Risk has two components namely uncertainty and exposure. If both are not present, there is no risk. If a man jumps out of an airplane with a parachute on his back, he may be uncertain as to whether or not the chute will open. He is taking risk because he is exposed to that uncertainty. If the chute fails to open, he will suffer personally. In this example, a typical spectator on the ground would not be taking risk. They may be equally uncertain as to whether the chute will open, but they have no personal exposure to that uncertainty. Exceptions might include: A spectator who is owed money by the man jumping from the plane. A spectator who is a member of the man’s family. Such spectators do face risk because they may suffer financially and/or emotionally should the man’s chute fail to open. They are exposed and uncertain.
CONCEPT OF RISK
A synonym for uncertainty is ignorance. We face risk because we are ignorant about the future. After all, if we were omniscient, there would be no risk. Because ignorance is a personal experience, risk is necessarily subjective. Consider another example: A person is heading to the airport to catch a flight. The weather is threatening and it is possible the flight has been cancelled. The individual is uncertain as to the status of the flight and faces exposure to that uncertainty. His travel plans will be disrupted if the flight is cancelled. Accordingly, he faces risk. Suppose another person is also heading to the airport to catch the same flight. This person has called ahead and confirmed that the flight is not cancelled. Accordingly, he has less uncertainty and faces lower risk. In this example, there are two individuals exposed to the same event. Because they have different levels of uncertainty, they face different levels of risk. Risk is subjective. Institutions can reduce some risks simply by researching them. A bank can reduce its credit risk by getting to know its borrowers. A brokerage firm can reduce market risk by being knowledgeable about the markets it operates in. Risk is a personal experience, not only because it is subjective, but because it is individuals who suffer the consequences of risk. Although we may speak of companies taking risk, in actuality, companies are merely conduits for risk. Ultimately, all risks which flow through an organization accrue to individuals stock holders, creditors, employees, customers, board members, etc.
TYPES OF RISK
Following are the types of risk
1. Credit risk
Credit risk is risk due to uncertainty in a counterparty’s (also called an obligor or credit’s) ability to meet its obligations. Because there are many types of counterparties— from individuals to sovereign governments— and many different types of obligations— from auto loans to derivatives transactions—credit risk takes many forms. Institutions manage it in different ways. In assessing credit risk from a single counterparty, an institution must consider three issues:
(a) Default probability: What is the likelihood that the counterparty will default on its obligation either over the life of the obligation or over some specified horizon, such as a year? Calculated for a one-year horizon, this may be called the expected default frequency.
(b) Credit exposure: In the event of a default, how large will the outstanding obligation be when the default occurs?
(c) Recovery rate: In the event of default, what fraction of the exposure may be recovered through bankruptcy proceedings or some other form of settlement?
When we speak of the credit quality of an obligation, this refers generally to the counterparty’s ability to perform on that obligation. This encompasses both the obligation’s default probability and anticipated recovery rate. To place credit exposure and credit quality in perspective, recall that every risk comprises two elements: exposure and uncertainty. For credit risk, credit exposure represents the former, and credit quality represents the latter.
For loans to individuals or small businesses, credit quality is typically assessed through a process of credit scoring. Prior to extending credit, a bank or other lender will obtain information about the party requesting a loan. In the case of a bank issuing credits cards, this might include the party’s annual income, existing debts, whether they rent or own a home, etc. A standard formula is applied to the information to produce a number, which is called a credit score. Based upon the credit score, the lending institution will decide whether or not to extend credit. The process is formulaic and highly standardized.
Many forms of credit risk— especially those associated with larger institutional counterparties are complicated, unique or are of such a nature that it is worth assessing them in a less formulaic manner. The term credit analysis is used to describe any process for assessing the credit quality of counterparty. While the term can encompass credit scoring, it is more commonly used to refer to processes that entail human judgement. One or more people, called credit analysts, will review information about the counterparty. This might include its balance sheet, income statement, recent trends in its industry, the current economic environment, etc. They may also assess the exact nature of an obligation. For example, secured debt generally has higher credit quality than does subordinated debt of the same issuer. Based upon their analysis, they assign the counterparty (or the specific obligation) a credit rating, which can be used for making credit decisions.
Many banks, investment managers and insurance companies hire their own credit analysts who prepare credit ratings for internal use. Other firms— including Standard and Poor’s, Moody’s and Fitch— are in the business of developing credit ratings for use by investors or other third parties. Institutions that have publicly traded debt hire one or more of them to prepare credit ratings for their debt. Those credit ratings are then distributed for little or no charge to investors. Some regulators also develop credit ratings. In the United States, the National Association of Insurance Commissioners publishes credit ratings that are used for calculating capital charges for bond portfolios held by insurance companies.
