deposit Insurance Corporation (FDIC), since its inception in the 1930s (Chorafas, 2000d).
One of the advantages presented by a steady internal reinsurance solution is that it puts the breaks on extravagant profit claims and commissions.
Another is that capital is put aside for the rainy day when the situation is manageable. Internal margin calls or reinsurance contribution should be calculated not just on actual amounts, but also on the basis of risks being taken some time in the future - because of the commitments being made.
This approach revamps and restructures the concept of capital at risk. It makes risk positions a function of business opportunity in the face of uncertainty involved in assumed position(s). Banks which in their internal controls have followed a strategy of internal margin calls found that, over time, risk becomes more limited because it is more visible. Internal margin calls confine it to a level where capital loss does not jeopardize:
• The substance of the bank's activities
• Its assumed risk profile(s) and
• The profit expectations by operational unit.
Banks do calculate a risk profile, but in the majority of cases they keep at a summary level which is not enough. The statistics in Figure 8.4 come from a money centre bank and identify average market risks assumed in five major channels of activity in two consecutive years at. the end of the 1990s.
These market risk statistics are classified in five major channels. It is evident that, for internal control purposes, there should be at least two further layers of detail.
Notice that in Year 2 the institution in question reduced its cross-risk by half, and also slightly its interest rate exposure. To the contrary, currency exchange risk has increased by about 15 per cent, essentially absorbing the reduction in business in the other channels. Figure 8.4 provides a good estimate of this bank's strategic approach to exposure to its main five trading channels, but internal control should offer much more than that. It should feed detailed data into real-time simulators which upkeep the
PER CENT
YEAR 1 YEAR 2
YEAR 2
YEAR 1 YEAR 2
INTEREST RATES
FOREIGN EXCHANGE
TOTAL EQUITIES
RISK
Figure 8.4 Average market risks of a money centre bank, over a period of 2 years
YEAR 1 YEAR 2 YEAR 1 YEAR 2
COMMODITIES EXPOSURE
CROSS- RISKS
O
206 Management Appraisal and Accountability
management information system, enabling authorized executives to reach exposure figures by:
• Instrument
• Counterparty
• Branch and
• Trader.
Contrary to the usual practice of waiting to be presented with a report, a good manager asks for information at the spur of the moment. He does not give advanced notice on what he might need, and does not wait for the answer to be brought to him on a plate. He finds it himself or herself, through database mining and agents.
By means of interactive computational finance, board members and senior executives who are worth their salt judge the consistency, accuracy, and timeliness of their bank's position - along with the quality of its information system. By following intraday statistics, they decide if their people control the assumed exposure or are simply after profits and commissions, no matter what happens to the institution for which they work.
INTERNAL CONTROLS SHOULD HIGHLIGHT INFORMATION TECHNOLOGY FAILURES
Let's talk first about the principles which characterize a well run company.
//' top management really cares about assumed exposure, then structural decisions concerning internal controls reflect the fact that a crucial factor in financial reporting is transparency. Exposure resulting from any activity is tracked, and to do so in an adequate manner the missions given to internal control:
• Are very clear
• Well understood and
• Self-explanatory.
An order always risks being misinterpreted, and misunderstanding is one of the enemies of success. Like project planning, internal control needs a framework and the first step is correct and unambiguous problem definition. As I have explained on repeated occasions, no two banks have the same problem to solve in connection with internal control, but we can
An Efficient Structure 207 always learn from those that have effective solutions. What practically all have to face, however, are problems connected with their information technology which are very similar.
Information technology problems are so similar from one company to the next because they have common roots. These are first of all an EDP' mentality. In the 1950s the anagram used to mean 'electronic data processing'. 50 years down the line, say tier-1 banks in New York, EDP means 'emotionally disturbed people'. That says much about the culture.
But there are also other reasons for backwater conditions in information technology.
Company politics is one of them. To eat up a huge budget every year, with so little return on investment, the way EDP does, it must be that somebody is covering the unable, the unwilling, and the unnecessary.
Usually, this is the board when its members are not computer literate. This is of course to the detriment of the company and its interests, as divisions, departments, and branches are left with obsolete mainframes, substandard 20-year or 30-year old software, and other frills.
It is in no way a coincidence that companies which are interested in establishing and maintaining a system of internal controls pay a great deal of attention to streamlining their information technology, and to developing solutions which are state of the art. In a meeting in Boston, State Street Bank mentioned a manufacturing company specializing in building materials whose chief risk management officer is a senior executive in the treasury unit. His mission is to:
• Look at commodity prices globally, projecting on price evolution and auditing procurement practices and
• Evaluate the company's dependency on information technology and the risks it is taking when there are IT failures.
Few companies appreciate the importance of this second bullet point, and usually banks are not among them. Yet, the effectiveness of all the internal controls we put in place depends on information technology. If communications, computers, and software don't use knowledge engineer- ing artefacts and don't work with 99.99 per cent reliability, the company will be hurt. It may even be paralyzed in its risk management functions.
This statement is true for any company but, other things being equal, multinational enterprises are more vulnerable to IT hangup and failures than local ones. In the example of the manufacturing company used by the State Street Bank, about 50 per cent of the business is in the United States, the other 50 per cent international. For many years, the management of this