and Capital-Markets Activities Manual > This page
Capital-Markets Activities Manual
Activities: Overview of Risk Management in Trading Activities
Source: Federal Reserve System
(The complete Activities
Manual (pdf format) can be downloaded from the Federal Reserve's web
Risk is an inevitable component of intermediation
and trading activity. Given the fundamental trade-off between risks and
returns, the objective of regulators is to determine when risk exposures
either become excessive relative to the financial institution's capital
position and financial condition or have not been identified to the extent
that the situation represents an unsafe and unsound banking practice.
Determination of whether the institution's risk-management system can
measure and control its risks is of particular importance. The primary
components of a sound risk-management process are a comprehensive risk-measurement
approach; a detailed structure of limits, guidelines, and other parameters
used to govern risk taking; and a strong management information system
for monitoring and reporting risks. These components are fundamental to
both trading and non-trading activities. Moreover, the underlying risks
associated with these activities, such as market, credit, liquidity, operations,
and legal risks, are not new to banking, although their measurement can
be more complex for trading activities than for lending activities. Accordingly,
the process of risk management for capital markets and trading activities
should be integrated into the institution's overall risk-management system
to the fullest extent possible using a conceptual framework common to
the financial institution's other business activities. Such a common framework
enables the institution to consolidate risk exposure more effectively,
especially since the various individual risks involved in capital-markets
and trading activities can be interconnected and may transcend specific
The examiner must apply a multitude of analyses to appropriately assess
the risk-management system of an institution. The assessment of risk-management
systems and controls may be performed in consideration of the type of
risk, the type of instrument, or by function or activity. The examiner
must become familiar with the institution's range of business activities,
global risk-management framework, risk-measurement models, and system
of internal controls. Furthermore, the examiner must assess the qualitative
and quantitative assumptions implicit in the risk-management system as
well as the effectiveness of the institution's approach to controlling
risks. The examiner must determine that the computer system, management
information reports, and other forms of communication are adequate and
accurate for the level of business activity of the institution.
GLOBAL RISK-MANAGEMENT FRAMEWORK
The primary goal of risk management is to
ensure that a financial institution's trading, position-taking, credit
extension, and operational activities do not expose it to losses that
could threaten the viability of the firm. Global risk management is ultimately
the responsibility of senior management and the board of directors; it
involves setting the strategic direction of the firm and determining the
firm's tolerance for risk. The examiner should verify that the risk management
of capital-markets and trading activities is embedded in a strong global
(firmwide) risk-management system, and that senior management and the
directors are actively involved in overseeing the risk management of capital-markets
Role of Senior Management and the Board of Directors
Senior management and the board of directors have a responsibility to
fully understand the risks involved in the institution's activities, question
line management about the nature and management of those risks, set high
standards for prompt and open discussion of internal control problems
and losses, and engage management in discussions regarding the events
or developments that could expose the firm to substantial loss. The commitment
to risk management in any organization should be clearly delineated in
practice and codified in written policies and procedures approved by the
board of directors. These policies should be consistent with the financial
institution's broader business strategies and overall willingness to take
risk. Accordingly, the board of directors should be informed regularly
of the risk exposure of the institution and should regularly re-evaluate
the organization's exposure and its risk tolerance regarding these activities.
Middle and senior management, including trading and control staff, should
be well versed in the risk-measurement and risk-management methodology
of the financial institution.
Senior management is responsible for ensuring that adequate policies and
procedures for conducting long-term and day-to-day activities are in place.
This responsibility includes ensuring clear delineations of responsibility
for managing risk, adequate systems for measuring risk, appropriately
structured limits on risk taking, effective internal controls, and a comprehensive
The risk-management mandate from senior management and the board of directors
• identifying and assessing risks
• establishing policies, procedures, and risk limits
• monitoring and reporting compliance with limits
• delineating capital allocation and portfolio management
• developing guidelines for new products and including new exposures
within the current framework
• applying new measurement methods to existing products
The limit structure should reflect the risk-measurement system in place,
as well as the financial institution's tolerance for risk, given its risk
profile, activities, and management's objectives. The limit structure
should also be consistent with management's experience and the overall
financial strength of the institution.
In addition, senior management and the board of directors are responsible
for maintaining the institution's activities with adequate financial support
and staffing to manage and control the risks of its activities. Highly
qualified personnel must staff not only front-office positions such as
trading desks, relationship or account officers, and sales, but also all
back-office functions responsible for risk management and internal control.
