The 3 Ms of Risk Management
Recent market event have pointed to increasing volatility. As has happened all too many times in the past, risk management disasters continue to plague the industry and show up on the front page of the newspapers. Given the potential for these disasters to occur, lets discuss some required risk management capabilities.
Consider the following scenarios:
A major market move occurs. The Chief Risk Officer (“CRO”) of a broker/dealer wants to know right now what effect this has on the firm. Are they better or worse off? What actions should be taken? To determine the best course of action the CRO needs to know real-time what the positions are and the potential P&L effect. The CRO must also be able to perform a risk analysis immediately. As we have seen, inability to do this will consume resources, raise the firm’s risk profile and possibly cause losses as a result of the market move.
A major firm announces a significant profit restatement. The CRO of a major retail brokerage wants to know which accounts will be affected the most. The CRO needs to know real-time which accounts have concentrations in that industry and SIC code. Since it isn’t clear yet what the full effect of the restatement will be on security prices, can the CRO perform a what-if analysis on specific accounts to determine the potential effects on the firm and the accounts so that proper actions can be taken? Inability to do this real-time will consume resources and increase the risk profile of the firm and the accounts.
In both cases, could the CRO have set up early warnings so that the risk systems would have generated alerts as to problem positions or accounts when specific actions occur so that the CRO can spend less time finding risks and more time managing risks?
The industry has spent many dollars effecting comprehensive risk management capabilities. Ultimately risk management is, however, a process that requires tools and the right mindset, not just a system that measures risk. The purpose of risk management is the following: minimize the probability that an error occurs AND that it goes unnoticed. To do that, a firm must have all the components of effective risk management. The firm must have the ability to perform the 3 Ms of Risk Management: Measurement, Monitoring and Management of risk. In this paper, we will outline the basic capabilities of each of the three areas.
All firms must have the capability to measure their risks. Most firms have risk measurement systems. However, there is a lot more to it than that. Risk measurement involves ALL aspects of the capability to measure risk, not just having systems. To measure risk effectively and accurately, the firm must have accurate and timely information as to its positions, its counterparties and all relevant information regarding its positions and counterparties. This information should ideally be available on a real-time basis as markets move very rapidly and soon the risk analysis may no longer be valid. Measuring this information solely on an overnight (or end of day) basis will not be sufficient as market conditions change during the day, and customer and counterparty activity changes the firm’s risk profile constantly. It is also not sufficient to simply do this several times a day. As market conditions change, the value of the firm’s and its customers’ positions changes accordingly, either favorably or unfavorably. In addition, as customers do trades during the day the firm must be able to track its customers’ accounts as they transact business. This information must be accurate, accessible in a timely manner and able to be retrieved from the firm’s computers and sent to the relevant analytical models for risk evaluation. During some recent risk events, many firms learned that they could not do this effectively, much to their dismay.
So what does effective risk measurement entail? Several key components are required:
The risk measurement methodologies used must accurately measure the risks. There are many different ways to measure risks and firms use most of them. The two basic necessities for a risk measurement methodology to be effective are that they must reflect the risks they measure and all relevant parties must understand them.
Different kinds of firms will require different kinds of risk measures. The measures needed for a portfolio-based approach to risk measurement are not exactly the ones needed for a retail operation. The portfolio approach requires position, position attribute, counterparty and counterparty attribute data. A retail operation will require all that and extensive information at the account level so it can see what individual accounts are doing real-time.
The firm must be able to examine its risks at any level and aggregate up or drill down to any desired degree. For example, a broker dealer must be able to measure risk by security, security type, counterparty and type, industry or SIC classification, currency, geographical location, etc. The B/D should then be able to aggregate up or drill down in any direction (for example by country by currency or vice versa). A retail brokerage should be able to measure risk by account, by account type, by industry, SIC code, etc, and aggregate up. They should also be able to drill down to the account level after starting with a portfolio approach. In addition, a retail brokerage needs to perform sophisticated margin calculations on a wide variety of products. Also, they would need to be alerted when specific activities occur in selected accounts, e.g., large trades or prohibited activities.
The firm must be able to perform scenario and what if analysis on a real time basis for any of its risk measurement categories. For a retail operation, this means even at the account level.
The analytical models used to measure risk must be accurate and measure the right risks. The models must be appropriate to the business and the products. Different products may require different kinds of models and there is nothing wrong with that. Use as many models as is necessary and no more.
The inputs to the models must be accurate. Many firms have a problem with their data and getting it to the right system at the right time. The data must be accurate, clean, and timely. This applies to model-generated data (including the results of risk analysis) as well as historical market data. Without accurate inputs, the model will give misleading results, leading to inaccurate decision-making.
