Читать книгу Risk Management in Banking - Bessis Joël - Страница 12

Risk management requires that the risks of a financial institution be identified, assessed and controlled. Enterprise risk management addresses a combination of credit risk, market risk, interest rate risk, liquidity risk and operational risk. Sound risk practices define who should be accountable for these risks and how the risk processes should be implemented.

1.5.1 Motivations

There are strong reasons motivating the sound assessment and management of risks in decision-making processes, other than compliance with risk regulations.

Risk and return are two sides of the same coin. It is always easy to lend, and to obtain attractive revenues from risky borrowers. The price to pay is a higher risk than the prudent bank and higher potential losses. The prudent bank limits risks by restricting business volume and screening out risky borrowers. It saves potential losses but might suffer from lower market shares and lower revenues. However, after a while, careless risk takers find out that higher losses materialize, and could end up with a lower performance than the prudent lender.

Banks that do not differentiate risks of their customers would suffer from adverse economics. Overpricing good risks would discourage good customers. Underpricing bad risks would attract bad customers. Discouraging the relatively good clients and attracting the relatively bad ones would result in adverse selection.

1.5.2 The Risk Processes

Risk processes include the identification, monitoring and control of risks. Risk models serve for measuring and quantifying risk, and provide the inputs for the management processes and decisions. To be effective, they should be implemented within a dedicated organizational framework that should be enterprise-wide.

All risk processes imply that risk policies be properly defined and that the risk appetite of the firm be well defined. Within this framework, the common process for controlling risks is based on risk limits and risk delegations. Limits impose upper bounds to the potential loss of transactions, or of portfolios of transactions. Delegations serve for decentralizing the risk decisions, within limits.

Limits aim at avoiding that adverse events, affecting a transaction or a portfolio of transactions, impair the credit standing of the firm. Banks need to segment their activities into meaningful portfolios, for example by business unit, product or type of clients. Limits of exposure are set for each segment and down to transactions, forming a hierarchy of limits and sublimits. For credit risk, limits are set by segment, then by counterparty and then by individual transaction. For market risk, limits can be set for specific books of trades, then desks and then trades.

Delegations are authorizations to act and take risks on behalf of the organization. Delegations decentralize and simplify the risk process by allowing local managers to make decisions without referring to the upper levels of the organization, within the scope of their delegations. For example, they simplify the risk process for transactions that are small enough to be dealt with by local procedures.

1.5.2.1 Credit Risk Limits and Delegations

Any limit system requires one or several measures of risk used for determining whether or not a transaction, or a portfolio of transactions, complies with limits. Various risk metrics are used for setting limits for credit risk. The amount at risk, or exposure, is a simple measure of the amount that could be lost in the event of a default of the borrower. Other metrics capture other dimensions of credit risk. For example, trades might be allowed only for eligible borrowers based on their credit quality. Or limits can apply to regulatory capital for credit risk, which combines various components of credit risk, exposure, loss after recoveries and credit quality.

Credit limit systems are based on common criteria, for example:

• Diversify the commitments across various dimensions such as customers, industries and regions.

• Avoid lending to any borrower an amount that would increase its debt beyond its borrowing capacity. The equity of the borrower sets up some reasonable limit to its debt given acceptable levels of debt/equity ratios and repayment ability.

• Set up a maximum risk level, for example defined by the credit standing of borrowers, above which lending is prohibited.

• Ensure a minimum diversification across counterparties and avoid concentrations of risk on a single borrower, an industry or a region.

For being comprehensive and consistent, the limit system has to be bank-wide. Global limit systems aggregate all risks on any single counterparty, no matter which business unit initiates the risk, across all transactions with the bank. Global limits are broken down into sublimits. Sublimits might exist even at the level of a single client. The total usage of sublimits should not exceed the global limit assigned to each counterparty or portfolio of transactions. Limit systems allow sublimits to sum up to more than the global limit because not all sublimits are fully used simultaneously, but the aggregated risk should comply with the global limit. For example, multiple currency facilities are convenient for clients because they allow raising funds in several currencies and as needed, but a client should not use more than its global limit. Utilizations are bounded by either sublimits or global limits, whichever is hit first.

