Risk-Management Philosophy and Compliant Operation Awareness

To date, domestic securities companies have significantly improved their governance, established preliminary risk management control systems, and improved their risk management frameworks. However, the current compliance management systems of securities companies were formed passively in a rigorous external regulatory environment. Securities companies fall short in terms of identifying risks in their practice, voluntarily raising risk awareness, and establishing a risk-monitoring philosophy. Most securities companies still fail to improve their ability to innovate, while facing market risks in a proper way. Some compelling questions still remain: How do securities companies sense the necessity of a scientific corporate governance structure for the long-term stable development of the company? How do they find the necessity of risk monitoring in the survival and development of the company? How do they find the motivation to constantly improve internal risk monitoring?

Construction of Risk-Management Organizational Systems

Currently, risk-management organizational systems of domestic securities companies are largely identical. They basically adopt a centralized, top-down management model consisting of various levels of risk-management units that are independent of the business system. These risk-management units usually include the board of directors (risk-management committee), board of supervisors, compliance director (risk-management director), internal review divisions, compliance management divisions, and risk-management divisions. Usually, the board of directors is ultimately responsible for risk management. Under the board of directors, a risk-control committee may be set up to take charge of specific risk-control issues in relation to the board of directors. An audit committee may be set up to take responsibility for the review and supervision of internal and external auditing. In practice, the control and prevention of various risks in operation are managed by the risk-management committee in some companies, and by the operation staff in others. The board of trustees supervises the exercise of duty by the financial division, directors of the company, managers, and other senior executives to ensure its legality and compliance with regulations. This safeguards the rights and interests of the company and its shareholders.

Since the adoption of the compliance management system, the CSRC requires each securities company to appoint a compliance director. The compliance director takes responsibility for compliance issues of the company. The director examines and monitors the legality and compliance of operational and managerial behaviors in the company according to the Provisions for Trial Implementation of the Compliance Management of Securities Companies, and has the right to report directly to the regulators. In some securities companies, the compliance director is also the risk-management director. In other companies, the position of risk-management director is taken by a separate person. An independent risk-management director is more focused on the aspect of business risk control and usually reports directly to the general manager. The board of directors, the board of supervisors, the operational staff, the compliance director, and the risk-management director together form the highest management tier of the risk-management system of a securities company.

The internal audit division is the earliest supervisory division to be set up by securities companies as a division independent of the business system. The division is usually directly under the leadership of the audit committee of the board of directors. The internal audit division is independent of various business divisions and branches of the company. Independently, it performs its duties of auditing, inspection, assessment, reporting, and advising in relation to the implementation of internal control systems. The risk-management division is set up by securities companies for the independent client margin deposit period as required by the regulators. It is responsible for monitoring financial indexes and the running of business through technical means and management systems.

Because the regulators have raised dynamic management system requirements, the current risk-management divisions of most securities companies mainly focus on the construction of dynamic risk-management systems and the real-time management of risk control indexes and warning systems. The compliance division helps the compliance director fulfill the duty of compliance management. Usually, it is responsible for establishing compliance systems and processes and also for conducting compliance reviews on systems, contracts, and new business, in addition to compliance supervision and inspections. The divisions that actually fulfill the duty of risk management are the internal audit division, the risk-management division, and the compliance-management division. Together they form the intermediate management tier of the risk-management system of a securities company. In order to extend risk management to the foreground business end effectively, some securities companies have set up risk-management positions within their business divisions. The heads of various business divisions and the divisional risk-management positions together form the front end of the risk-management system of a securities company.

The current risk-management architecture of securities companies is essentially complete in form; however, higher-level managing units in particular, such as the board of directors, the risk-management committee, and the audit committee, usually find it hard to play their roles. The reason has to do with the basic principle of the risk-management system's independence from the business system. From the perspective of institutional design, the operational staff is not fit to serve in the highest tier of the risk-management system. However, due to governance deficiency in securities companies, the operational layer and the decision-making layer are often controlled by the same person. Therefore, the risk-management system is actually inseparable from the business system. Although the risk-management divisions of most securities companies are able to fulfill their duties properly, these divisions can only address some specific and trivial issues. They can do little to influence risk-management strategies, principles, and other across-the-board deployments.

Whether a securities company is equipped with effective risk management is not determined by whether the organizational system is reasonable, or even the construction of the divisions performing specific risk-management duties. It is determined by whether the top-level units that manage risk-management policies, such as the risk-management committee, are able to effectively fulfill their duties.

Risk-Management System and Process

Client Fund Safeguard Systems Have Been Established

Currently, most client transaction settlement funds are transferred upward from the operation outlet to the headquarters. Risk management through such means as stress tests and sensitivity tests can provide a preliminary protection for the safety of client funds. Through the realization of third-party deposits, securities companies have completely blocked the channels for client fund appropriation, sufficiently safeguarding client funds.

Relatively Standardized Brokerage Business and Operation Outlet Management

Securities companies now have multilayer control over their operation outlets. In terms of organizational systems, the headquarters of the company directly appoints and vertically instructs the manager, financial director, and computer director. It establishes mechanisms for assessment, post shifting, furloughs, and resignation. The conduct of business reflects the separation of foreground and background services, approval and execution, execution and supervision. A double-responsible-persons-at-the-counter mechanism is adopted for key business in which one person conducts the business while the other reviews the process. In terms of the system of accounts, a collective account management system is designed and the third-party deposit mechanism is adopted for client funds. The account opening procedure is relatively well-established. Account standardization is essentially accomplished. A centralized transaction system is implemented, and measures for administration of transaction system authorization have been formulated. Through the centralized transaction system platform, centralized management and hierarchical authorization are applied for transaction authority. A system review mechanism is applied to key operations, and centralized storage and remote backup are implemented for transaction data.