The manner in which credit exposure is assessed is highly dependent on the nature of the obligation. If a bank has loaned money to a firm, the bank might calculate its credit exposure as the outstanding balance on the loan. Suppose instead that the bank has extended a line of credit to a firm, but none of the line has yet been drawn down. The immediate credit exposure is zero, but this doesn’t reflect the fact that the firm has the : 5 :
right to draw on the line of credit. Indeed, if the firm gets into financial distress, it can be expected to draw down on the credit line prior to any bankruptcy. A simple solution is for the bank to consider its credit exposure to be equal to the total line of credit. However, this may overstates the credit exposure. Another approach would be to calculate the credit exposure as being some fraction of the total line of credit, with the fraction determined based upon an analysis of prior experience with similar credits.
Derivative instruments represent contingent obligations, so they entail credit risk. While it is possible to measure the mark-to-market credit exposure of derivatives based upon their current market values, this metric provides an incomplete picture. For example, many derivatives, such as forwards or swaps, have a market value of zero when they are first entered into. Mark-to-market exposure— which is based only on current market values— does not capture the potential for market values to increase over time. For that purposes some probabilistic metric of potential credit exposure must be used.
There are many ways that credit risk can be managed or mitigated. The first line of defense is the use of credit scoring or credit analysis to avoid extending credit to parties that entail excessive credit risk. Credit risk limits are widely used. These generally specify the maximum exposure a firm is willing to take to counterparty. Industry limits or country limits may also be established to limit the sum credit exposure a firm is willing to take to counterparties in a particular industry or country. Calculation of exposure under such limits requires some form of credit risk modelling. Transactions may be structured to include collateralization or various credit enhancements. Credit risks can be hedged with credit derivatives. Finally, firms can hold capital against outstanding credit exposures.
2. Legal risk
Legal risk is risk from uncertainty due to legal actions or uncertainty in the applicability or interpretation of contracts, laws or regulations. Depending on an institution’s circumstances, legal risk may entail such issues as:
(a) Contract formation: What constitutes a legitimate contract? Is an oral agreement sufficient, or must there be a legal document?
(b) Capacity: Does a counterparty have the capacity to enter into a transaction? For example, in 1992, the United Kingdom’s House of Lords determined that the London Borough of Hammersmith and Fulham lacked capacity to transact in derivatives linked to interest rates. Not only were contracts dating back to the mid-1980s with the borough declared void, but contracts with over 130 other councils were effectively invalidated. A number of derivatives dealers suffered losses.
(c) Legality of derivatives transactions: In some jurisdictions there are issues relating to whether certain derivatives could be deemed gambling contracts and thus made unenforceable. This was a significant concern during the early days of OTC derivatives markets.
(d) Perfection of an interest in collateral: A claim is perfected if it is senior to any existing or future third-party claims in the event of bankruptcy. A perfected interest represents a lien on collateral. Requirements to perfect a claim can be complex and vary by both jurisdiction and the nature of the collateral.
(e) Netting agreements: Under what circumstances will a closeout netting agreement be enforceable?
(f) Contract frustration: Might unforeseen circumstances in validate a contract? For example, if a contract is linked to an index or currency that ceases to exist, will the contract become invalid?
Legal risk can be a particular problem for institutions who transact business across borders. Not only are they exposed to uncertainty relating to the laws of multiple jurisdictions, but they also face uncertainty as to which jurisdiction will have authority over any particular legal issue. : 7 :
3. Liquidity risk
Liquidity risk is a financial risk due to uncertain liquidity. An institution might lose liquidity if its credit rating falls, it experiences sudden, unexpected cash outflows, or some other event causes counterparties to avoid trading with or lending to the institution. A firm is also exposed to liquidity risk if markets on which it depends are subject to loss of liquidity.
Liquidity risk tends to compound other risks. If a trading organization has position in an illiquid asset, its limited ability to liquidate that position at short notice will compound its market risk. Suppose a firm has offsetting cash flows with two different counterparties on a given day. If the counterparty that owes it a payment defaults the firm will have to raise cash from other sources to make its payment. Should it be unable to do so, it too is default. Here, liquidity risk is compounding credit risk.
Obviously, a position can be hedged against market risk but still entail liquidity risk. This is true in the above credit risk example— the two payments are offsetting, so they entail credit risk but not market risk. Another example is the 1993 Metallgesellschaft Debacle. Futures were used to hedge an OTC obligation. It is debatable whether the hedge was effective from a market risk standpoint, but it was the liquidity crisis caused by staggering margin calls on the futures that forced Metallgescellschaft to unwind the positions.
