Thursday, April 10, 2008

Managing Operational Risk: Beyond Basel II

download KPMG white paper from

Managing Credit Risk: Beyond Basel II

Download KPMG paper from

Lessons in Operational Risk Management

Notes on a Scandal: Lessons in Operational Risk Management from Société Générale
Sponsored By Diamond Management & Technology Consultants (2008)


Lightning can, in fact, strike twice and banks that want to avoid being rocked by a Société Générale-scale fraud incident need to move beyond stop-gap measures and build a culture of operational risk management. This report examines facts that have emerged thus far from the Société Générale situation, and the probable causes of fraud point to deficiencies in operational risk management. While details are still surfacing, Société Générale, or SocGen, appears to have lacked three essential ingredients in establishing a resilient operational risk environment: automated processes, an internal controls culture, and strong IT access controls. Banks that grasp the business and technology details of these primary operational risk management elements will lead the pack in managing fraud risks.

Download the full paper from after free registration

Thursday, March 6, 2008

Risk Management in Broker Dealers - Some Suggestions

From the
Joint Statement:
Broker-Dealer Risk Management Practices
Dt. July 29, 1999

Office of Compliance Inspections and Examinations,
Securities and Exchange Commission
New York Stock Exchange
NASD Regulation, Inc.

Risk management is the identification, management, measurement and oversight of various business risks and is part of a firm's internal control structure. These risks typically arise in such areas as proprietary trading, credit, liquidity and new products. The elements of a comprehensive risk management system are highly dependent on the nature of the broker-dealer's business and its structure.

Senior management must play a significant role in the adoption and maintenance of a comprehensive system of internal controls and risk management practices. This role should include the recognition of risk management as an essential part of the business process, management's willingness to fund the necessary elements of a risk management system, including personnel and information technology costs, and recognition that risk management is a dynamic function that must be modified and improved as a firm's business changes and improved processes and procedures become available.

The examinations of task force of some mid sized and large brokers revealed certain material weaknesses in the policies and practices employed by certain broker-dealers to manage risk, and also some sound practices.

Weaknesses in Practices

Some firms failed to adequately monitor trading risk due to poor supervisory structures, the inconsistent use of data, and employment of inappropriate risk measurement tools. For example, one inspection noted a broker-dealer that had assigned the head of the fixed income trading desk to oversee all trading risk management functions, including the risk monitoring of fixed income trading.

Several broker-dealers were found to have failed to monitor the consistency of information contained in the firm's trade processing, financial reporting and risk management systems, resulting in the omission of certain accounts and activity from the risk monitoring function.

Additionally, certain broker-dealers utilized risk measures, such as notional values, that were not commensurate with the complexity of products traded.

The inspections also identified numerous weaknesses in the manner by which broker-dealers manage credit risk.

Numerous broker-dealers conducted trading with counterparties for whom no credit limit had been established, and in some cases credit reviews of approved counterparties were not completed within prescribed time frames.

Further, many of these reviews were not adequately documented.

Reports used to monitor credit exposure were frequently inaccurate. For instance, many of the reports failed to capture fully the entire population of trades within each category of trading activity and failed to aggregate total credit exposures across all product lines on a system wide basis. Additionally, computerized system limitations yielded credit reports identifying false violations of credit guidelines due to an inability to recognize collateral or the failure to adjust credit lines. Other credit reports calculated exposure in a contradictory manner to what was intended, such as by treating credit exposure from the overcollateralization of repurchase agreements as reduction in risk.

The inspections also identified instances where broker-dealers maintained understaffed and inexperienced internal audit departments. Also, many of these internal audit departments failed to include key revenue producing and functional areas, such as trading risk management and credit risk management, in the internal audit plans.

Occasionally, internal audit failed to follow up on its findings, which contributed to the deficiencies which were identified remaining unremedied.

Sound Practices

Among the practices the staff observed as appropriate elements of a risk management system were the following:

The inspections identified instances where a firm's Board of Directors adopted guidelines defining authorized activities, the limits of these activities and the methodology for measuring the risks of these activities.

Frequently, the firm's senior management had substantial experience in the firm's major business areas and, accordingly, was cognizant of risks inherent in specific business lines.

Also, at certain firms, the risk profile of a product or venture was considered in senior management's allocation of capital and measurement of performance.

At several firms, traders and trading personnel were expected to play an active role in risk management.

Many firms employed an independent (i.e., from revenue production) risk manager who was appropriately experienced and reported to a sufficiently high level of authority (e.g., Board of Directors, or Chief Executive Officer) that his challenges to a trader's pricing of a position were taken seriously and were implemented without requiring the concurrence of the revenue side of the business.

The inspections identified several instances where pricing, P&L and adherence to position limits were monitored by an independent (i.e., from revenue production) and appropriately experienced group, such as product controllers. On a daily basis, this group compared each trading desk's P&L to possible earnings volatility at certain confidence levels (i.e., value or earnings at risk measurements), in order to assess the reasonableness of the firm's trading results.

At many firms where data flowing into risk measurement systems was consistent with trade and financial information, the firm would periodically reconcile the categories of data input into the various informational systems. At some firms, daily reconciliations would be performed at each point of systems interface to ensure data integrity.

Many firms maintained an independent (i.e. from revenue production) and centralized credit department which administered the establishment and documentation of credit lines and monitored the usage of these lines. Many firms have adopted a system of internal credit rating of counterparties. These ratings are updated as needed but no less often than annually. Some firms' credit monitoring systems have integrated the monitoring of credit risk over all products and operations of the firm and consider future potential exposure in monitoring credit utilization.

The inspections identified several firms with internal audit groups performing an annual risk assessment and ascribing various levels of risk, and a related audit cycle, to all segments of the firms' operations. At one firm, internal audit maintained an automated tracking system that tracked audit findings and the resolution of these findings. Audit findings that were not resolved within established time frames were reported to senior management. In those areas where audit findings were of significance, internal audit verified that policy and procedural changes had been implemented. Another internal audit group performed special reviews in reaction to news events or reported developments in the industry (cause audits).

With the increased volume of transactions, new financial products, global marketplaces and expanding use of the internet, the nature of the securities business is constantly changing and becoming more complex. As a result, a dynamic risk management function must play an essential role in assuring investor protection and the integrity of a firm's financial condition.

The task force found that broker-dealers need to devote adequate time and resources to assess risk management procedures and controls, and modify such systems to reflect today's market conditions. The extent and cost of the system needed should be determined by the size of the firm and the nature of its business activities.

Over the years, we have seen increased recognition in the broker-dealer community of the importance of the risk management function, and the need for continued adjustments to that function to address market and regulatory changes.

Most recently, the Counterparty Risk Management Policy Group joined the list of industry and regulatory groups that have evaluated risk management practices and recommended actions. All of these initiatives contribute to the potential development of improved risk management systems.

In recognition of the increased importance of this function, examination staffs of the SEC, NYSE and NASDR will increase their emphasis on the review of risk management controls during regulatory examinations.


Tuesday, January 8, 2008