Any excess limit has to be corrected by not entering into a new transaction or mitigating the risk with guarantees. Some limits might be hit while others are not. Banks' systems address the issue with excess limit reports showing which transaction hits which limit.

Credit approval processes vary across banks and across types of transaction. In retail banking, the process relies on procedures that need to accommodate a large volume of transactions. Time-consuming processes are not applicable for the retail portfolio because of the high number of transactions. Instead credit scoring mechanisms and delegations are used, within the guidelines of the credit policy. In normal circumstances, the credit officer in charge of the clients of a branch is authorized to make decisions as long as they comply with the guidelines.

For large transactions, the process involves credit committees. Credit committees bring together the business line, the risk managers and the general management. The business line proposes new transactions, together with a risk analysis, and the committee reviews the deal. Committees need to reach a minimal agreement between members before authorizing a credit decision by examining in detail significant credit applications. The committee makes a yes/no decision, or might issue recommendations for altering the proposed transaction until it complies with risk standards. Collateral, third-party guarantees or contractual clauses, mitigate the risk. The alternate process is through “signatures” whereby the transaction proposal is circulated and approval requires agreement between all credit officers. Whether signatures or committees are used for approval, risk officers remain accountable for the risk decisions and decisions are recorded, eventually with comments and recommendations of participating executives.

1.5.2.2 Market Risk and Trading Activities

For market risk, a common risk metric is the sensitivity of a position or of a portfolio of positions. Sensitivities measure the variations of values due to standard shocks on market parameters such as interest rates, foreign exchange rates or equity indexes. There is a variety of sensitivities depending on the type of products and on the risk factors that influence their values. Other risk metrics involve the capital charge for market risk, which embeds other elements of market risk, such as the market volatility and an assessment of the likelihood of losses of various magnitudes.

As the gains and losses in trading are market driven, a risk tolerance has to be defined for the business lines, the desks and the traders. A risk tolerance is an assessment of the maximum loss, for the business line or for desks, considered as acceptable, but which should not be exceeded.

The policies for trading should be comprehensively documented. Limits depend on expectations about market conditions, as formulated in market committees. Market instability might require tighter limits because the chances of large fluctuations are higher. A daily market committee formalizes the current market conditions. Trading desks operate within their limits. Limits are set for the various desks consistently with aggregate market risk. Traders comply with limits by hedging their risks, or unwinding their positions, eventually at a loss.

1.5.3 Risk Management Organization and Roles

As risk regulations developed and standard practices for risk management spread across the industry, some common views on the organization of the risk management process emerged.

1.5.3.1 The Risk Department and the “Three Lines of Defense” Model

The three lines of defense model is a convenient scheme used for structuring the roles, responsibilities and accountabilities with respect to decision making, risk controlling and for achieving an effective risk governance bank-wide. It illustrates how controls, processes and methods are aligned throughout large organizations. The three lines of defense are:

• The lines of business.

• The central risk function.

• The corporate audit and compliance functions.

The business lines, or front office, make up the first line of defense and are responsible for identifying, measuring and managing all risks within their scope of business. Business lines have the primary responsibility for day-to-day risk management. As the management of the business line is close to the changing nature of risks, it is best able to take actions to manage and mitigate those risks. Lines of business prepare periodic self-assessment reports to identify the status of risk issues, including mitigation plans, if appropriate.

These reports roll up to the executive management and to a central risk department, which enforces the risk discipline. Standard practices impose that the risk management should be centralized and that a “clean break” exists between risk-taking business lines and risk supervising units. The risk department ensures an assessment and a control of risks independent of the business lines. The department is responsible for the guidance and implementation of risk policies, for monitoring their proper execution complying with documented risk processes. It defines, with the top management, the risk policy of the bank. The chief risk officer reports to the senior executive committee, who ultimately provides the risk department with the power of enforcing risk policies.

Given their roles, the perceptions of the same risk reality by the business lines and the risk department might differ. This difference in perspectives is what adds value to the enterprise as a whole and to the risk management process. However, the effectiveness of the risk process can be questioned when there are compelling business reasons to proceed with a transaction. Enforcing the power of a credit committee requires some arbitration process when conflicts arise. The arbitrage between conflicting parties is handled by more senior levels when the process is not conclusive. Moving up in the hierarchy of the bank guarantees that a conclusion will be reached and that the credit proposal is thoroughly examined at each stage.