Accordingly, liquidity risk has to be managed in addition to market, credit and other risks. Because of its tendency to compound other risks, it is difficult or impossible to isolate liquidity risk. In all but the most simple of circumstances, comprehensive metrics of liquidity risk don’t exist. Certain techniques of asset-liability management can be applied to assessing liquidity risk. A simple test for liquidity risk is to look at future net cash flows on a day-by-day basis. Any day that has a sizeable negative net cash flow is of concern. Such an analysis can be supplemented with stress testing. Look at net cash flows on a day-to-day basis assuming that an important counterparty defaults. Obviously, such analyses cannot take into account contingent cash flows, such as cash flows from derivatives or mortgage-backed securities. If an organization’s cash flows are largely contingent, liquidity risk may be assessed using some form of scenario analysis. Construct multiple scenarios for market movements and defaults over a given period of time. Assess day-to-day cash flows under each scenario. Because balance sheets differed so significantly from one organization to the next. There is little standardization in how such analyses are implemented. Regulators are primarily concerned about systemic implications of liquidity risk.
4. Market risk
Business activities entail a variety of risk. For convenience, we distinguish between different categories of risk: market risk, credit risk, liquidity risk, etc. Although such categorization is convenient, it is only informal. Usage and definitions vary. Boundaries between categories are blurred. A loss due to widening credit spreads may reasonably be called a market loss or a credit loss, so market risk and credit risk overlap. Liquidity risk compounds other risks, such as market risk and credit risk. It cannot be divorced from the risks it compounds.
An important but somewhat ambiguous distinguish is that between market risk and business risk. Market risk is exposure to the uncertain market value of a portfolio. A trader holds a portfolio of commodity forwards. She knows what its market value is today, but she is uncertain as to its market value a week form today. She faces market risk. Business risk is exposure to uncertainty in economic value that cannot be market risk. Business risk is exposure to uncertainty in economic value that cannot be market-to-market. The distinction between market risk and busuiness risk parallels the distinction between market-value accounting and book-value accounting. Suppose a New England electricity wholesaler is long a forward contract for on-peak electricity delivered over the next 3 months. There is an active forward market for such electricity, so the contract can be marked to market daily. Daily profits and losses on the contract reflect market risk. Suppose the firm also owns a power plant with an expected useful life of 30 years. Power plants change hands infrequently, and electricity forward curves don’t exist out to 30 years. The plant cannot be marked to market on a regular basis. In the absence of market values, market risk is not a meaningful notion. Uncertainty in the economic value of the power plant represents business risk.
The distinction between market risk and business risk is ambiguous because there is a vast ‘gray zone’ between the two. There are many instruments for which markets exist, but the markets are illiquid. Mark-to-market values are not usually available, but mark-to-model values provide a more-or-less accurate reflection of fair value. Do these instruments pose business risk or market risk? The decision is important because firms employ fundamentally different techniques for managing the two risks.
Business risk is managed with a long-term focus. Techniques include the careful development of business plans and appropriate management oversight. Book-value accounting is generally used, so the issue of day-to-day performance is not material. The focus is on achieving a good return on investment over an extended horizon.
Market risk is managed with a short-term focus. Long-term losses are avoided by avoiding losses from one day to the next. On a tactical level, traders and portfolio managers employ a variety of risk metrics— duration and convexity, the Greeks, beta etc.— to assess their exposures. These allow them to identify and reduce any exposures they might consider excessive. On a more strategic level, organizations manage market risk by applying risk limits to traders’ or portfolio managers’ activities. Increasingly, value-at-risk is being used to define and monitor these limits. Some organizations also apply stress testing to their portfolios.
5. Operational risk
During the 1990s, financial firms and other corporations focused increasing attention on the emerging field of financial risk management. This was motivated by concerns about the risks posed by the rapidly growing OTC derivatives markets; a spat of publicized financial losses, including those of Barings Bank, Orange Country and Metallgesellschaft; regulatory initiatives, especially the Basle Accord.
During the early part of the decade, much of the focus was on techniques for measuring and managing market risk. As the decade progressed, this shifted to techniques of measuring and managing portfolio credit risk. By the end of the decade, firms and regulators were increasingly focusing on risks “other than market and credit risk.” These came to be collectively called operational risks. This catch-all category of risks was understood to include, employee errors, systems failures, fire, floods or other losses to physical assets, fraud or other criminal activity. Firms had always managed these risks in various ways. The new goal was to do so in a more systematic manner. The approach would parallel— and be integrated with— those that were proving effective with market risk and credit risk.
The task appeared daunting. Financial institutions and regulators had to dedicate considerable resources to managing market risk and credit risk, and those were well-known, narrowly-defined risks. Operational risk was anything but well defined. People disagreed about the specific contingencies that should be considered operational risks— should legal risks, tax risks, management incompetence or reputational risks be included? The debate was more than academic. It would shape the scope of initiatives to manage operational risk.
Another problem was that operational contingencies don’t always fall into near categories. Losses can result from a complex confluence of events, which makes it difficult to predict or model contingencies. In 1996, the Credit Lyonnais trading floor was destroyed by fire. This might be categorized as a loss due to fire. It might also be categorized as a loss due to fraud— investigators suspect employees deliberately set the fire in order to destroy evidence of fraud.