Comprehensiveness of the Risk-Management System
The examiner should verify that the global risk-management system is comprehensive
and adequately identifies the major risks to which the institution is
exposed. The global risk-management system should cover all areas of the
institution, including ''special portfolios'' such as exotic currency
and interest-rate options or specially structured derivatives. At a minimum,
the global risk-management system should provide for the separate institution-wide
measurement and management of credit, market, liquidity, legal, and operational
The evaluation of the firm's institution-wide risk relative to the firm's
capital, earnings capacity, market liquidity, and professional and technological
resources is an essential responsibility of senior management. The examiner
should also verify that senior management oversees each of the major risk
categories (credit, market, liquidity, operational, and legal risk).
Examiners should ascertain whether the financial institution has an effective
process to evaluate and review the risks involved in products that are
(1) either new to the firm or new to the marketplace and (2) of potential
interest to the firm. In general, a bank should not trade a product until
senior management and all relevant personnel (including those in risk
management, internal control, legal, accounting, and audit) understand
the product and are able to integrate the product into the financial institution's
risk-measurement and control systems. Examiners should determine whether
the financial institution has a formal process for reviewing new products
and whether it introduces new products in a manner that adequately limits
Financial institutions active in the derivatives markets generate many
new products that are variants of existing instruments they offer. In
evaluating whether these products should be subject to the new-product-evaluation
process, examiners should consider whether the firm has adequately identified
and aggregated all significant risks. In general, all significant structural
variations in options products should receive some form of new-product
review, even when the firm is dealing in similar products.
ORGANIZATIONAL STRUCTURE OF RISK MANAGEMENT
Examiners should evaluate the company's
organizational structure and job descriptions to make sure that there
is a clear understanding of the appropriate personnel interaction required
to control risk. In particular, measuring and setting parameters for the
total amount of various risks facing the institution are distinct functions
that should be clearly separated from the day-to-day management of risks
associated with the normal flow of business. Normally, these parameters
should be managed independently by senior management, with approval from
the institution's board of directors.
The trading-risk-management role within an organization includes defining
trading risk-management policies, setting uniform standards of risk assessment
and capital allocation, providing senior management with global risk reporting
and evaluation, monitoring compliance with limits, and assisting in strategic
planning related to risk management.
In some organizations, risk management has a control or policing function;
in others, it is a counselor to the trading-operations area. Regardless
of how it is implemented, the risk-management function should have reporting
lines that are fully independent of the trading groups.
When defining an institution's exposures, risk managers must address all
risks, those that are easily quantifiable and those that are not. Many
trading risks lend themselves to common financial-estimation methods.
Quantifiable risks related to price changes should be applied consistently
to derive realistic estimates of market exposure. Consequently, examiners
must subjectively and pragmatically evaluate an institution's risk related
to capital-markets and trading activities.
The risk measurement and management of an institution will only be as
strong as its internal control system. Effective internal control mechanisms
for monitoring risk require that risk managers maintain a level of independence
from the trading and marketing functions-a requirement not only for the
development of the conceptual framework applied but for determining the
applicable parameters used in daily evaluations of market risks. This
function would be responsible for measuring risk, setting risk parameters,
identifying risk vulnerabilities, monitoring risk limits, and evaluating
or validating pricing and valuation models. Examiners should ascertain
that the financial institution has some form of independent risk management
and that management information is comprehensive and reported to senior
management on a frequency commensurate with the level of trading activity.
The day-to-day management of risks that occur in the normal course of
business can be accomplished through either centralized or decentralized
structures. The choice of approach should reflect the organization's risk
profile, trading philosophy, and strategy. In a highly decentralized structure,
examiners should ascertain that adequate controls are in place to ensure
the integrity of the aggregate information provided to senior management
and the board of directors.
Trading positions must be accurately transmitted to the risk-measurement
systems. The appropriate reconciliations should be performed to ensure
data integrity across the full range of products, including new products
that may be monitored apart from the main processing networks. Management
reports should be reviewed to determine the frequency and magnitude of
limit excesses over time. Traders, risk managers, and senior management
should be able to define constraints on trading and justify identified
excesses. The integrity of the management information system is especially
important in this regard (See section 2040.1, ''Operations and Systems
Risk (Management Information Systems)''.) Examiners should also review
and assess the compensation arrangements of risk-management staff to ensure
that there are no incentives which may conflict with maintaining the integrity
of the risk-control system.
Measurement of Risks
The increasing globalization and complexity of capital markets and the
expanding range of esoteric financial instruments have made trading-risk
management more difficult to accomplish and evaluate. Fortunately, a number
of commonly used risk-measurement systems have been developed to assist
financial institutions in evaluating their unique combinations of risk
exposures. These systems all aim to identify the risks associated with
particular business activities and group them into generic components,
resulting in a single measure for each type of risk. These systems also
allow institutions to manage risks on a portfolio basis and to consider
exposures in relation to the institution's global strategy and risk profile.
