Financial Risk Management

Risk management, as it is understood today, largely emerged during the early 1990s, but the term “risk management” was used long before this. Since the 1960s, it has been – and frequently still is – used to describe techniques for addressing insurable risks.

This form of “risk management” encompasses:

• risk reduction through safety, quality control and hazard education,
• alternative risk financing, including self-insurance and captive insurance, and
• the purchase of traditional insurance products, as suitable.

More recently, derivative dealers have promoted “risk management” as the use of derivatives to hedge or customize market-risk exposures. For this reason, derivative instruments are sometimes called “risk management products.”

The new “risk management” that evolved during the 1990s is different from either of the earlier forms. Often called “financial risk management,” it treats derivatives as a problem as much as a solution. It focuses on reporting, oversight and segregation of duties within organizations.

Origins

Gerald Corrigan (1992), then President of the New York Federal Reserve, set a tone for the new financial risk management in an addressed the New York Bankers Association:

… the interest rate swap market now totals several trillion dollars. Given the sheer size of the market, I have to ask myself how it is possible that so many holders of fixed or variable rate obligations want to shift those obligations from one form to the other. Since I have a great deal of difficulty in answering that question, I then have to ask myself whether some of the specific purposes for which swaps are now being used may be quite at odds with an appropriately conservative view of the purpose of a swap, thereby introducing new elements of risk or distortion into the marketplace – including possible distortions to the balance sheets and income statements of financial and nonfinancial institutions alike.

I hope this sounds like a warning because it is. Off-balance sheet activities have a role, but they must be managed and controlled carefully, and they must be understood by top management as well as by traders and rocket scientists.

Responding to spreading concerns about OTC derivatives, in July 1993, the Group of 30 published a 68-page report entitled Derivatives: Practices and Principles. It has come to be known as the G-30 Report. It describes then-current derivatives use by dealers and end-users. The heart of the study is 20 recommendations to help dealers and end-users manage their derivatives activities.

Topics addressed include:

• the role of boards and senior management,
• the implementation of independent financial risk management functions, and
• the various risks that derivatives transactions entail.

With regard to the market risk faced by derivatives dealers, the report recommends that portfolios be marked-to-market daily, and that market risk be assessed with both value-at-risk and stress testing. It recommends that end-users of derivatives adopt similar practices as appropriate for their own needs.

Although the G-30 Report focuses on derivatives, most of its recommendations are applicable to the risks associated with other traded instruments. For this reason, the report largely came to define the new financial risk management of the 1990s.

In October 1994, following closely on the heels of the G-30 Report, JP Morgan launched its free RiskMetrics service. A public relations firm placed ads and articles in the financial press. Representatives of JP Morgan went on a multi-city tour to promote the service. Software vendors, who had received advance notice, started promoting compatible software. RiskMetrics got treasury professionals at non-financial firms talking about value-at-risk specifically and the new financial risk management generally.

RiskMetrics was released during a period of publicized financial losses, including:

• Metallgesellschaft (December 1993). MG Refining and Marketing, a US subsidiary of Germany’s Metallgesellschaft AG, had a program of selling long-dated fuel and oil supply commitments to end-users. These had embedded options designed to mimic for clients the optionality of holding physical supplies. MG used a “stack and roll” hedging program to hedge the long-term obligations with short-term futures. When oil prices dropped in the Fall of 1993, large variation margin calls on the futures caused liquidity problems. The firm turned to its banks for hundreds of millions of dollars in financing. Alarmed by the situation, Metallgesellschaft’s supervisory board intervened, replacing the CEOs of both Metallgesellschaft and MG. They unwound outstanding positions at a USD 1300MM loss. In retrospect, it is clear that the firm’s “stack and roll” hedges were unsound from a liquidity standpoint. What is less clear is the extent to which the final loss was due to overreaction of the supervisory board, which unwound positions at fire-sale prices.
• Orange County (November 1994): Orange County, California has an investment pool that supports various pension liabilities. The pool lost USD 1700 MM from structured notes and leveraged repo positions. The treasurer, Robert Citron, took the positions with oversight from the county’s five-person board of supervisors. The riskiness of the pool’s investments was publicly discussed when Citron ran for and won, reelection in 1994. Members of the board of supervisors claim that they did not receive critical information which would have indicated the risks that Citron was taking.
• Barings Bank (February 1995): Barings Plc lost GBP 827MM because a Singapore-based trader, Nick Leeson, took unauthorized futures and options positions linked to the Nikkei 225 and Japanese government bonds (JGBs). At the height of his activities, Leeson controlled 49% of open interest in the Nikkei 225 March 95 contract. Despite having to finance margin calls as the bank lost money, the Barings’ board and management claim to have been unaware of Leeson’s activities.
• Daiwa Bank (September 1995): One of Daiwa Bank’s US-based bond traders, Toshihide Iguchi, concealed USD 1100MM in bond losses over a ten year period. When management learned of the losses, they attempted to hide them from US regulators. Ultimately, Daiwa was forced to cease its US operations and was fined $340MM in a plea agreement with US prosecutors.
• Sumitomo Corp. (June 1996): Sumitomo’s head copper trader, Yasuo Hamanaka, disguised losses totalling USD 1800MM over a ten year period. During that time, Hamanaka performed as much as USD 20 billion of unauthorized trades a year. He was able to hide his activities because he headed his section and had trade confirmations sent directly to himself, bypassing the back office.