The connections between the systems must be accurate. Feeder systems must feed the inputs to the risk model on a timely and accurate basis, just as the risk system must feed other systems in the same manner.
The systems must work automatically. You should not have to do anything extra for the system to be measuring risk accurately and timely.
The firm should periodically assess its systems and their ability to perform, effecting updated capabilities when necessary.
For effective risk management to take place, risks must be monitored. A firm that simply measures risk three thousand ways but does not monitor it on a timely basis will likely suffer at some point. Risk monitoring includes all aspects of ensuring that accurate risk measurement information is available to the right people on a timely and accurate basis. What does effective risk monitoring entail? Several key capabilities are required.
The firm must have timely and accurate risk information available to the right people at the right time.
The firm must have a set of comprehensive risk reports generated during the day. The reason that a set of reports is necessary is that different levels of management require different levels of risk information. The key criterion is that the reports reflect the degree of granularity and breadth of information required to optimize the decision-making capabilities of the party that gets the reports.
The firm must also have this information available on a real-time basis. This means that it must be available online for the parties that require it so they can see what is going on at all times. The same issues of granularity and breadth apply here.
The risk systems should have the capability to alert the proper manager when preset conditions occur so that proactive risk management can occur. The firm should set up a variety (as many as needed) of risk conditions that different managers are concerned with. These conditions should also be set in a variety of ways. The parties could set up criteria that will generate alerts. The relevant manager could then drill down into the alert to investigate further. The proper action could be taken.
For example, a B/D could set these alerts to show limit utilization above a certain level (e.g., 75%) and by security, currency, counterparty, trading ledger, industry or geographic location. The system alerts the appropriate level(s) of management when the condition is met. The alerts should also happen as a result of a what-if or scenario analysis, alerting the appropriate party to what could happen under certain conditions. For example, an alert could occur if a major market move would cause an X% loss in a particular security. Management can then examine the alert and take appropriate action, if any. These alerts are set by management and should reflect the conditions with which management is currently concerned.
For a retail operation, this would include all the above. It would also need to include alerts at the account level such as a big trade or an account that is utilizing an increasing portion of its credit and is heading toward a potential margin call. For example, an alert could occur if an X% market move would cause a margin call in a large (or small) account(s). Management can set up appropriate conditions for accounts it wishes to monitor and be alerted when those conditions are met. Management can then examine further and take the appropriate action, if any.
In addition to all the reports and alerts, managers must effectively communicate with each other so that they are aware of current conditions.
The first two steps in the process provide the analytics and the tools that managers at all levels must have in order to make effective decisions regarding risks. The final step in the process may be the simplest to explain. After all the risks that can be measured are monitored (those that can be measured. Not all risks can be measured and you should not try!), and after the correct monitoring systems and procedures are in place, the final step in the process is actually managing the risk. This simply means management decision-making when called for, based on the information that is available. Managers at every level must be ready to take appropriate actions when a condition exists that warrants attention. This means proactive actions. Remember that not every risk condition or situation requires action. It possible that, for example, that a limit is exceeded on a trading floor and management becomes aware of it. After reviewing the excess, determining the cause and discussing the possible harm, the appropriate managers may let it stand and take no action. Or, an alert can be generated on a specific account. After drill down and review, management decides no action is called for.
Some of the critical aspects of managing risk effectively are:
The proper analytical tools must be used so that the information to decide possible courses of action is reliable
The proper risk monitoring capabilities, including alerting capabilities that provide this information on a real time basis, must be in place
A risk-oriented mindset must exist in all employees. Senior management must drive this mindset from the top down. Everyone bears some of the responsibility, not just management and risk managers
A willingness to be proactive regarding risk management, treating risk management as a business partner, not simply part of a compliance function
As we all know, there are many crucial aspects to implementing effective risk management capabilities at a firm. It is critical that each phase be implemented at any firm that wishes to effectively manage its risks. This can be summarized relatively simply. The tools for measuring risk must be accurate as must be the inputs to those tools. This means models must be accurate. Data must be clean. The technology behind the system should help the risk management process by identifying risk so that managers gave increased resources for managing risks. Real-time capability is required; batch processes won’t cut it any more. The outputs of the risk measurement process must be available on a real time basis so that managers understand what is happening as it is happening and can take appropriate action. This means everyone gets the info when they need it. Systems that inform management of current conditions go a long way to helping the process. Finally, everyone should consider risk management as part of his or her job. Effective risk management is possible when these conditions are met.