There was considerable debate about the extent to which opertional risks should be assessed with qualitative or quantitative means. Market risks are generally assessed quantitatively with tools such as value-at-risk. Credit risk is assessed with a combination of quantitative and qualitative means. Quantitative models are employed for such things as projecting potential credit exposure, assessing portfolio credit risk or assigning credit scores. Still, the process of assessing corporate credit quality retains qualitative elements. For operational risk, certain contingencies are particularly amenable to quantitative techniques. For example, settlement errors in a trading operation’s back office happen with sufficient regularity that they can be modelled statistically. Other contingencies affect financial institutions infrequently and are of a non-uniform nature which makes modelling difficult. Examples include acts of terrorism, natural disasters and trader fraud.
Working to define the Basle II accord, regulators made considerable progress in designing a framework for managing operational risk. This was reported in a consultative document (2001). Researchers and financial institutions pursued initiatives. Techniques were borrowed from fields such as actuarial science and engineering reliability analysis. By 2002, a general framework for assessing and managing operational risk was emerging. Much work remains to be done, and operational risk management will never be standardized to the extent to which market risk and credit risk management are— if only because of the differences between financial institutions. However, general conclusions can be drawn.
The Basle Committee defines operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition has been widely adopted in the literature, either precisely or with slightly different wording. Each institution must interpret the definition in light of its own business lines, procedures and systems. Each institution must identify the specific operational contingencies it is exposed to.
Most operational risk are best managed within the departments in which they arise. Information technology professionals are best suited for addressing systems-related risks. Back office staff are best suited to address settlement risks, etc. However, overall planning, coordination, and monitoring should be provided by a centralized operational risk management department. This should closely coordinate with market risk and credit risk management departments within an overall enterprise risk management framework. Contingencies broadly fall into two categories: (a) those that occur frequently and entail modest losses; and (b) those that occur infrequently but may entail substantial losses. Both can and should be assessed using qualitative techniques such as management oversight, employee questionnaires, exit interviews, management self-assessment, and internal audit. Both can also be assessed using quantitative techniques. Contingencies of an infrequent but potentially catastrophic nature can, to some extent, be modelled using techniques developed for property and casualty insurance. However, contingencies that arise more frequently are more amendable to statistical analysis.
Statistical modelling requires data. For operational contingencies, two forms of data are useful: data on historical loss events, and data on risk indicators. Loss events run the gamut— settlement errors, systems failures, petty fraud, customer lawsuits, etc. Losses may be direct (as in the case of theft) or indirect (as in the case of damage to the institution’s reputation). There are three ways data on loss events can be categorized: cause, event and consequence. For example, an event might be a mis-entered trade. The cause might be inadequate training, a systems problem or employee fatigue. Consequences might include a market loss, fees paid to a counterparty, a lawsuit or damage to the firm’s reputation. Any event may have multiple causes or consequences. Tracking all three dimensions of loss events facilitates the construction of event matrices, identifying the frequency with which certain causes are associated with specific events and consequences. Even with no further analysis, such matrices can identify for management areas for improvement in procedures, training, staffing, etc.
Risk indicators differ from loss events. They are not associated with specific losses, but indicate the general level of operational risk. Examples of risk indicators a firm might tract are: amount of overtime being performed by back-office staff, staffing levels, daily transaction volumes, employee turnover rates, and systems downtime. From a modelling standpoint, the goal is to find relationships between specific risk indicators and corresponding rates of loss events. If such relationships can be identified, then risk indicators can be used to identify periods of elevated operational risk.
Once operational risks have been— qualitatively or quantitatively— assessed, the next steps to somehow manage them. Solutions may attempt to avoid certain risks, accept others, but attempt to mitigate their consequences, or simply accept some risks. Specific techniques might include: employee training, close managements oversight, segregation of duties, purchase of insurance, employee background checks, exiting certain businesses, etc. Choice of techniques will depend upon a cost-benefit analysis.
Inevitably, some risks are unavoidable or, from a cost-benefit standpoint, are worth taking. These should be capitalized, so another step in operational risk management is the calculation of reasonable capital charges. Many financial institutions are incorporating operational risk capital charges into their capital allocation systems.
6. Model risk
Because institutions rely heavily on models for pricing financial transactions or monitoring risks, they are exposed to model risk. This is the risk that models are applied to tasks for which they are inappropriate or are otherwise implemented incorrectly. Examples of model risk include: A bank uses a value at risk (VAR) to monitor market risk. When the VAR measure was implemented, the bank’s traders took little spread risk. It was coded with a fixed spread assumption. Since that time, the traders have started taking significant spread risk but do not realize that the model is failing to capture it. Option pricing models incorporate a risk-neutral assumption. Such models may produce erroneous results if used to measure risk or other quantities that depend upon investor risk preferences. A brokerage firm is expanding its derivatives operation into South America. They fail to modify their pricing models to reflect the lack of liquidity in certain markets. Consequently, they underestimate the cost of hedging their positions. Model risks generally categorized as a form of operational risk.