By the mid-1990s, regulatory initiatives, concerns about OTC derivatives, the release or RiskMetrics, and publicized losses had created a flurry of interest in the new financial risk management and related techniques.

Definition

So what is this risk management? Risk management – or financial risk management, should we want to distinguish it from other uses of the word – can be defined as:

Practices by which a firm optimizes the manner in which it takes financial risk.

It includes monitoring of risk-taking activities, upholding relevant policies and procedures, and distributing risk-related reports.

Note that financial risk management is not about optimizing risk in some sense. That is the province of the board of directors and senior management, perhaps working with more tactical risk-takers such as traders or portfolio managers. No, financial risk management is about optimizing the manner in which risk is taken. Accordingly, financial risk management isn’t about managing anything. It is really about facilitating.

A related concept is enterprise risk management, which is the extension of financial risk management, in some sense, to non-financial contingencies. It is a somewhat elusive concept that means different things to different people. Firms have experimented with the concept, combining financial risk management, insurance purchasing, and contingency planning into a single business unit. A challenge has been the culture clash between the worlds of finance and insurance. Few professionals are expert in both.

Organizationally, financial risk management is implemented in different ways. There may be, within the board of directors, a risk committee. Usually, there is some sort of risk oversight committee, comprising senior managers. In practice, various names are given to these two committees. A senior manager, called the head of risk management or chief risk officer (CRO), reports to the risk oversight committee. This head of risk management may oversee a single department called the risk management department. Professionals working within that department, called risk managers, are responsible for facilitating the taking of applicable financial risks – market risks, credit risks and operational risks – by other departments within the firm. In larger organizations, there may be more specialization.

The head of risk management might oversee three professionals:

• A head of market risk management,
• A head of credit risk management, and
• A head of operational risk management.

Each would oversee a respective department. Other arrangements are also possible.

Functionally, there are four aspects of financial risk management.

Success depends upon:

• A positive corporate culture,
• Actively observed policies and procedures,
• Effective use of technology,
• Independence or risk management professionals.

Culture

It is a fact that an organization will only manage risk if its members want to manage risk. Regulators struggle with this every day. They can force a bank to implement a multi-million dollar value-at-risk system. They can require an insurance company to implement hundreds of pages of procedures. But they cannot force an institution to effectively manage risk.

It is individuals who decide whether or not they are going to manage organizational risk. Unfortunately, there is a big incentive for them to choose not to. The very sorts of behaviour which reduce organizational risk entail significant personal risk.

For example:

• A clerk who blows the whistle on a trader may get the problem resolved, or he may end up without a job.
• A board member who wishes to expand the use of financial risk management must stick her neck out. At the risk of appearing alarmist, she must suggest that potentially significant problems are not currently being addressed.
• A trader – whose compensation depends primarily upon his reputation in the organization – can only manage risk if he first acknowledges that he is capable of making mistakes.
• An executive who wishes to address the risk of employee fraud may risk alienating his own colleagues.

Risk management is about rocking the boat, asking questions and challenging the establishment. No one can manage risk if they are not prepared to take risk.

While individual initiative is critical, it is corporate culture which facilitates the process. Corporate culture defines what behaviour the members of an organization will condone – and what behaviour they will shun. Corporate culture plays a critical role in financial risk management because it defines the risks which an individual must personally take if they are going to help to manage organizational risks.

A positive risk culture is one which promotes individual responsibility and is supportive of risk-taking.

Characteristics include:

• Individuals making decisions: Group decision making can be ineffective if no one is personally accountable. When a single person makes a decision – possibly with the help or approval of others—that individual is accountable. His reputation is on the line, so he will carefully analyze the issues before proposing a course of action.
• Questioning: In a positive risk culture, people question everything. Not only does this identify better ways to do things. It also ensures that people understand and appreciate procedures.
• Admissions of ignorance: Mark Twain once said “I was gratified to be able to answer promptly. I said I don’t know.” Admitting that we don’t know entails significant personal risk. A positive risk culture supports such honesty at every level of an organization.

