ey overview market-risk-management en 1

Market Risk Management

Putting the key components together

Contents

Introduction....................................................................1

Board oversight...............................................................3

Policies, procedures and limits.........................................6

Systems and processes....................................................8

Internal controls, audits and compliance.........................15

List of references..........................................................18

Contact us....................................................................19

Putting the key components together 1Ernst & Young

Background

Risk-taking is an integral part of the banking business. It is important for banks to find a balance between the risk a bank is willing to take and the returns it is expecting to achieve, while at the same time maintaining the sound financial position of the bank. Risk management seeks to address this. The risk management system established should be commensurate with the size and complexity of a bank’s business operations to ensure the bank’s risks are able to be managed according to the bank’s risk strategy and appetite.

Banking supervisors generally require banks to put in place risk management functions and processes that are capable of identifying, measuring, monitoring and controlling or mitigating material risks, based on the guidance in “Core Principles for Effective Banking Supervision” issued by the Basel Committee in October 2006. The Basel Committee also revised its guidance and issued “Principles for Enhancing Corporate Governance” in October 2010.

Scope and overview

Risk management in the banking industry is a big topic that may be related to a wide spectrum of banking operation units and activities. The banking industry participants may use different categories of risks and at different granularity. For example, some banking supervisors consider eight inherent

About this publicationMarket Risk Management

Putting the key components together focuses on the market risk management for banks planning to set up a dedicated market risk management function or invest in the required tools. It provides a high-level summary of how each component can be put together for a risk management system, as well as how market risk management fits in. It is important to note that the summary is not intended to be prescriptive but is indicative only.

Introduction

risks banks are exposed to, which are identified as credit, market, interest rate, liquidity, operational, reputational, legal and strategic risks.

Banks usually are encouraged by their banking supervisors to adopt an integrated firm-wide risk management framework. This is especially true after the financial crisis where risk management and control units are expected to work in a more integrated fashion but not in a silo. Although sophistication and complexity of risk management systems vary among banks, due to their size, organizational structure, business focus or supervisory guidance, in general, the following components can be found:

• Board and senior management oversight

• Internal documentation such as organizational policies and procedures

• Risk measurement, monitoring and reporting systems and processes

• Internal controls, internal audits and compliance checkpoints

Market Risk Management2 Ernst & Young

Regulators and investors are demanding greater transparency and increased accountability when it comes to the risk measures, risk management processes and their underlying systems.


Board and senior management’s role and governance related to market risk management

Bank supervisors from different jurisdictions may have different requirements in the setting or structure of the board of directors. However, it is a common understanding that the board is ultimately responsible and accountable for the decisions and actions taken by the bank because it reviews and approves business strategies and significant policies of the bank. These business strategies and policies include the set up and effective maintenance of systems of risk management and internal controls, as well as how senior management monitors the effectiveness of these systems.

Senior managements are generally responsible for the daily management of the bank. This may include the implementation and monitoring of structures, processes, information and oversight arrangements used in managing the bank. Thus the board and the senior management, whose authority is delegated from the board, have the primary responsibility to understand the risks faced by the bank and ensure that these risks are properly managed.

In order for the board and the senior management to fulfill their responsibilities in risk taken and risk management, they should, among other thing:

• Have sufficient knowledge and expertise to comprehend the material risks exposed to the bank, both under normal and stressed market conditions

• Be involved in setting of risk appetite based on the bank’s strategy and goal, and monitor how the risk appetite has been followed

• Foster a strong risk management culture

• Dedicate sufficient time, effort and resources to overseeing and participating in the bank’s risk management process

• Be aware of the bank’s business and risk profile in the ever-changing business environment and financial markets

• Ensure the proper development and maintenance of necessary risk and information infrastructure, systems and controls for effective risk management and governance

“The most critical need is for an environment in which effective challenge of the executive is expected and achieved in the boardroom before decisions are taken on major risk and strategic issues.”

Sir David Walker A Review of Corporate Governance in UK Banks and Other Financial Industry Entities, July 2009, page 12.

Board oversight


• Set up an organization structure that provides the necessary internal controls, segregation of duties and accountability. This includes creating an independent risk management function to monitor, control and coordinate risk management efforts across the entire bank

Risk governance arrangements such as responsibilities, authority, structures and risk appetite should be documented in sufficient detail, periodically reviewed and timely updated. Staff relevant to the risk-taking business units and the risk management function should understand the risk governance arrangements of the bank as well as their roles in the risk management processes and systems.

It is important that the board and senior management maintain a regular and open communication within the bank and especially among the members of the board and senior management, risk-taking business units, risk management and control function. Some banks achieve this through the establishment of a formal risk committee.

The governance of the bank should be adequately transparent to its shareholders, depositors, other relevant stakeholders and market participants.

Setting of risk strategy and appetite

Banks usually have a vision of what type of bank and organization they want to be. Based on the vision and mission, a strategy is formulated by the board for the bank to achieve its vision. A bank is constrained by its financial capacity and regulations set out by the supervisor (i.e., the risk capacity). There is a limitation for the level of risk a bank is willing to take, which is described by the risk appetite of a bank. Using the risk appetite framework to frame decisions, banks can establish a common language for assessing the risk, budgetary and strategic implications of a business opportunity or external events affecting the bank’s risk profile.