The existence of a risk department does not suffice to enforce sound risk practices. Both the first line and the second line are accountable for risk assessment and control. Making the risk department the unique function accountable for risks would relieve the business lines from their risk responsibilities. A centralized risk control unit would be overloaded by the number of risk issues raised by the front offices. In large banks, risk managers are “embedded” within the business lines, but report both to the business lines and to the central risk department. They provide the local risk control within the “first line of defense”.

The third line of defense is that of internal and external auditors who report independently to the senior committee representing the enterprise's stakeholders. The internal auditors' role is to provide an independent review of the effectiveness and compliance to risk policies of the risk processes. Corporate audit activities are designed to provide reasonable assurance that significant financial, managerial and operating information is materially complete, accurate and reliable; and that employees' actions comply with corporate policies, standards, procedures and applicable laws and regulations. The auditors have the capacity to make recommendations and to supervise their execution.

1.5.3.2 The Asset and Liability Management Department

The ALM – asset-liability management – department is in charge of managing the funding and the balance sheet of the bank, and of controlling liquidity and interest rate risks. The function of ALM is the finance function of banks and is often located within the finance department. The scope of ALM extends mainly to the banking portfolio, and less so to trading activities because they rely primarily on short-term financing. For controlling the liquidity risk and the interest rate risk, the ALM sets up limits to future funding requirements and manages the debt of the bank. The interest rate risk is measured by the volatility of target variables such as the net interest income of the bank, using interest rate derivatives.

The ALM committee meets at least monthly, or when needed in adverse conditions. It groups the senior management, the chief finance officer, the head of the ALM team and the executives in charge of business development and commercial policies. The senior management is involved because ALM policies have a strategic influence on the bank's financing profitability. ALM policies also have strong and direct interactions with the commercial policy. The bank exposure to interest rate risk and liquidity risk depends on the product mix in the banking book. ALM policies have also a direct effect on the pricing to clients, as it should absorb the cost of financing the banking book. Furthermore, the ALM unit is in charge of internal prices of funds, the cost of funds charged to lending units and the financial compensation of deposit collection by branches.

1.5.3.3 Enterprise-wide Risk Management (ERM)

Bank-wide management implies that metrics of income and risk at the global bank level be related to similar metrics at the business unit, book and transaction levels.

Policies set global limits and profit objectives at the enterprise level, which are allocated to business units. This top-down process requires that aggregate profit and limits be allocated at lower levels of the hierarchy in a consistent manner. The monitoring and the reporting of risks and performance is bottom-up oriented, starting from transactions, and ending up with aggregated risks and income. Both processes require a sound bank-wide allocation of earnings and of risks.

As funds are transferred to lending activities and from deposits collected, the earnings of business lines depend on internal, or transfer, prices. The transfer pricing system serves to allocate earnings across business lines and transactions and is required for reconciling aggregated earnings with the earnings of business lines, and down to the transaction level.

A similar system should be implemented for allocating a share of the bank's risk to business units. Global limit systems define the hierarchy of limits and sublimits within the organization. But limit systems are distinct from measures of risk.

A key factor for risk aggregation is risk diversification. Because of diversification, risks do not add up arithmetically. Loosely speaking, the sum of individual risks is less than the arithmetic summation of risks. This well-known property of risks being subadditive is the source of the challenging problem of risk allocation. For risks to be aggregated bottom-up, and allocated top-down, a risk allocation mechanism is required. In general, the risk allocation issue is addressed by allocating the capital of the bank to portfolios and transactions and it involves an assessment of diversification effects.

Finally, earnings across transactions or portfolios are not comparable because they are in general exposed to different levels of risk. Performances need to be risk adjusted for being comparable across activities and comparable with the risk-adjusted profitability of the bank. The issue is resolved once earnings and risks are properly allocated, by adjusting earnings with the cost of risk based on the cost of capital backing the transactions.

This shows that three building blocks should be designed and assembled for addressing bank-wide risk management:

• Fund transfer pricing systems;

• Risk and capital allocation systems;

• Risk-adjusted performance measures.

These are the necessary components of risk systems for aligning the measures of earnings and risks,3 and the related management incentives, across all business lines of large organizations.