Managing the residual exposure or net position of a portfolio, instead
of separate transactions and positions, provides two important benefits:
a better understanding of the port-folio's exposure and more efficient
hedging. A market maker's portfolio benefits from economies of scale in
market-risk management because large portfolios tend to contain naturally
offsetting positions, which may significantly reduce the overall market
risk. Hedging the residual risk of the net portfolio position rather than
individual transactions greatly reduces transactions costs. A portfolio-focused
management approach reduces the complexity of position tracking and management.
All major risks should be measured explicitly and consistently and integrated
into the firm-wide risk-management system. Systems and procedures should
recognize that measurement of some types of risk is an approximation and
that some risks, such as the market liquidity of a marketable instrument,
can be very difficult to quantify and can vary with economic and market
conditions. Nevertheless, at a minimum, the vulnerabilities of the firm
to these risks should be explicitly assessed on an ongoing basis in response
to changing circumstances.
Sound risk-measurement practices include the careful and continuous identification
of possible events or changes in market behavior that could have a detrimental
impact on the financial institution. The financial institution's ability
to withstand economic and market shocks points to the desirability of
developing comprehensive and flexible data-management systems.
The risk-management system should include a sound system of integrated
institution-wide risk limits that should be developed under the direction
of and approved by senior management and the board of directors. The established
limits structure should apply to all risks arising from an institution's
activities. For credit and market risk, in particular, limits on derivatives
should be directly integrated with institution-wide limits on those risks
as they arise in all other activities of the firm. When risks are not
quantifiable, management should demonstrate an awareness of their potential
In addition to credit risk and market risk, limits or firm guidelines
should be established to address liquidity and funding risk, operational
risk, and legal risk. Careful assessment of operational risk by the financial
institution is especially important, since the identification of vulnerabilities
in the operational process can often lead to improvements in procedures,
data processing systems, and contingency plans that significantly reduce
Examiners should ascertain whether management has considered the largest
losses which might arise during adverse events, even scenarios which the
financial institution may consider fairly remote possibilities. The evaluation
of worst-case scenarios does not suggest that the limits themselves must
reflect the outcomes of a worst-case scenario or that the financial institution
would be imprudent to assume risk positions that involve large losses
if remote events were to occur. However, financial institutions should
have a sense of how large this type of risk might be and how the institution
would manage its positions if such an event occured. Evaluation of such
scenarios is crucial to risk management since significant deviations from
past experience do occur, such as the breakdown in 1992 and 1993 of the
traditionally high correlation of the movements of the dollar and other
European currencies of the European monetary system.
An institution's exposures should be monitored against limits by control
staff who are fully independent of the trading function. The process for
approving limit excesses should require that, before exceeding limits,
trading personnel obtain at least oral approval from senior management
independent of the trading area. The organization should require written
approval of limit excesses and maintenance of such documentation. Limits
need not be absolute; however, appropriate dialogue with non-trading senior
management should take place before limits are exceeded. Finally, senior
management should properly address repeated limit excesses and divergences
from approved trading strategies.
Procedures should address the frequency of limit review, method of approval,
and authority required to change limits. Relevant management reports and
their routing through the organization should be delineated.
Complex instruments require sound analytical tools to assess their risk.
These tools are grounded in rigorous financial theory and mathematics.
As an institution commits more resources to structured products, complex
cash instruments, or derivatives, existing staff will be required to develop
an understanding of the methodologies applied. Institutions should not
create an environment in which only trading staff can evaluate market
risk; information on new products and their attendant risks should be
Concurrent with the review of the existing risk-management framework,
the resources provided to maintain the integrity of the risk-measurement
system should be evaluated. Limits should be reviewed at least annually.
Assumptions underlying the established limits should be reviewed in the
context of changes in strategy, the risk tolerance of the institution,
or market conditions. Automated systems should be upgraded to accommodate
increased volumes and added financial complexity, either in applying new
valuation methodologies or implementing tools to evaluate new products.
Products that are recorded ''off-line,'' that is, not on the mainframe
or LAN (linked personal computers), should provide automated data feeds
to the risk-measurement systems to reduce the incidence of manual error.
Internal Controls and Audits
A review of internal controls has long been central to the examination
of capital-markets and trading activities. The examiner should review
the system of internal controls to ensure that they promote effective
and efficient operations; reliable financial and regulatory reporting;
and compliance with relevant laws and regulations, safe and sound banking
practices, and policies of the board of directors and management. Evaluating
the ability of internal controls to achieve these objectives involves
understanding and documenting adherence to control activities such as
approvals, verifications, and reconciliations.
When evaluating internal controls, examiners should consider the frequency,
scope, and findings of internal and external audits and the ability of
those auditors to review the capital-markets and trading activities. Internal
auditors should audit and test the risk-management process and internal
controls periodically, with the frequency based on a careful risk assessment.