Usually it is the board’s responsibility to set the overall risk appetite of a bank and approve its risk appetite statements. Although, there is no common practice in how risk appetite should be expressed, risk appetite statements are usually expected to be comprehensive, include appropriate and consistent risk targets, reflect some suitable risk measures/metrics to facilitate effective monitoring and provide actionable responses to a variety of adverse contingent events. Risk appetite should be expressed in a way that is suitable to the size and complexity of the bank’s operations. Reasons and justification for the changes to the risk appetite should be well documented.

The board should ensure all relevant risks of a bank are included in the consideration when the risk appetite is set. This includes risks that are both quantifiable and less quantifiable, and risks originated from both on and off balance sheet transactions. The board should be satisfied that robust procedures and controls are in place for the setting and on-going monitoring of the adherence to the bank’s risk appetite. Also, sufficient and updated information should be made available to facilitate the board and senior management to assess the risk appetite on a regular basis. Since it is difficult to forecast with any certainty market conditions over time, the more developed risk appetite are flexible and responsive to environmental changes. However, risk appetite must also be definitive and consistent enough to contain strategic drift.

According to the observations discussed in report issued by the Senior Supervisors Group in December 2010, the implementation of a risk appetite framework requires strong internal relationships within the bank. It is also suggested that the board should ensure that senior management establishes strong accountability structures to translate the risk appetite into clear incentives and constraints for business lines.

A practical approach to defining a risk appetite.

Adapted from Recover, Adapt, Advance: Back to Business in an Uncertain World, Ernst & Young, 2010

Confirming risk monitoring reporting and processes

Confirming risk appetite statement and calibrate operating parameters

Connect risk appetite statement with risk profile

Draft risk appetite statement

Assess current risk profile, exposures and limits

Identify strategic objective

Inventory risk management tools

Top-down approach

Bottom-up approach

Draft risk appetite statement and assess current risk profile

Assess completeness of risk appetite

Establish consistency between risk appetite and operating limits

Update risk monitoring and reporting to align with risk appetite

A practical approach to defining a risk appetite.

Adapted from Recover, Adapt, Advance: Back to Business in an Uncertain World, Ernst & Young, 2010

Board oversight


Specialized management committees► Responsible for overseeing day-

to-day risk management

Specialized board committees► Responsible for overseeing risk

Individual business units Compliance unit

Board of directors

►Ultimately responsible for risk management

Risk management unit

Risk committees Audit committee

► Responsible for compliance with policies, procedures and limits► Credit risk► Market risk► Interest rate risk► Liquidity risk► Operational risk► Other risks

► Responsible for legal and regulatory compliance

► Responsible for daily risk management► Risk measurement► Risk assessment► Limit monitoring► Risk control► Risk reporting

Internal audit

► Responsible for independent checking

Senior management

Elements of a risk management system.

Partially adopted from Supervisory Policy Manual Module IC-1: General Risk Management Controls, Hong Kong Monetary Authority, December 2010

Board and senior management oversight in market risk management

The board and senior management (or specialized committees formed) have to ensure that an effective risk management framework is in place. The risk management framework should allow the board and senior management to identify and manage material risks inherent in the bank’s business operations.

While there is an array of responsibilities of the board and senior management in relation to the oversight and management of firm-wide risks, there are some oversight responsibilities relevant to the market risk management, according to the Basel Committee’s guidance issued in October 2010. The board and the senior management of a bank are expected to

be actively involved in the market risk management process and to regard market risk management as an essential aspect of the business to which significant resources need to be devoted. In particular, they should:

• Approve all the key elements of, and any material changes to, the bank’s market risk management system

• Possess an understanding of the design and operation of, and the management reports generated by, the bank’s market risk management system adequate for them to perform their functions

• Exercise oversight of the bank’s market risk management system sufficient to ensure that the system complies the requirements set out by local bank supervisor

• Ensure that there is a reporting system within the bank to provide sufficient information to them regularly as will enable them to exercise sufficient oversight and make informed decisions relating to the bank’s market risk exposure (e.g., in terms of formulating trading strategies or setting trading limits)

Partially adopted from Supervisory Policy Manual Module IC-1: General Risk Management Controls, Hong Kong Monetary Authority, December 2010

Asset/liability

comm

ittee

Credit comm

ittee

Operational risk

comm

ittee

Market risk

comm

ittee

Elements of a risk management system. Board oversight


Common practice

Clear and detailed documentation of risk management policies and procedures are integral to a sound risk management system. Risk management policies and procedures should, as a minimum, set out the following:

• Objective and consistent risk identification and measurement approach

• Comprehensive and rigorous risk assessment and reporting systems

• Sound valuation and stress-testing practices

• Effective risk monitoring measures and controls

• Use of risk mitigating techniques, their potential effect and appropriate measures to assess their effectiveness and control their risks

• Accountability and the lines of authority for related business units

Risk management policies and procedures should be approved by the board or designated specialized committee authorized by the board. These policies and procedures should be regularly reviewed. Any update or amendment based on the review result should be further ratified by the board for adoption.