CONCEPT OF RISK
A synonym for uncertainty is ignorance. We face risk because we are ignorant about the future. After all, if we were omniscient, there would be no risk. Because ignorance is a personal experience, risk is necessarily subjective. Consider another example: A person is heading to the airport to catch a flight. The weather is threatening and it is possible the flight has been cancelled. The individual is uncertain as to the status of the flight and faces exposure to that uncertainty. His travel plans will be disrupted if the flight is cancelled. Accordingly, he faces risk. Suppose another person is also heading to the airport to catch the same flight. This person has called ahead and confirmed that the flight is not cancelled. Accordingly, he has less uncertainty and faces lower risk. In this example, there are two individuals exposed to the same event. Because they have different levels of uncertainty, they face different levels of risk. Risk is subjective. Institutions can reduce some risks simply by researching them. A bank can reduce its credit risk by getting to know its borrowers. A brokerage firm can reduce market risk by being knowledgeable about the markets it operates in. Risk is a personal experience, not only because it is subjective, but because it is individuals who suffer the consequences of risk. Although we may speak of companies taking risk, in actuality, companies are merely conduits for risk. Ultimately, all risks which flow through an organization accrue to individuals stock holders, creditors, employees, customers, board members, etc.
TYPES OF RISK
Following are the types of risk
1. Credit risk
Credit risk is risk due to uncertainty in a counterparty’s (also called an obligor or credit’s) ability to meet its obligations. Because there are many types of counterparties— from individuals to sovereign governments— and many different types of obligations— from auto loans to derivatives transactions—credit risk takes many forms. Institutions manage it in different ways. In assessing credit risk from a single counterparty, an institution must consider three issues:
(a) Default probability: What is the likelihood that the counterparty will default on its obligation either over the life of the obligation or over some specified horizon, such as a year? Calculated for a one-year horizon, this may be called the expected default frequency.
(b) Credit exposure: In the event of a default, how large will the outstanding obligation be when the default occurs?
(c) Recovery rate: In the event of default, what fraction of the exposure may be recovered through bankruptcy proceedings or some other form of settlement?
When we speak of the credit quality of an obligation, this refers generally to the counterparty’s ability to perform on that obligation. This encompasses both the obligation’s default probability and anticipated recovery rate. To place credit exposure and credit quality in perspective, recall that every risk comprises two elements: exposure and uncertainty. For credit risk, credit exposure represents the former, and credit quality represents the latter.
For loans to individuals or small businesses, credit quality is typically assessed through a process of credit scoring. Prior to extending credit, a bank or other lender will obtain information about the party requesting a loan. In the case of a bank issuing credits cards, this might include the party’s annual income, existing debts, whether they rent or own a home, etc. A standard formula is applied to the information to produce a number, which is called a credit score. Based upon the credit score, the lending institution will decide whether or not to extend credit. The process is formulaic and highly standardized.
Many forms of credit risk— especially those associated with larger institutional counterparties are complicated, unique or are of such a nature that it is worth assessing them in a less formulaic manner. The term credit analysis is used to describe any process for assessing the credit quality of counterparty. While the term can encompass credit scoring, it is more commonly used to refer to processes that entail human judgement. One or more people, called credit analysts, will review information about the counterparty. This might include its balance sheet, income statement, recent trends in its industry, the current economic environment, etc. They may also assess the exact nature of an obligation. For example, secured debt generally has higher credit quality than does subordinated debt of the same issuer. Based upon their analysis, they assign the counterparty (or the specific obligation) a credit rating, which can be used for making credit decisions.
Many banks, investment managers and insurance companies hire their own credit analysts who prepare credit ratings for internal use. Other firms— including Standard and Poor’s, Moody’s and Fitch— are in the business of developing credit ratings for use by investors or other third parties. Institutions that have publicly traded debt hire one or more of them to prepare credit ratings for their debt. Those credit ratings are then distributed for little or no charge to investors. Some regulators also develop credit ratings. In the United States, the National Association of Insurance Commissioners publishes credit ratings that are used for calculating capital charges for bond portfolios held by insurance companies.
The manner in which credit exposure is assessed is highly dependent on the nature of the obligation. If a bank has loaned money to a firm, the bank might calculate its credit exposure as the outstanding balance on the loan. Suppose instead that the bank has extended a line of credit to a firm, but none of the line has yet been drawn down. The immediate credit exposure is zero, but this doesn’t reflect the fact that the firm has the : 5 :
right to draw on the line of credit. Indeed, if the firm gets into financial distress, it can be expected to draw down on the credit line prior to any bankruptcy. A simple solution is for the bank to consider its credit exposure to be equal to the total line of credit. However, this may overstates the credit exposure. Another approach would be to calculate the credit exposure as being some fraction of the total line of credit, with the fraction determined based upon an analysis of prior experience with similar credits.