Adequate test work should be conducted to re-create summary risk factors
in management reports from exposures in the trading position. This may
include validation of risk-measurement algorithms independent of the trading
or control functions with special emphasis on new, complex products. Internal
auditors should also test compliance with risk limits and evaluate the
reliability and timeliness of information reported to the financial institution's
senior management and the board of directors. Internal auditors are also
expected to evaluate the independence and overall effectiveness of the
financial institution's risk-management functions.
The level of confidence that examiners place in the audit work, the nature
of the audit findings, and management's response to those findings will
influence the scope of the current examination. Even when the audit process
and findings are satisfactory, examiners should test critical internal
controls, including the revaluation process, the credit-approval process,
and adherence to established limits. Significant changes in product lines;
modeling; or risk-management methodologies, limits, and internal controls
should receive special attention. Substantial changes in earnings from
capital-markets and trading activities, in the size of positions, or the
value-at-risk associated with these activities should also be investigated
during the examination. These findings and evaluations and other factors,
as appropriate, should be the basis for decisions to dedicate greater
resources to examining the trading functions.
Capital-markets and trading operations vary
significantly among financial institutions, depending on the size of the
trading operation, trading and management expertise, organizational structures,
the sophistication of computer systems, the institution's focus and strategy,
historical and expected income, past problems and losses, risks, and types
and sophistication of the trading products and activities. As a result,
the risk-management practices, policies, and procedures expected in one
institution may not be necessary in another. With these caveats in mind,
a list of sound practices for financial institutions actively engaged
in capital-markets and trading operations follows:
• Every organization should have a risk-management function that
is independent of its trading staff.
• Every organization should have a risk-management policy that
is approved by the board of directors annually. The policy should outline
products traded, parameters for risk activities, the limit structure,
over-limit-approval procedures, and frequency of review. In addition,
every organization should have a process to periodically review limit
policies, pricing assumptions, and model inputs under changing market
conditions. In some markets, frequent, high-level review of such factors
may be warranted.
• Every organization should have a new-product policy that requires
review and approval by all operational areas affected by such transactions
(for example, risk management, credit management, trading, accounting,
regulatory reporting, back office, audit, compliance, and legal). This
policy should be evidenced by an audit trail of approvals before a new
product is introduced.
• Every organization should be able to aggregate each major type
of risk on a single common basis, including market, credit, and operational
risks. Ideally, risks would be evaluated within a value-at-risk framework
to determine the overall level of risk to the institution. The risk-measurement
system should also permit disaggregation of risk by type and by customer,
instrument, or business unit to effectively support the management and
control of risks.
• Every organization should have a methodology to stress test the
institution's portfolios with respect to key variables or events to create
plausible worst-case scenarios for review by senior management. The limit
structure of the institution should consider the results of the stress
• Every organization should have an integrated management information
system that controls market risks and provides comprehensive reporting.
The sophistication of the system should match the level of risk and complexity
of trading activity. Every institution should have adequate financial
applications in place to quantify and monitor risk positions and to process
the variety of instruments currently in use. A minimum of manual intervention
should be required to process and monitor transactions.
• Risk management or the control function should be able to produce
a risk-management report that highlights positions, limits, and excesses
on a basis commensurate with trading activity. This report should be sent
to senior management, reviewed, signed, and returned to control staff.
• Counterparty credit exposure on derivative transactions should
be measured on a replacement-cost and potential-exposure basis. Every
organization should perform a periodic assessment of credit exposure to
redefine statistical parameters used to derive potential exposure.
• With regard to credit risk, any organization that employs netting
should have a policy related to netting agreements. Appropriate legal
inquiry should be conducted to determine enforceability by jurisdiction
and counterparty type. Netting should be implemented only when legally
• Every organization should have middle and senior management inside
and outside the trading room who are familiar with the stated philosophy
on market and credit risk. Also, pricing methods employed by the traders
should be well understood.
• Every organization should be cognizant of non-quantifiable risks
(such as operational risks), have an approach to assessing them, and have
guidelines and trading practices to control them.
• Every organization with a high level of trading activity should
be able to demonstrate that it can adjust strategies and positions under
rapidly changing market conditions and crisis situations on a timely basis.
• For business lines with high levels of activity, risk management
should be able to review exposures on an intraday basis.
• Management information systems should provide sufficient reporting
for decision making on market and credit risks, as well as operational
data including profitability, unsettled items, and payments.
• A periodic compliance review should be conducted to ensure conformity
with federal, state, and foreign securities laws and regulatory guidelines.
• Every institution should have a compensation system that does
not create incentives which may conflict with maintaining the integrity
of the risk-control system.
• Auditors should perform a comprehensive review of risk management
annually, emphasizing segregation of duties and validation of data integrity.
Additional test work should be performed when numerous new products or
models are introduced. Models used by both the front and back offices
should be reassessed periodically to ensure sound results.
Back to Activities