Major considerations

In developing market risk management policies and procedures, banks should consider:

• The overall business strategy and the business strategy and activities that expose the bank to market risk

• The size, nature and complexity of the bank’s business activities that results in market risk

• The risk appetite of the bank and particularly regarding to market risk

• The level of sophistication of the bank’s market risk monitoring capability, market risk management systems and processes

• The size of the bank’s market risk exposures and their impact

• The results of risk analysis, such as sensitivity analysis and stress tests

• The bank’s past experience and performance as well as anticipation of any potential internal organizational change or external changes in market conditions

• Regulatory requirements, market best practices and their trends

“When a system of regulation fails so spectacularly people are going to ask what replaces it. When the failure of certain banks have cost… so much, people are rightly going to ask how to stop it happening again.”

George Osborne UK Chancellor of the Exchequer Speech at the lord mayor’s dinner for bankers and merchants of the City of London, 16 June 2010

Policies, procedures and limits


Risk limits

Risk limits serve to control a bank’s exposure to various quantifiable risks associated with the risk-taking activities (e.g., market risk, credit risk, interest rate risk, liquidity risk, concentration risk). The setting of risk limits should be:

• Documented and approved by the board or its designated specialized committee regularly (e.g., annually as part of the annual budget approval process)

• Regularly reviewed and reassessed by taking into account the latest market conditions and business strategies

• In line with the bank’s risk appetite and consistent with the business strategies

• Compatible to the size and complexity of the bank’s business activities, the sophistication of its risk management systems, complexity and liquidity of the products, as well as the experience and expertise of the risk-taking units and their personnel

• Allocated at various levels (e.g., the business units, product types, individuals and the bank as a whole) with clear documentation of the methodology of the allocation of the overall risk limits across each level

• Clearly communicated with the relevant units and staff engaged in risk-taking, risk management and control units

• Providing the exception or excess management mechanism, this should include who has the responsibility to handle exceptions and the potential actions that should be taken

The utilization of the risk limits should be closely and timely monitored. Any excesses or exceptions should be reported promptly to senior management according to the documentation. Events such as excessively large limits with low utilization, excessive limit utilization or significant exceptions should trigger detailed examination or investigation by the risk management and control unit.

There are various types of limits used simultaneously in market risk management because they complement each other. Some of them include:

Value-at-risk limits – A type of sensitivity limit designed to restrict potential loss to an amount equal to a board-approved percentage of projected earnings or capital.

Loss control limits – A type of limit that requires specific management action if they are approached or breached. The limits setting documentation should require closing out of position or special approval from designated management or committee in order to maintain the exposures. They are usually used to foster communication, rather than limit the risk-taking unit’s ability to maintain a position.

Tenor or gap limits – A type of limit designed to reduce price risk by limiting the maturity and/or controlling the volume of transactions that matures or reprices in a given time period. Such limits can be used to reduce the volatility of derivative revenue or expenses by staggering the maturity and/or repricing, thereby smoothing the effect of changes in market factors affecting price.

Notional or volume limits – A type of limit that is effective for controlling operational capacity and, in some cases, liquidity risk. Specifically, in the case of exchange-traded

futures and options, volume limits on open interest may be advisable in less liquid contracts. Limits on concentrations by strike price and expiration date can facilitate portfolio diversification in large books. In the case of OTC options, these limits should be set in the context of the bank’s ability to settle a large number of trades if the options are exercised.

Options limits – A type of limit specific to option exposure for banks with sizable option positions. Such limits should consider the sensitivity of positions to changes in delta, gamma, vega, theta, and rho. Generally, this type of analysis requires modeling capabilities.

Product concentration limits – A type of limit useful to ensure that a concentration in any one product does not significantly increase the price risk of the portfolio as a whole.

Policies, procedures and limits


Market risk management function

The board and senior management should set up a dedicated market risk management function to coordinate and perform daily risk management activities. An effective market risk management function should:

• Have clearly defined responsibilities and authorities

• Have a direct reporting line to the relevant senior management or specialized committee set up by the board

• Be independent from the risk-taking and operational units (e.g., trading unit and settlement unit) that it reviews

• Have direct access to information from risk-taking and operational units in order for it to carry out the market risk management and control function

• Be supported by an effective risk management information system

• Be provided adequate resources and competent personnel to perform its duties

The market risk management function should generally be responsible for:

• Ensuring that all relevant market risks of the bank are identified, well understood, and adequately measured and assessed

• The design or selection of the bank’s market risk management system

• The testing and implementation of the bank’s market risk management system

• The oversight of the effectiveness of the bank’s market risk management system

• The on-going review of, and changes to, the bank’s market risk management system

• The monitoring of the use of risk limits and ensuring that quantifiable risks are within the structure of approved limits

• The production and analysis of daily management reports based on the output of the bank’s internal market risk models used in risk measurement and assessment, which includes the evaluation of the relationship between measures of market risk exposures (e.g., value-at-risk, stress tests) and trading limits

“The recent financial crisis has resulted in a wave of regulation that will transform the risk management landscape. Increasingly complex requirements emerging from Dodd-Frank Act, Basel III and other global regulatory and legislative mandates will render traditional retrospective and siloed risk management and reporting practices obsolete. To prepare for more comprehensive reporting, financial company will need to rethink risk management.”