Derivative instruments represent contingent obligations, so they entail credit risk. While it is possible to measure the mark-to-market credit exposure of derivatives based upon their current market values, this metric provides an incomplete picture. For example, many derivatives, such as forwards or swaps, have a market value of zero when they are first entered into. Mark-to-market exposure— which is based only on current market values— does not capture the potential for market values to increase over time. For that purposes some probabilistic metric of potential credit exposure must be used.
There are many ways that credit risk can be managed or mitigated. The first line of defense is the use of credit scoring or credit analysis to avoid extending credit to parties that entail excessive credit risk. Credit risk limits are widely used. These generally specify the maximum exposure a firm is willing to take to counterparty. Industry limits or country limits may also be established to limit the sum credit exposure a firm is willing to take to counterparties in a particular industry or country. Calculation of exposure under such limits requires some form of credit risk modelling. Transactions may be structured to include collateralization or various credit enhancements. Credit risks can be hedged with credit derivatives. Finally, firms can hold capital against outstanding credit exposures.
2. Legal risk
Legal risk is risk from uncertainty due to legal actions or uncertainty in the applicability or interpretation of contracts, laws or regulations. Depending on an institution’s circumstances, legal risk may entail such issues as:
(a) Contract formation: What constitutes a legitimate contract? Is an oral agreement sufficient, or must there be a legal document?
(b) Capacity: Does a counterparty have the capacity to enter into a transaction? For example, in 1992, the United Kingdom’s House of Lords determined that the London Borough of Hammersmith and Fulham lacked capacity to transact in derivatives linked to interest rates. Not only were contracts dating back to the mid-1980s with the borough declared void, but contracts with over 130 other councils were effectively invalidated. A number of derivatives dealers suffered losses.
(c) Legality of derivatives transactions: In some jurisdictions there are issues relating to whether certain derivatives could be deemed gambling contracts and thus made unenforceable. This was a significant concern during the early days of OTC derivatives markets.
(d) Perfection of an interest in collateral: A claim is perfected if it is senior to any existing or future third-party claims in the event of bankruptcy. A perfected interest represents a lien on collateral. Requirements to perfect a claim can be complex and vary by both jurisdiction and the nature of the collateral.
(e) Netting agreements: Under what circumstances will a closeout netting agreement be enforceable?
(f) Contract frustration: Might unforeseen circumstances in validate a contract? For example, if a contract is linked to an index or currency that ceases to exist, will the contract become invalid?
Legal risk can be a particular problem for institutions who transact business across borders. Not only are they exposed to uncertainty relating to the laws of multiple jurisdictions, but they also face uncertainty as to which jurisdiction will have authority over any particular legal issue. : 7 :
3. Liquidity risk
Liquidity risk is a financial risk due to uncertain liquidity. An institution might lose liquidity if its credit rating falls, it experiences sudden, unexpected cash outflows, or some other event causes counterparties to avoid trading with or lending to the institution. A firm is also exposed to liquidity risk if markets on which it depends are subject to loss of liquidity.
Liquidity risk tends to compound other risks. If a trading organization has position in an illiquid asset, its limited ability to liquidate that position at short notice will compound its market risk. Suppose a firm has offsetting cash flows with two different counterparties on a given day. If the counterparty that owes it a payment defaults the firm will have to raise cash from other sources to make its payment. Should it be unable to do so, it too is default. Here, liquidity risk is compounding credit risk.
Obviously, a position can be hedged against market risk but still entail liquidity risk. This is true in the above credit risk example— the two payments are offsetting, so they entail credit risk but not market risk. Another example is the 1993 Metallgesellschaft Debacle. Futures were used to hedge an OTC obligation. It is debatable whether the hedge was effective from a market risk standpoint, but it was the liquidity crisis caused by staggering margin calls on the futures that forced Metallgescellschaft to unwind the positions.
Accordingly, liquidity risk has to be managed in addition to market, credit and other risks. Because of its tendency to compound other risks, it is difficult or impossible to isolate liquidity risk. In all but the most simple of circumstances, comprehensive metrics of liquidity risk don’t exist. Certain techniques of asset-liability management can be applied to assessing liquidity risk. A simple test for liquidity risk is to look at future net cash flows on a day-by-day basis. Any day that has a sizeable negative net cash flow is of concern. Such an analysis can be supplemented with stress testing. Look at net cash flows on a day-to-day basis assuming that an important counterparty defaults. Obviously, such analyses cannot take into account contingent cash flows, such as cash flows from derivatives or mortgage-backed securities. If an organization’s cash flows are largely contingent, liquidity risk may be assessed using some form of scenario analysis. Construct multiple scenarios for market movements and defaults over a given period of time. Assess day-to-day cash flows under each scenario. Because balance sheets differed so significantly from one organization to the next. There is little standardization in how such analyses are implemented. Regulators are primarily concerned about systemic implications of liquidity risk.