Compliance Management System

The compliance management system was preliminarily established in securities companies in late 2008. It mainly includes setting up the position of compliance director, setting up independent compliance divisions, independent fulfillment of compliance management duties, and establishing basic compliance management systems, compliance assessment systems, and breach reporting systems.

Risk-Monitoring System

In the aspect of risk monitoring, most securities companies currently conduct basic work such as monitoring risk control index thresholds through a monitoring system based on the Administrative Measures on Risk Control Indicators of Securities Companies. Domestic securities companies seldom engage in risky business and rarely use financial leverage. They therefore usually have a high capital adequacy ratio. Few of them have established a risk-budget restriction mechanism. However, with the constant capacity expansion of the securities market and the gradual loosening up of qualifications for securities company business, the capital adequacy ratios of many securities companies will soon face challenges. In addition, the dramatic fluctuation of the stock market has brought great risk exposures to proprietary business. Therefore, it will be a foresighted measure for securities companies to establish a risk-restricting mechanism to control business scale. A lack of control over the total volume makes it impossible to get in-depth analysis of business risks. Treating risk monitoring as an appendage to the development of the company greatly undermines risk management, because so little importance is attached to it.

Insufficient Coverage of Risk Management

Complete risk monitoring requires coverage of all business, divisions, branches, and the entire staff. It should be able to reach every step of a process, from decision making, execution, and monitoring to feedback. The achievement of that task depends on the authority the operational layer grants to the risk-monitoring division. Given that the role of internal risk monitoring is hardly recognized by the operation layer in a securities company, it is very difficult to change the reality that there are blind spots in risk monitoring.

Business Innovation Risk Management

Innovation will be an important field for Chinese securities companies in the future. In the process of exploring financial innovation, a lack of in-depth research on innovative products or deficiencies in the design of new products may lead to disputes with clients, bringing about economic loss, legal problems, or reputation risks to the company. Factors that may result in great losses of funds include incomplete understanding of the risks associated with innovative business, underestimation of risks, incomplete risk control mechanisms, and insufficient innovative business risk control measures, as well as poor execution of risk-control measures or innovative business. However, business qualification constraints currently limit most securities companies from carrying out innovative business. Those with the willingness to engage in innovative business tend to focus on the market development of innovative business and fail to come up with strategic risk-control planning and deployment.

Utilization of Risk-Monitoring Techniques

Market risk-control techniques commonly used internationally fall into the following three categories:

1. Index control systems, including economic indexes and regulatory indexes, sensitivity analysis, and fluctuation analysis

2. Risk measurement, including extreme value theory, value at risk (VaR), and stress test

3. Risk-based performance evaluation, including economic value added (EVA) and risk-adjusted return on capital (RAROC)

Securities companies currently use index control systems and risk-measurement methods most frequently. Risk-based performance evaluation is less used. This reflects the fact that Chinese securities companies still have a long way to go before achieving refined management. The most widely used risk-control technique right now is the regulatory index method, that is, the risk-control indexes, such as net capital, required by the CSRC. Because of their compulsory nature, risk-monitoring efforts of Chinese securities companies are almost exclusively focused on regulatory indexes. Such efforts include establishing centralized monitoring systems and realizing dynamic monitoring. The system solutions currently provided by software companies for securities companies are also tailored, with few exceptions, for regulatory indexes. The monitoring systems of current securities companies are essentially able to meet regulatory requirements by collecting real and complete operational data in a timely manner. Sensitivity analysis and stress tests were used in client fund safety monitoring in the independent deposit period. These two types of techniques have been rarely used since the implementation of third-party deposits. The Guideline for Risk Control Index Dynamic Monitoring System of Securities Companies (Trial) states that the risk-monitoring division of a securities company should conduct sensitivity analyses and stress tests on net capital and risk control indexes. Companies should also carry out predictive analyses based on business plans and come up with business scale adjustment proposals.

Value at risk (VaR) has been the most popular worldwide risk-measurement method over the past few decades. In practice, however, the Chinese securities market does not quite fit the basic premise of VaR due to high regulatory intensity and low efficiency. In addition, a lack of securities product varieties makes for a very small number of securities products created based on modern asset portfolio theories. As a result, VaR and similar risk-measurement techniques still do not have much of a role to play in China.

Risk-based performance evaluation is the risk-monitoring technique that securities companies urgently need to introduce. This technique can be a breakthrough point for risk monitoring to gain greater attention from the operation layer of securities companies. The operation layer is often resistant to risk monitoring. This is because it often appears to hinder the business in day-to-day operation, and the benefit from risk monitoring is difficult to put in numerical terms. Through RAROC and similar risk-based performance evaluation techniques, however, the risk/profit ratios of different business lines can now be quantified. This makes a clear and convincing argument for risk monitoring in front of the operation layer and the management layer. However, due to the high technical requirements associated with risk-based performance evaluation, there is still a gap in terms of the acquisition of empirical data and its specific application.