Bob Reinhold Principal, Financial Services, US

Systems and processes


• The prompt reporting of market risk exposures to the senior management and specialized committees, as well as alerting the board and the senior management to any other matters that may have a significant impact on the bank’s financial position and risk profile

• The conduct of regular back-testing to verify the accuracy and reliability of the bank’s internal models

• The creation and maintenance of a set of comprehensive and clear documentation of the bank’s internal models (e.g., theories, methodologies, techniques) and the internal policies, controls and procedures relating to the operation of the internal models and market risk management system

• Ensuring that the bank’s market risk management framework, and all related policies and control procedures, are adequately implemented and complied with

• The active involvement at an early stage, in the bank’s decision-making on business strategies and development of new products that may have implication for market risk management

Market risk management information system

For banks to make effective business and risk management decisions, it is critical that they be able to aggregate timely and accurate data for reporting on a variety of risk types. As the financial and regulatory environment becomes increasingly complex, this capability within the banks is important to senior decision makers. They need the proper information to make judgments about the strategic direction of their banks, to help set risk appetite and to manage risk according to rapidly changing economic or market conditions.

Banks should establish and maintain a market risk management information system with adequate technological support and processing capacity to effectively measure and report the market risk exposed to the bank. The market risk management system should be operated in a prudent and consistently effective manner.

An effective market risk management information system should have the capability to produce timely, accurate and reliable reports for the board, senior management, specialized committees, risk-taking units and risk management and control units. These reports should be used to support decision-making at different levels (e.g., strategy formulation and risk budgeting), and to enable early

identification of emerging market risk.

Inadequate information systems may hinder the ability of banks to manage broad financial risks as market events unfold rapidly and intensely.

The level of sophistication of the market risk management system should depend on the nature, characteristics, scale and complexity of the bank’s business activities that expose the bank to market risk. Generally it should be capable of:

• Measuring the market risks of a product or transaction in accordance with the measurement methods or models approved to be adopted by the bank

• Aggregating data on a product, trading venue, counterparty, portfolio, trading unit and sub-unit, currency, etc.

• Supporting customized identification and aggregation of risk concentrations within the bank

• Incorporating hedging and other risk mitigating actions to be carried out while taking into account related basis risks embedded

• Reporting excesses in limits and policy exceptions, and alerting management of risk exposures approaching pre-set limits

• Producing information and reports at appropriate intervals, or on an ad-hoc basis in time of stress

A common question for banks implementing market risk information systems: Buy or build?

CostEffectiveness

Compatibilityto other

IT systems

Internalresource

Modeltransparency

BuyBuild

Changemanagement

Adequacy ofdocumentation

Flexibilityin modelchoices

Technicalsupport

Implementationtimeline



• Providing adequate system support for fair valuing exposure and relating reserve adjustments

• Providing transparent and accessible data flows and processes and allowing easy access to the model specifications and parameters used

• Conducting sensitivity analysis, back- testing of risk measurement, stress- testing or other market risk analysis required to be performed by the market risk management function

The market risk management information system may be developed internally by the bank or purchased from a third-party vendor. It is the board and the senior management’s responsibility to approve all the key elements of, and any material changes to, the bank’s market risk management system. They should also exercise oversight of the bank’s market risk management system sufficient to ensure that it is suitable for its purposes, operated in a prudent and effective manner and documentation is maintained. When the information system is purchased from a third-party vendor, there should be adequate procedures in place to ensure the information system and the models used are subject to initial and ongoing validation.

Similar to other information systems used by the banks in their business activities, information technology risks should be considered. These may include:

• Information technology governance

• Security management with robust authentication and access control security

• System changes being well documented and adequately controlled

• Performance monitoring process

• Management of technology service providers if a third-party vendor system is involved

• Occurrence of technology audit or review

Strategic planning processes should include an assessment of risk data requirements and system gaps. While many banks have devoted significant resources to infrastructure, very few are able to quickly aggregate risk data without a substantial amount of manual intervention. According to the report issued by the Senior Supervisors Group in December 2010, many banks have begun substantial projects to address the aggregation of risk data. As surveyed by the bank supervisors, it is a good practice to have data aggregation processes covering all relevant transactional and accounting systems and data repositories to maintain comprehensive coverage of reporting. It is also a leading practice to include periodic reconciliation between risk and financial data.

It is also suggested by the Senior Supervisors Group that banks with highly developed information technology infrastructures

are more capable to clearly articulate, document, and communicate internal risk reporting requirements, including specific metrics, data-accuracy expectation, element definitions, and timeframes.

Market risk management reporting

The bank’s risk exposures and strategy should be communicated throughout the bank with sufficient frequency. Effective communication, both horizontally across the bank and vertically up the management chain, facilitates effective decision-making that fosters safe and sound banking and helps prevent decisions that may result in amplifying risk exposures.

The formality and frequency of reporting should be directly related to the level of risk-taking activities and risk exposures. The recipients of these reports may also vary depending on the bank organizational structure.

Board and senior management – Information should be communicated to the board and senior management in a timely, complete, understandable and accurate manner so that they are equipped to make informed decisions. This is particularly important when a bank is facing financial or other difficulties and may need to make prompt, critical decisions. If the board and

An example of the how various components of market risk management information systems are related.