4. Market risk
Business activities entail a variety of risk. For convenience, we distinguish between different categories of risk: market risk, credit risk, liquidity risk, etc. Although such categorization is convenient, it is only informal. Usage and definitions vary. Boundaries between categories are blurred. A loss due to widening credit spreads may reasonably be called a market loss or a credit loss, so market risk and credit risk overlap. Liquidity risk compounds other risks, such as market risk and credit risk. It cannot be divorced from the risks it compounds.
An important but somewhat ambiguous distinguish is that between market risk and business risk. Market risk is exposure to the uncertain market value of a portfolio. A trader holds a portfolio of commodity forwards. She knows what its market value is today, but she is uncertain as to its market value a week form today. She faces market risk. Business risk is exposure to uncertainty in economic value that cannot be market risk. Business risk is exposure to uncertainty in economic value that cannot be market-to-market. The distinction between market risk and busuiness risk parallels the distinction between market-value accounting and book-value accounting. Suppose a New England electricity wholesaler is long a forward contract for on-peak electricity delivered over the next 3 months. There is an active forward market for such electricity, so the contract can be marked to market daily. Daily profits and losses on the contract reflect market risk. Suppose the firm also owns a power plant with an expected useful life of 30 years. Power plants change hands infrequently, and electricity forward curves don’t exist out to 30 years. The plant cannot be marked to market on a regular basis. In the absence of market values, market risk is not a meaningful notion. Uncertainty in the economic value of the power plant represents business risk.
The distinction between market risk and business risk is ambiguous because there is a vast ‘gray zone’ between the two. There are many instruments for which markets exist, but the markets are illiquid. Mark-to-market values are not usually available, but mark-to-model values provide a more-or-less accurate reflection of fair value. Do these instruments pose business risk or market risk? The decision is important because firms employ fundamentally different techniques for managing the two risks.
Business risk is managed with a long-term focus. Techniques include the careful development of business plans and appropriate management oversight. Book-value accounting is generally used, so the issue of day-to-day performance is not material. The focus is on achieving a good return on investment over an extended horizon.
Market risk is managed with a short-term focus. Long-term losses are avoided by avoiding losses from one day to the next. On a tactical level, traders and portfolio managers employ a variety of risk metrics— duration and convexity, the Greeks, beta etc.— to assess their exposures. These allow them to identify and reduce any exposures they might consider excessive. On a more strategic level, organizations manage market risk by applying risk limits to traders’ or portfolio managers’ activities. Increasingly, value-at-risk is being used to define and monitor these limits. Some organizations also apply stress testing to their portfolios.
5. Operational risk
During the 1990s, financial firms and other corporations focused increasing attention on the emerging field of financial risk management. This was motivated by concerns about the risks posed by the rapidly growing OTC derivatives markets; a spat of publicized financial losses, including those of Barings Bank, Orange Country and Metallgesellschaft; regulatory initiatives, especially the Basle Accord.
During the early part of the decade, much of the focus was on techniques for measuring and managing market risk. As the decade progressed, this shifted to techniques of measuring and managing portfolio credit risk. By the end of the decade, firms and regulators were increasingly focusing on risks “other than market and credit risk.” These came to be collectively called operational risks. This catch-all category of risks was understood to include, employee errors, systems failures, fire, floods or other losses to physical assets, fraud or other criminal activity. Firms had always managed these risks in various ways. The new goal was to do so in a more systematic manner. The approach would parallel— and be integrated with— those that were proving effective with market risk and credit risk.
The task appeared daunting. Financial institutions and regulators had to dedicate considerable resources to managing market risk and credit risk, and those were well-known, narrowly-defined risks. Operational risk was anything but well defined. People disagreed about the specific contingencies that should be considered operational risks— should legal risks, tax risks, management incompetence or reputational risks be included? The debate was more than academic. It would shape the scope of initiatives to manage operational risk.
Another problem was that operational contingencies don’t always fall into near categories. Losses can result from a complex confluence of events, which makes it difficult to predict or model contingencies. In 1996, the Credit Lyonnais trading floor was destroyed by fire. This might be categorized as a loss due to fire. It might also be categorized as a loss due to fraud— investigators suspect employees deliberately set the fire in order to destroy evidence of fraud.
