As we have seen in the Introduction, the board has several committees: Audit, Financial, Corporate Governance, Compensation, and Technology. Also, more recently, top-tier financial institutions have a Risk Management Committee at board level. This, however, is not yet a general practice even if it is beyond any doubt that risk management, and the unavoidable damage control associated with it, are two most critical functions. On both of them depends the very survival of the institution. Risk management should definitely be on the board’s agenda.
One of the executives who participated in the research that led to this book made the suggestion: ‘Why not give, at least in the interim till the appropriate Board authority on risk management is put in place, this responsibility to the Audit Committee?’ Two reasons support the wisdom of doing so. The one is that, as we saw in sections 2 and 3, the functions of auditing are expanding well beyond the accounting books into areas where qualification is just as important as quantifi- cation – if not even more so. The auditing of internal control is an example.
The second reason is just as pragmatic. The Basel Committee suggests that in order to effectively control risk an independent review of the risk measurement system should be carried out regularly by the bank’s internal auditing body.
Basel adds that besides risk auditing, senior management must be actively involved in risk control and review the daily, or ad hoc reports produced by the independent risk control unit. More to the point:
● Risk management models must be closely integrated into both the day-to- day and longer-term management of the bank
● Board-level supervision of risk control methods, procedures, and results is a ‘must’, and
● The output of experimentation on exposure – including worst-case scenar- ios – should not only be reviewed by senior management, but also reflected in policies and limits set by the board.
Sound management practice would ensure that the bank’s risk management organization (or organizationsif credit, market, and operational risk control are not integrated), not only report(s) directly to senior management, but also is supervised by a committee that is given the authority to evaluate relationships between measures of:
● Corporate risk exposure
● Trading limits and lending, and
● Other variables keeping risk under lock and key.
The bank should also conduct regular backtesting, comparing the risk measures generated by models with actual results, including recognized but not yet real- ized profits and loss, in the way that IFRS stipulates it should be done. As can- not be repeated too often, new accounting rules, auditing, and risk control correlate one with another.
Well-managed banks have already taken steps in the direction of top management involvement, a process further promoted by supervisory authorities which note that a bank’s primary objective should be to maintain its financial soundness and contribute to the stability of the financial system as a whole. The personal involvement of board members is necessary to make such a policy successful.
The likelihood is that committees established at middle management level will not be able to deliver, if for no other reason than because conflicts of interest handicap their work. Take Bank Gamma as a case study. In the late 1990s it insti- tuted a Risk Councilwith four members: the director of treasury and trading, the chief credit officer, the assistant director of trading who also had backoffice func- tions, and the chief risk manager, reporting to the director of trading. This com- position violated two cardinal rules at the same time:
● That traders and loans officers in exercise of such duties should never be entrusted with risk control, and
● The functions of the frontdesk and the backoffice should be separated by a thick wall, rather than being brought under the same authority.
As far as heavy trading losses go, the result has been a disaster. Post-mortem financial analysts, who looked into this case of conflicting duties, also said that Bank Gamma already had a first-class risk management organization, and the creation of another risk control function, under trading, diluted rather then strengthened the bank’s central risk management system.
Compared to the functions of this rubber stamp ‘risk council’, the risk manage- ment responsibilities of the board should be a meta-layer using not only the bank’s existing risk management organization and internal audit functions, but also independent advice from consultancies to form an independent opinion.
The results contained in reports submitted to the board on exposure should be the subject of both normal testing and stress testing (see Chapter 16), with met- rics that help in providing perspective, like demodulating all derivatives con- tracts to establish credit equivalence.3This is tantamount to knowing what is the capital at risk. Every board member can understand the notion of capital at risk, and the torrent of red ink which may result from adverse conditions.
Equally important is that the board appreciates the notion of confidence intervals.
People are usually trained to think that mean value is all that is needed to describe a distribution. This is not true. The mean is only a central tendency;
around it exists a variance of values which has to be measured and brought into perspective.
Confidence intervals can be derived in a parametric context within a portfolio structure with distributed returns. They are usually set at a given level of signif- icance which indicates to what extent events in this distribution are excluded from the risk being measured. An example is given in Figure 17.5, which maps spillover of yield volatility from the American debt securities market to the German market (courtesy of Deutsche Bundesbank):
● The thick line shows the mean value over seven years.
● The grey areas are the confidence intervals at 95% level of significance (α= 0.05).
Following the 1996 Market Risk Amendment, the regulators want to have a daily report on VAR at the 99% level of significance. The area corresponding to this level will be way outside the grey area in Figure 17.5. This, however, still leaves 1% of cases not accounted for; and there may be catastrophic spikes in this 1%.
On the credit risk side, rating agencies want to see economic capital at the 99.97% level of significance for AA rating. This would mean only 0.03 of cases left outside. Still there may be outliers, but 0.03% is a great deal better than 1%, and 1% is better than 5%. The notion of a confidence interval is central to any appreciation of the amount of assumed risk.
Every step described in this section should be audited, like any other activity in the enterprise: from major organizational failures, like that of Bank Gamma; to double books kept to hide losses, as in the case of Barings; and miscalculation of capital at risk, because of forgetting about confidence intervals, or any other opportunities for ‘creative solutions’ which will eventually be paid for very dearly by the stakeholders.
1990 1991 1992 1993 1994 1995 1996 +0.4
-0.2 +0.1 +0.3
0 -0.1 +0.2 +0.8
+0.5 +0.7 +0.6
95% CONFIDENCE INTERVAL
CORRELATION COEFFICIENT MONTHLY AVERAGES IN PERCENT
Figure 17.5 Spillover of yield volatility from the American debt securities market to the German market. (Source:Deutsche Bundesbank)