MarketRiskManagementSystem

Stakeholders► Market risk function► Risk-taking units ► IT management unit► Control function ► Senior management

Data collection► Market data

► Bloomberg► Reuters

► Position data► Trading systems► Portfolio master► Security master

► P&L data► Cleansed actual

P&L► Product listing

► Approved product► Limit master

Data storageand manipulation► Data cleansing

► Outliers detection► Missing data detection► Stale data detection

► Data storage► Data transformation

► Bootstrapping► Volatility surface► Dividends► Equity adjustments

► Risk factors mapping

Pre-calculation► Product decomposition► Position consolidation► Model mapping► Test scenarios setting► Parameter updates

Measurementengines► Risk calculation

► Model calibration► Fair value models► VaR models► Stressed VaR models

► Back-testing► Hypothetical P&L► Actual P&L

► Stress testing► Risk reserves

Reporting► Report configuration► Report templates► Report generation► Distribution list► Feedback


MarketRiskManagementSystem

Stakeholders► Market risk function► Risk-taking units ► IT management unit► Control function ► Senior management

Data collection► Market data

► Bloomberg► Reuters

► Position data► Trading systems► Portfolio master► Security master

► P&L data► Cleansed actual

P&L► Product listing

► Approved product► Limit master

Data storageand manipulation► Data cleansing

► Outliers detection► Missing data detection► Stale data detection

► Data storage► Data transformation

► Bootstrapping► Volatility surface► Dividends► Equity adjustments

► Risk factors mapping

Pre-calculation► Product decomposition► Position consolidation► Model mapping► Test scenarios setting► Parameter updates

Measurementengines► Risk calculation

► Model calibration► Fair value models► VaR models► Stressed VaR models

► Back-testing► Hypothetical P&L► Actual P&L

► Stress testing► Risk reserves

Reporting► Report configuration► Report templates► Report generation► Distribution list► Feedback

senior management have incomplete or inaccurate information, their decisions may magnify risks rather than mitigate them. Serious consideration should be given by the board to instituting periodic reviews of the amount and quality of information the board receives or should receive. The following reports could be suitable for the board:

• Trends in aggregate price risk

• Compliance with board-approved policies and risk limits

• Summary of performance relative to objectives that articulates risk-adjusted return

• Results of stress testing

• Summary of current risk measurement techniques and management practices (annually)

Senior management – The following reports could be suitable for the senior management or specialized committee responsible for the supervision of market risk:

• Trends in exposure to applicable price risk factors (e.g., interest rates, volatilities, etc.)

• Compliance with policies and aggregate limits by major business


• Major new product developments or business initiatives

• Results of stress testing including major assumptions

• Summary of current risk measurement techniques and management practices, including results of validation and back- testing exercises (annually)

Risk-taking units – The following reports could be suitable for the risk-taking units:

• Detailed profit and loss statement by sub-unit (e.g., desk), product or individual

• Summary of major exposures

• Compliance with policies and procedures, including limits, which should detail exception frequency and trends

• Aggregate exposure versus limits


• Valuation reserve summary

• Major new product developments or business initiatives

• Results of stress testing including major assumptions

• Periodic reports on market risk model development, which should include independent certifications and periodic validation and back-testing of models

Dealing rooms – The following reports could

be suitable for dealing rooms of the risk-taking units:

• Detailed profit and loss report, by desk

• Sensitivity modeling of significant exposures (e.g., position reports), which can be selected by management or the risk control group, and should include a sensitivity matrix indicating the vulnerability of the position to various changes in the variables affecting price

• Compliance with limits

• Summary of performance versus objectives that articulates risk-adjusted return

• New product developments or business initiatives

• Errors and omissions

Trading desk – The following reports could be suitable for the trading desk level of the risk-taking units:

• Detailed breakdown of all positions, including cash flows

• Detailed profit and loss report, by portfolio and trader

• Sensitivity modeling of all positions, which should include a sensitivity matrix indicating the vulnerability of the position to various changes in the variables affecting price

• Compliance with limits



Quality requirementsMarket data► Cleansing► Transformation► Risk factors mapping

Position data► Reconciliation► Portfolio mapping► Model mapping & decomposition

Risk measurement► Mark-to-market/model and

Greeks

► VaR (including incremental VaRand stressed VaR)

► Backtesting VaR model► Limit monitoring

Stress testing► Scenario analysis► Sensitivity analysis► Ad-hoc risk analysis

The integration of good quality data from different IT systems for the generation of risk measurements.

TradingSystem

DataWarehouse

• Errors and omissions

• Product specific detail, e.g., contracts maturing or expiring, pertinent concentration information, etc.

Ideally, management reports should be generated by risk management or control functions independent of the risk-taking units. When risk-takers provide information (e.g., valuations or volatilities on thinly traded derivative contracts) for management reports, senior management should be informed of possible weaknesses in the data, and these positions should be audited frequently.

Market risk measurement and assessment systems

Banks should put in place effective systems and tools for the measurement of various quantifiable market risks and for the assessment of less quantifiable market risks. These systems and tools should also be able to monitor the changes in market risk factors (e.g., rates and prices) and other market conditions on a daily or more frequent basis. The systems should, wherever feasible, be able to assess the probability of future losses. It should also enable the banks to identify promptly and take quick remedial action in response to adverse changes in market factors.