No risk culture is perfect. Fortunately, few are beyond repair. The challenge of financial risk management is to honestly assess an organization’s culture, and then work to improve it.

Policies & Procedures

When you mention policies and procedures, people are likely to roll their eyes, as thoughts of red tape and bureaucracy flood their thoughts. This is unfortunate. Used correctly, procedures are a powerful tool of financial risk management.

The purpose of policies and procedures is to empower people. They specify how people can accomplish what needs to be done. It is only when policies and procedures are neglected or abused that they become an impediment.

The success of policies and procedures depends critically upon a positive risk culture. Hundreds of pages of procedures, neatly printed and sitting on a shelf, are useless if no one uses them. However, even a simple set of procedures can make an enormous difference for an organization if people believe in them and take personal responsibility for upholding them.

Procedures systematize the process of financial risk management. Consider market risk limits. These are a form of procedure which systematize oversight of market risk. They make explicit how much risk is too much risk for any given segment of a portfolio.

Without risk limits, someone would have to track the risks being taken by individual traders and apply their own subjective judgment as to how much is too much. Should they decide to act on their subjective judgment that a trader is taking too much risk, the affected trader may reasonably feel that the decision is arbitrary or unfair – she might ask: “what about the market opportunity I was pursuing or the client whose needs I was trying to meet?”

Whenever procedures do not exist, there is increased potential for disagreement, misunderstanding and conflict. A lack of procedures increases the personal risk that individuals must take if they are going to manage organizational risk. Accordingly, a lack of procedures tends to promote inaction.

Effective procedures, on the other hand, empower people. They layout specifically what people should do – and what they should not do – in a given situation. By reducing uncertainty – individual risk—they promote action.

Examples of procedures include:

• Board procedures: Every board of directors or governing body should operate under a set of procedures which address conflicts of interest, clarify personal responsibility and facilitate the discussion and resolution of difficult or contentious issues.
• Lines of reporting: Everyone in an organization should report to a single person. The line of reporting should be explicit. A worthwhile illustration for this is the Bank of England’s report on the Barings collapse. That report identifies four different people who may have had oversight responsibility for Nick Leeson.
• Trading authority: Whenever an organization engages in a new form of market activity – such as the use of a new form of transaction, a new hedging strategy or proprietary trading – there should first be a formal review and approval process. A streamlined procedure should apply for granting new responsibility to any trader.
• Risk limits: Market and credit risk limits represent procedures for managing risk. There should also be procedures for establishing and reviewing such limits in order to assure that the system of limits remains effective.

An organization should have formal procedures for changing policies or procedures. Experienced risk managers know that proposals for an informal or hasty change to procedures sometimes indicate an effort to cover up something that existing procedures would otherwise highlight. Also, because procedures become outdated over time, it is easy for organizations to change how they operate without formally recognizing that the change is taking place. Informal practices evolve out of habit, instead of by a deliberate process. Because they may be adopted out of necessity or convenience – without considering how they impact organizational risk – they, too, are a source of risk.

Often, periods of change are a time of increased risk for an organization. Procedures for changing policies or procedures are an excellent mechanism that encourages people to recognize changes as they are taking place and formally address the risks that they pose.

Technology

The primary role technology plays in financial risk management is risk assessment and communication. Technology is employed to quantify or otherwise summarize risks as they are being taken. It then communicates this information to decision-makers, as appropriate. Technology might include a VaR system or portfolio credit risk system. It can include financial engineering technology for independently marking to market positions. It may include an interactive risk report that is electronically circulated to managers every day.

For many institutions, such as banks or securities firms, technology is a critical component of financial risk management. For other organizations, including some non-financial corporations or pension plans, technology plays a lesser role.

For institutions which rely heavily on technology, there is always a risk of the cart being placed before the horse, with technology becoming the focus of financial risk management. If an organization launches a risk management initiatives by first allocating money to the project and then issuing a request for proposal, that can be a warning sign.

A more staged approach starts off by recognizing that financial risk management is primarily about people – how they think and how they interact with one another. Technology is just a tool. In the wrong hands, it is worse than useless, but applied appropriately, it can transform an organization.

A good approach to implementing an enterprise risk management initiative is:

• Initially allocate minimal funding for the initiative, but ensure that board members, senior management or other supervisors are involved in the process.
• Start by planning a financial risk management strategy that involves no technology at all. This can be an empowering exercise. It focuses participants on the procedural and cultural issues of financial risk management. Ultimately, it is these which determine the success of an initiative.
• Once you have decided on a strategy for managing risk, then determine where technology needs to be incorporated or where it can enhance the strategy.

