RISK MANAGEMENT PROCESSES
Perhaps a good way to introduce the risk management processes is to rely on representative statements from the annual reports of various banks.
The "Three Lines of Defense" Principle
Control processes use various methods to align risk-taking and risk management throughout the organization. These controls, processes and methods are commonly organized around the so-called "three lines of defense":
• lines of business
• enterprise functions including risk management, compliance, finance, human resources and legal
• corporate audit.
The business lines, or front office, make up the first line of defense and are responsible for identifying, quantifying, mitigating and managing all risks within their lines of business, while certain enterprise-wide risks are managed centrally.
In large banks, risk managers are embedded within the business lines and report to the central risk department for market risk and credit risk. They might report both to the business lines and to the central risk department. The existence of the risk department alone would not be enough to enforce risk practices, because it would relieve the business lines of their risk responsibilities. To avoid such a lack of accountability, all risk departments have representatives in the front offices of banks.
The business line management is closer to the changing nature of risks. It is best able to take actions to manage and mitigate those risks. Lines of business prepare periodic self-assessment reports to identify the status of risk issues, including mitigation plans, if appropriate. These reports roll up to executive management and to the risk department, to ensure appropriate risk management and oversight. For large transactions, approval by credit officers and a credit committee is a standard process. Embedded risk managers might be necessary, but they might be too close to business development to ensure efficient risk control, even if they report to the central risk unit.
Trading-related activities have strong controls at the front office levels because decisions are "real-time." Trading requires daily committees and various levels of control, at the broad level of the trading pole, as well as the levels of "books" of the main broad types of instruments (equity, fixed income or credit), and at the "desk" level where trading is conducted.
Management processes, structures and policies should comply with regulations and provide clear lines for decision-making and accountability. Wherever practical, decision-making authority is often as close to the transactions as possible, while retaining supervisory control functions from both inside and outside the lines of business.
The key elements of the second line of defense are the central units. Risk management is in charge of risk oversight and is accountable for risk-taking guidelines and decisions. Other central functions include compliance, finance, information technology and operations, human resources, and legal functions. These groups are independent of the lines of business and are enterprise-wide. For organizational purposes, a senior risk executive might be assigned to each of the lines of business and be responsible for the oversight of all risks associated with that line of business. Enterprise-level risk executives are responsible for developing and implementing policies and practices to assess and manage enterprise-wide credit, market and operational risks.
The finance department is in charge of managing interest rate risk, liquidity risk and mismatch risk. The unit that manages such positions is the asset-liability management (ALM) unit. It has extended responsibilities for ensuring that risks remain within limits bank-wide. ALM is described below and is fully expanded in Section 7 of this text with all required techniques for managing these risks. Because ALM is usually allowed to keep risk positions open, rather than fully hedge those risks, the risk department extends its oversight to the finance department.
Corporate audit is the third line of defense, and provides an independent assessment of management and internal control systems. Corporate audit activities are designed to provide reasonable assurance that resources are adequately protected; that significant financial, managerial and operating information is materially complete, accurate and reliable; and that employees' actions are in compliance with corporate policies, standards, procedures, and applicable laws and regulations.
Various methods are implemented to manage risks at business level and corporate-wide. Examples of these methods include planning and forecasting, risk committees and forums, limits, models, and hedging strategies, with various roles such as:
• Risk committees are composed of lines of business, risk management, treasury, compliance, legal and finance personnel, among others, who monitor performance, limits, potential issues, and introduction of new products.
• For trading new products, a "product" committee should ensure that the new product is manageable within the risk systems and that risk reporting is feasible, and should accordingly examine all specifics of the new product, from the pricing tools up to the pricing risk when model valuation is used.
• Limits, the amount of exposure that may be taken with a product, a client, as well as with a region or industry, seek to align corporate-wide risk goals with those of each line of business and are a key part of the overall risk management process. Limits apply to various risk measures, from market volatility to credit exposure and operational losses.
• Models are used to estimate market value and net interest income sensitivity, and to assess expected and unexpected losses for each product and line of business, where appropriate, down to the level of large transactions. The risk department and the ALM unit are usually in charge of models that aggregate risks bank-wide.
• Planning and forecasting facilitate analysis of actual versus planned results and provide an indication of forecasted risk levels.
• Hedging strategies and the enforcement of limits are used to manage borrower or counterparty risk and to manage market risk in the portfolio. Hedging and limits are both local, at the business level, and global once risks are aggregated and after diversification effects have been assessed.