Banks should implement suitable measures for the market risks assumed. The monitoring of these measures should be integrated into

the daily market risk management process, with support by the market risk management information systems.

Measurement of market risks usually starts with measuring the market risk exposures of transactions or portfolios as fair values. Banks should ensure that their valuation processes are robust and critically reviewed by parties that are independent of the risk-taking units (e.g., trading functions). Trading positions are generally marked-to-market so that the fair values reflect the latest market circumstances. Alternatively, marked-to-model is performed when there are insufficient market data to allow the use of marking-to-market. The market risk measurement systems should also provide information on the outstanding positions and their unrealized profit or loss as well as their attributions.

Banks should have the resources and technical competence to accommodate volume increases, new valuation methodologies and emergence of new products. Banks should also be able to value their positions, both vanilla and complex, in times of market stress, based on sound valuation practices. For exposures that represent material market risk, banks should have the capacity to produce valuations using alternative methods in the event that primary inputs and approaches become unreliable, unavailable or irrelevant due to market disruptions or illiquidity.

Different methods or models may be used

to assess or measure each type of risk. For example, a number of value-at-risk approaches such as historical simulation, variance-covariance method or Monte Carlo simulation can be used to estimate the exposure of a bank to various types of market risk. Recently there are additional market risk measurement requirements being developed to complement existing methodologies, for example, stressed value-at-risk.

When a bank determines the methods or models to be adopted for risk measurement or assessment, it may, among other things, consider the following factors:

• The nature, scales and complexity of the related business activities

• The business needs, the purpose of the risk measure and the implication

• The market practice such as how market participants in general price or value the position or measure the market risk of a position

• The availability of suitable market data to be used as inputs or to calibrate the models

• The sophistication of the market risk management information system, including its computational capacity

• The level of expertise and experience of the staff involved

The board or its designated specialized

The integration of good quality data from different IT systems for the generation of risk measurements.

Consistency

Independence

Timeliness

Reliability



committee and senior management should recognize the main assumptions and weaknesses embedded in the models or methodologies chosen in order to better assess the results generated. They should also be satisfied with the adequacy and appropriateness of the key assumptions, data sources and procedures used to measure or assess the risk.

Banks are usually required by their supervisor to calculate capital for market risk using either the “standardized approach” of the “internal models approach”. When a bank chooses to use the results of their internal models as the dominant market risk measures, they must be closely integrated into its daily risk management process. The outputs should be an integral part of the bank’s market risk management framework, which includes the planning, monitoring and controlling the bank’s market risk. When value-at-risk generated by internal models is used as a risk measure, it should be used in determining some of the bank’s trading limits. The relationship between a bank’s internal models and those limits should be maintained consistently over time and understood by the bank’s senior management and staff in the risk-taking units.

The accuracy and reliability of a risk measurement method or model (e.g., value-at-risk) used by the bank should be verified against the actual results through regular back-testing. On the other hand,

valuation models and methodologies used in measuring exposures should be tested against market transactions or quotations regularly to ensure that they are still reasonable and reflective of the economics of the traded financial instruments.

Models and methodologies used in risk measurement and stress tests should be appropriate, consistently applied, and have reasonable assumptions. They should be validated by parties that are independent from the development and implementation before deployment. The personnel involved in the validation process should be adequately qualified. Models and methodologies should be periodically reviewed to ascertain the completeness of position data, the accuracy, independence and reliability of risk factors and model parameters, as well as the reasonableness and applicability of model assumptions. More frequent reviews may be necessary if there are changes in models, methodologies, assumptions or when there are new developments in the market conditions that affect the applicability of the original models or assumptions. Reviews should also be triggered by exceptional profits and losses revealed by the periodic back-testing of the internal models.

A bank should have a sufficient number of staff who are qualified and trained to use the bank’s internal models in the bank’s business, risk management and control, audit, finance and back office functions so that they are able to work effectively in

identifying, measuring and controlling the bank’s market risk.

The bank should create and maintain a set of clear documentation of the internal models used in the risk measurement systems covering their theoretical background and limitations. It should also include the internal policies, controls and procedures relating to the operations of the models and a detailed description of the system of monitoring implemented to ensure compliance.

Sensitivity analysis and stress-testing

Banks should have adequate systems and capability to measure the sensitivity of valuation, profit and loss or other risk measurement against a change in one or a combination of risk factors (e.g., exchange rate and equity prices). Banks should also conduct stress tests to:

• Identify remote but plausible market events or changes that may be adverse to the overall risk profiles and financial positions of the banks

• Address existing and potential risk concentration

• Facilitate the development of risk management tools and risk mitigating measures or contingency plans across a range of stressed conditions

Sensitivity analyses and stress tests are usually required by the supervisors to be

Illustration of value-at-risk.



conducted regularly on firm-wide basis as well as on major business activities, including operations that expose the bank to market risk. Stress scenarios should be comprehensive and forward-looking, so there should be a robust process in developing and updating stress scenarios, which should be understood by the board and senior management for their approval. Stress scenarios should cover risk factors that can significantly affect the bank or the performance of its risk-taking units.