Independence

For financial risk management to succeed, risk managers must be independent of risk-taking functions within the organization.

Holton (2004) defines independence as comprising the following four criteria:

• Risk managers have reporting lines that are independent of those of risk-taking functions.
• Except at the highest levels, risk-takers have no input on the performance reviews, compensation or promotion of risk managers, and conversely.
• Employees cannot switch from one role to the other. Those hired into financial risk management stay in financial risk management; those hired as risk-takers stay as risk-takers.
• Risk managers do not take risks on the firm’s behalf. They do not advise on which risks to take. They express no opinions about the desirability of any particular risks.

The first three items are straightforward. The fourth is more subtle – or perhaps, controversial. It speaks to the very heart of what constitutes financial risk management. Let’s briefly address the first three items and then proceed to the question: what is the role of financial risk management, anyway?

Enron’s experience with financial risk management is instructive. The firm maintained a risk management function staffed with capable employees. Lines of reporting were reasonably independent in theory, but less so in practice. The group’s mark-to-market valuations were subject to adjustment by management. The group had few career risk managers. Enron maintained a fluid workforce. Employees were constantly on the lookout for their next internal transfer. Those who rotated through risk management were no different. A trader or structurer whose deal a risk manager scrutinized one day might be in a position to offer that risk manager a new position the next. Astute risk managers were careful to not burn bridges. Even worse, risk managers were subject to Enron’s “rank and yank” system of performance review. Under that system, anyone could contribute feedback on anyone, and the consequences of a bad review were draconian. Risk managers who blocked deals could expect to suffer in “rank and yank.”

Of the above four criteria for independence, Enron was weak on the first but utterly failed to satisfy the second two. Despite the sophistication of individual employees, financial risk management at Enron was hollow.

Proceeding now to the fourth criteria for independence, we want to distinguish between risk-taking and risk management. Within firms, there are strategic and tactical risk-takers. The CEO and other senior managers are strategic risk-takers. They formulate a strategy for the firm that entails taking certain risks. They communicate the strategy to tactical risk takers—including traders, structurers, and asset managers—whose job it is to implement that strategy. This is how businesses have operated for hundreds of years, so where do risk managers fit in? While not typically acknowledged, there are two competing models.

According to one model, strategic and tactical risk-takers need help taking a risk. Under this theory, super risk takers – risk managers – are required to intervene. They identify risks that should be avoided and, in doing so, risks that should be taken. In this manner, risk managers help the less qualified strategic and tactical risk-takers do their jobs.

There is much wrong with this model. First, it is redundant. If strategic or tactical risk-takers are not capable of doing their jobs, the answer is not to hire a super risk taker to do it for them. Rather, it is to replace them with strategic and tactical risk-takers who are up to the task. Second, it undermines accountability. If a trade turns sour, is the trader at fault, or is the risk manager who failed to block the deal? Third, it leads to conflict. While strategic risk-takers will never feel threatened that a super risk taker might usurp their prerogatives, tactical risk-takers often do. At some firms, the result has been a cold war between the front and middle offices. Finally, risk managers are positioned to be used as scapegoats. With corporate scandals fresh in memory, we can understand why some senior executives may be all too happy ascribing full responsibility for risk-taking to a chief risk officer. With this model, risk management can become a device for executives to manage career risk as opposed to a device for managing corporate risk.

The alternative model is that risk managers are facilitators. Strategic and tactical risk-takers are responsible for deciding what risks to take. Risk managers facilitate the process by ensuring effective communication between the two groups. They help strategic risk-takers communicate through policies, procedures and risk limits. They help tactical risk-takers communicate by preparing risk reports that describe the risks they are taking. To avoid the pitfalls of the risk-managers-as-super-risk-takers model, risk managers must have no authority to take risk on the firm’s behalf. They do not advise on risk-taking issues because, if their advice is routinely followed, they will become de facto risk-takers. To avoid the semblance of giving advice, they express no opinions about the desirability of taking any particular risks. It is one thing for a risk manager to measure risk. It is entirely another for the risk manager to express an opinion that the risk is too large or otherwise not worth taking. With risk managers not expressing opinions, tactical risk-takers don’t feel threatened … so there is no cold war. With risk managers not responsible for taking risks, there is little possibility of shifting blame to them when things go wrong.

In light of the merits of the risk-managers-as-facilitators model, the very term “risk manager” seems a misnomer. Perhaps it would be more appropriate to describe them as “risk facilitators.”

Cite Term

Definition Sources