There was considerable debate about the extent to which opertional risks should be assessed with qualitative or quantitative means. Market risks are generally assessed quantitatively with tools such as value-at-risk. Credit risk is assessed with a combination of quantitative and qualitative means. Quantitative models are employed for such things as projecting potential credit exposure, assessing portfolio credit risk or assigning credit scores. Still, the process of assessing corporate credit quality retains qualitative elements. For operational risk, certain contingencies are particularly amenable to quantitative techniques. For example, settlement errors in a trading operation’s back office happen with sufficient regularity that they can be modelled statistically. Other contingencies affect financial institutions infrequently and are of a non-uniform nature which makes modelling difficult. Examples include acts of terrorism, natural disasters and trader fraud.
Working to define the Basle II accord, regulators made considerable progress in designing a framework for managing operational risk. This was reported in a consultative document (2001). Researchers and financial institutions pursued initiatives. Techniques were borrowed from fields such as actuarial science and engineering reliability analysis. By 2002, a general framework for assessing and managing operational risk was emerging. Much work remains to be done, and operational risk management will never be standardized to the extent to which market risk and credit risk management are— if only because of the differences between financial institutions. However, general conclusions can be drawn.
The Basle Committee defines operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition has been widely adopted in the literature, either precisely or with slightly different wording. Each institution must interpret the definition in light of its own business lines, procedures and systems. Each institution must identify the specific operational contingencies it is exposed to.
Most operational risk are best managed within the departments in which they arise. Information technology professionals are best suited for addressing systems-related risks. Back office staff are best suited to address settlement risks, etc. However, overall planning, coordination, and monitoring should be provided by a centralized operational risk management department. This should closely coordinate with market risk and credit risk management departments within an overall enterprise risk management framework. Contingencies broadly fall into two categories: (a) those that occur frequently and entail modest losses; and (b) those that occur infrequently but may entail substantial losses. Both can and should be assessed using qualitative techniques such as management oversight, employee questionnaires, exit interviews, management self-assessment, and internal audit. Both can also be assessed using quantitative techniques. Contingencies of an infrequent but potentially catastrophic nature can, to some extent, be modelled using techniques developed for property and casualty insurance. However, contingencies that arise more frequently are more amendable to statistical analysis.
Statistical modelling requires data. For operational contingencies, two forms of data are useful: data on historical loss events, and data on risk indicators. Loss events run the gamut— settlement errors, systems failures, petty fraud, customer lawsuits, etc. Losses may be direct (as in the case of theft) or indirect (as in the case of damage to the institution’s reputation). There are three ways data on loss events can be categorized: cause, event and consequence. For example, an event might be a mis-entered trade. The cause might be inadequate training, a systems problem or employee fatigue. Consequences might include a market loss, fees paid to a counterparty, a lawsuit or damage to the firm’s reputation. Any event may have multiple causes or consequences. Tracking all three dimensions of loss events facilitates the construction of event matrices, identifying the frequency with which certain causes are associated with specific events and consequences. Even with no further analysis, such matrices can identify for management areas for improvement in procedures, training, staffing, etc.
Risk indicators differ from loss events. They are not associated with specific losses, but indicate the general level of operational risk. Examples of risk indicators a firm might tract are: amount of overtime being performed by back-office staff, staffing levels, daily transaction volumes, employee turnover rates, and systems downtime. From a modelling standpoint, the goal is to find relationships between specific risk indicators and corresponding rates of loss events. If such relationships can be identified, then risk indicators can be used to identify periods of elevated operational risk.
Once operational risks have been— qualitatively or quantitatively— assessed, the next steps to somehow manage them. Solutions may attempt to avoid certain risks, accept others, but attempt to mitigate their consequences, or simply accept some risks. Specific techniques might include: employee training, close managements oversight, segregation of duties, purchase of insurance, employee background checks, exiting certain businesses, etc. Choice of techniques will depend upon a cost-benefit analysis.
Inevitably, some risks are unavoidable or, from a cost-benefit standpoint, are worth taking. These should be capitalized, so another step in operational risk management is the calculation of reasonable capital charges. Many financial institutions are incorporating operational risk capital charges into their capital allocation systems.
6. Model risk
Because institutions rely heavily on models for pricing financial transactions or monitoring risks, they are exposed to model risk. This is the risk that models are applied to tasks for which they are inappropriate or are otherwise implemented incorrectly. Examples of model risk include: A bank uses a value at risk (VAR) to monitor market risk. When the VAR measure was implemented, the bank’s traders took little spread risk. It was coded with a fixed spread assumption. Since that time, the traders have started taking significant spread risk but do not realize that the model is failing to capture it. Option pricing models incorporate a risk-neutral assumption. Such models may produce erroneous results if used to measure risk or other quantities that depend upon investor risk preferences. A brokerage firm is expanding its derivatives operation into South America. They fail to modify their pricing models to reflect the lack of liquidity in certain markets. Consequently, they underestimate the cost of hedging their positions. Model risks generally categorized as a form of operational risk.
No comments:
Post a Comment