In market risk management, existence of a rigorous and comprehensive market risk stress-testing program is usually part of the minimum requirements for banks to adopt internal models to measure market risk for capital calculation. This is because internal models used in measuring exposures (e.g., fair values) usually reflect the current market situations by using the current market, while those used for risk measurement (e.g., value-at-risk) is backward looking and rely on historical market information. Thus sensitivity analyses and stress tests become important tools in supplementing the internal models by shedding light on the impact of some low probability events. For example, how badly the bank would be affected if the loss is more extreme than the value-at-risk can be captured at its stated confidence interval or calculation period.

When stress tests are implemented for

market risk management purposes, both market risk and liquidity aspect of market disturbances should be incorporated. For example, a bank may not be able to unwind some trading positions quickly enough during a stressed scenario for a prolonged period of time and the values of these positions may be very volatile when the bank is forced to keep these positions. Banks are usually required by their supervisors to use some supervisory stress scenarios as well as some internally developed stress scenarios to reflect the specific characteristics of the market risk and liquidity risk exposed by the bank due to the structure of its trading portfolios.

The involvement of the board and the senior management is important in setting stress-testing objectives, defining stress scenarios, discussing the results, assessing the potential remedial actions and making relevant decisions. The stress-testing outcomes should be taken into account in the setting of risk strategy and risk appetite, setting of risk management policies and market risk limits.

Bank supervisors usually expect the bank to demonstrate how it combines the value-at-risk measures generated from internal models and the results of the periodic stress tests to arrive at the overall internal capital for market risk. If a supervisor considers that a bank does not have sufficient internal capital to cover the results of the bank’s

An overview of the stress testing process for market risk.

stress tests, it may consider requiring the bank to reduce its market risk exposures or hold additional capital.


Stress tests► Sensitivity analysis► Historical scenario► Hypothetical scenario

Scenarios

Risk factors

Shock size

► Result interpretation► Internal reporting► Regulatory reporting► Strategy planning► Setting risk appetite► Contingency planning

An overview of the stress testing process for market risk.


Internal controls, audits and compliance

Internal control system

A sound internal control system is a critical component to support an effective risk management system. An appropriately structured internal control system should:

• Facilitate effective and efficient operations

• Provide reliable financial and other relevant information

• Safeguard assets of the bank

• Minimize the operational risk of losses resulting from irregularities, fraud and errors

• Ensure effective and reliable risk management systems

• Ensure compliance with relevant rules, regulations and internal policies

An effective internal control system requires a strong control environment and culture. It requires the full support of the board and senior management. The bank’s internal audit function should evaluate the performance of the internal control system on a regular basis. A bank’s internal control system should cover, among other things, the following:

High level controls – For example, delegation of authority, written policies and procedures, separation of critical functions (e.g., risk-taking units and risk management functions)

“We really try to inculcate that risk is everyone’s business, drive risk to the front line. It is our first line of defense. The second line is the CRO [chief risk officer], who sets up the frameworks [and] guidelines and monitors the first line. The third line is the auditors and consultants.”

A director spoke in 2010 Bank Directors Summit in London for 18 of the world’s largest and most complex banks. The Summit was co-hosted by Tapestry Networks and Ernst & Young.

Controls relating major functional areas – For example, segregation of duties within a function (e.g., the risk-taking units), authorization of approval, limit monitoring, physical access controls

Controls relating to financial accounting – For example, reconciliation of nostro accounts, reconciliation between the trading system and back-office system, review of suspense accounts, annual budgeting, management reporting, compilation of returns to supervisors

Controls relating to information technology – For example, security management, system development and change management, information processing, communications networks, management of technology service providers

Control relating to compliance with statutory and regulatory requirements The internal control system is particularly important for a bank to implement its market risk management system successfully since market risk is required to be managed across functions and systems so the existence of an effective internal control system ensure market risk management systems are being applied as designed. For example:

• A market risk management or control function to monitor the limits utilization of the risk-taking units


Internal controls are designed, among other things, to ensure that each key risk has a policy, process or other measure, as well as a control to ensure that such policy, process or other measure is being applied and works as intended.


• The valuation of risk exposures are measured by the risk management function and finance function for risk management and financial reporting purposes, respectively, which may require regular reconciliation

• The information of the market risk positions is initially captured in the information system used by the risk- taking units. The information is further transferred and used by the finance function for accounting purposes, by the back office control function for settlement purposes, by the risk management function for risk management purposes, etc. All of these require information systems and functions working together seamlessly and cross-checked for error detection

• Some information, such as market data, used in financial reporting or market risk management may be originated from the risk-taking units, which requires proper review for reasonableness

Internal audit function

Bank supervisors generally expect the internal audit function to perform independent periodic checking on whether the risk management framework approved by the board is properly implemented and the established policies and procedures are complied with. The scope and frequency of an audit may vary but they should be

increased if there are weaknesses in the internal controls, major changes to risk management systems or business situations or new products are introduced.

The internal audit function should be objective and avoid conflicts of interest in performing their duties. They should have the power to choose the business or operating units to be audited and have full access to the documents and records. They should also have access to the board or the specialized committee (e.g., audit committee) to ensure that their audit findings are communicated and ensure that senior management acts upon their recommendations. The internal audit function should have sufficient resources. They should have sufficiently qualified staff that possesses relevant expertise and experience with market risk management processes, systems and methodologies. This is usually challenging for the internal audit function of banks in emerging economies.

The internal audit function should employ a methodology that identifies the key risks in the bank’s risk management and allocates their resources accordingly. For market risk management, an internal audit may cover:

• The market risk positions and the market risk level

• The adequacy of written internal policies and procedures

• The organizational structure and governance relating to the market risk management, including the independence of the market risk management function, the sufficiency of resources at the market risk management function, etc.

• The proper coverage of different risk categories relating to market risk by the risk management function

• The compliance to the written internal policies and procedures relating to market risk management

• The reliability of data and the reasonableness of assumptions used in the market risk management systems

• The accuracy and completeness of position data and their internal controls, the consistency and timeliness of market data and their independence from the risk-taking units

• The appropriateness of market risk measurement methodology and the accuracy of the calculation results

• The effectiveness of the risk limit framework

• The appropriateness of the back-testing and stress test process and reporting process

• The market risk capital calculation and allocation

Internal controls are maintained across functions.

Internal controls, audits and compliance

Internal controls are maintained across functions.


List of references

Basel guidance

Enhancement是s to the Basel II Framework, Basel Committee on Banking Supervision, July 2009

Guidelines for Computing Capital for Incremental Risk in the Trading Book, Basel Committee on Banking Supervision, July 2009

Interpretive Issues with Respective to the Revisions to the Basel II Market Risk Framework, Basel Committee on Banking Supervision, 31 December 2010

Messages from the Academic Literature on Risk Measurement for the Trading Book, Basel Committee on Banking Supervision, 31 January 2011

Principles for Enhancing Corporate Governance, Basel Committee on Banking Supervision, October 2010

Principles for Sound Stress Testing Practices and Supervision, Basel Committee on Banking Supervision, May 2009

Revisions to the Basel II Market Risk Framework, Basel Committee on Banking Supervision, July 2009

Revisions to the Basel II Market Risk Framework, Basel Committee on Banking Supervision, December 2010

Others

A Review of Corporate Governance in UK Banks and Other Financial Industry Entities, David Walker, July 2009

Final Report of the IIF Committee on Market Best Practices: Principles of Conduct and Best Practice Recommendations, Institute of International Finance, July 2008

Guidelines on Market Risk, Volume 2: Standardized Approach Audit, Oesterreichische Nationalbank, Austria, September 1999

Guidelines on Market Risk, Volume 3: Evaluation of Value-at-Risk Models, Oesterreichische Nationalbank, Austria, September 1999

Guidelines on Market Risk, Volume 5: Stress Testing, Oesterreichische Nationalbank, Austria, September 1999

Guidelines on Risk Management Practices – Market Risk, Monetary Authority of Singapore, February 2006

Internal Control, Comptroller’s Handbook, Comptroller of the Currency Administrator of National Banks, US, January 2001

Model Validation, Bulletin 2000-16, Comptroller of the Currency Administrator of National Banks, US, May 2000

Observations on Developments in Risk Appetite Frameworks and IT Infrastructure, Senior Supervisors Group, December 2010

Prudential Practice Guide APG 116 – Market Risk, Australian Prudential Regulation Authority, January 2008

Prudential Standard APS 116 – Capital Adequacy: Market Risk, Australian Prudential Regulation Authority, November 2007

Risk Management Lessons from the Global Banking Crisis of 2008, Senior Supervisors Group, October 2009

Risk Management of Financial Derivatives, Comptroller’s Handbook, Comptroller of the Currency Administrator of National Banks, US, January 1997

Supervisory Policy Manual Module CA-G-3: Use of Internal Models Approach to Calculate Market Risk, Hong Kong Monetary Authority, July 2007

Supervisory Policy Manual Module IC-1: General Risk Management Controls, Hong Kong Monetary Authority, December 2010

《商业银行市场风险管理指引》, China Banking Regulatory Commission, December 2004


Contact us

Effie Xin

Partner and Greater China Leader

Financial Services Risk Management

[email protected]

Lawrence Luo

Executive Director


[email protected]

Sky So

Associate Director


[email protected]

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 152,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

Ernst & Young is a leader in serving the global financial services marketplace

Nearly 35,000 Ernst & Young financial services professionals around the world provide integrated assurance, tax, transaction and advisory services to our asset management, banking, capital markets and insurance clients.

Ernst & Young professionals in our financial services practices worldwide align with key global industry groups, including Ernst & Young’s Global Asset Management Center, Global Banking & Capital Markets Center, Global Insurance Center and Global Private Equity Center, which act as hubs for sharing industry focused knowledge on current and emerging trends and regulations in order to help our clients address key issues. Our practitioners span many disciplines and provide a well-rounded understanding of business issues and challenges, as well as integrated services to our clients.

With a global presence and industry-focused advice, Ernst & Young’s financial services professionals provide high-quality assurance, tax, transaction and advisory services, including operations, process improvement, risk and technology, to financial services companies worldwide.

It’s how Ernst & Young makes a difference.

Assurance | Tax | Transactions | Advisory

Ernst & Young

© 2012 Ernst & Young , China. All Rights Reserved. FEA no. 00000051

This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither Ernst Young China practice nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

ey overview market-risk-management en 1

Documents