Bookshop > Trading and Capital-Markets Activities Manual > This page

Trading and Capital-Markets Activities Manual

Trading Activities: Overview of Risk Management in Trading Activities 
Source: Federal Reserve System 
(The complete Activities Manual (pdf format) can be downloaded from the Federal Reserve's web site)

Risk is an inevitable component of intermediation and trading activity. Given the fundamental trade-off between risks and returns, the objective of regulators is to determine when risk exposures either become excessive relative to the financial institution's capital position and financial condition or have not been identified to the extent that the situation represents an unsafe and unsound banking practice. 

Determination of whether the institution's risk-management system can measure and control its risks is of particular importance. The primary components of a sound risk-management process are a comprehensive risk-measurement approach; a detailed structure of limits, guidelines, and other parameters used to govern risk taking; and a strong management information system for monitoring and reporting risks. These components are fundamental to both trading and non-trading activities. Moreover, the underlying risks associated with these activities, such as market, credit, liquidity, operations, and legal risks, are not new to banking, although their measurement can be more complex for trading activities than for lending activities. Accordingly, the process of risk management for capital markets and trading activities should be integrated into the institution's overall risk-management system to the fullest extent possible using a conceptual framework common to the financial institution's other business activities. Such a common framework enables the institution to consolidate risk exposure more effectively, especially since the various individual risks involved in capital-markets and trading activities can be interconnected and may transcend specific markets. 

The examiner must apply a multitude of analyses to appropriately assess the risk-management system of an institution. The assessment of risk-management systems and controls may be performed in consideration of the type of risk, the type of instrument, or by function or activity. The examiner must become familiar with the institution's range of business activities, global risk-management framework, risk-measurement models, and system of internal controls. Furthermore, the examiner must assess the qualitative and quantitative assumptions implicit in the risk-management system as well as the effectiveness of the institution's approach to controlling risks. The examiner must determine that the computer system, management information reports, and other forms of communication are adequate and accurate for the level of business activity of the institution. 


The primary goal of risk management is to ensure that a financial institution's trading, position-taking, credit extension, and operational activities do not expose it to losses that could threaten the viability of the firm. Global risk management is ultimately the responsibility of senior management and the board of directors; it involves setting the strategic direction of the firm and determining the firm's tolerance for risk. The examiner should verify that the risk management of capital-markets and trading activities is embedded in a strong global (firmwide) risk-management system, and that senior management and the directors are actively involved in overseeing the risk management of capital-markets products. 

Role of Senior Management and the Board of Directors 

Senior management and the board of directors have a responsibility to fully understand the risks involved in the institution's activities, question line management about the nature and management of those risks, set high standards for prompt and open discussion of internal control problems and losses, and engage management in discussions regarding the events or developments that could expose the firm to substantial loss. The commitment to risk management in any organization should be clearly delineated in practice and codified in written policies and procedures approved by the board of directors. These policies should be consistent with the financial institution's broader business strategies and overall willingness to take risk. Accordingly, the board of directors should be informed regularly of the risk exposure of the institution and should regularly re-evaluate the organization's exposure and its risk tolerance regarding these activities. Middle and senior management, including trading and control staff, should be well versed in the risk-measurement and risk-management methodology of the financial institution. 

Senior management is responsible for ensuring that adequate policies and procedures for conducting long-term and day-to-day activities are in place. This responsibility includes ensuring clear delineations of responsibility for managing risk, adequate systems for measuring risk, appropriately structured limits on risk taking, effective internal controls, and a comprehensive risk-reporting process. 

The risk-management mandate from senior management and the board of directors should include- 

  identifying and assessing risks 
  establishing policies, procedures, and risk limits 
  monitoring and reporting compliance with limits 
  delineating capital allocation and portfolio management 
  developing guidelines for new products and including new exposures within the current framework 
  applying new measurement methods to existing products 

The limit structure should reflect the risk-measurement system in place, as well as the financial institution's tolerance for risk, given its risk profile, activities, and management's objectives. The limit structure should also be consistent with management's experience and the overall financial strength of the institution. 

In addition, senior management and the board of directors are responsible for maintaining the institution's activities with adequate financial support and staffing to manage and control the risks of its activities. Highly qualified personnel must staff not only front-office positions such as trading desks, relationship or account officers, and sales, but also all back-office functions responsible for risk management and internal control. 

Comprehensiveness of the Risk-Management System 

The examiner should verify that the global risk-management system is comprehensive and adequately identifies the major risks to which the institution is exposed. The global risk-management system should cover all areas of the institution, including ''special portfolios'' such as exotic currency and interest-rate options or specially structured derivatives. At a minimum, the global risk-management system should provide for the separate institution-wide measurement and management of credit, market, liquidity, legal, and operational risk. 

The evaluation of the firm's institution-wide risk relative to the firm's capital, earnings capacity, market liquidity, and professional and technological resources is an essential responsibility of senior management. The examiner should also verify that senior management oversees each of the major risk categories (credit, market, liquidity, operational, and legal risk). 

Examiners should ascertain whether the financial institution has an effective process to evaluate and review the risks involved in products that are (1) either new to the firm or new to the marketplace and (2) of potential interest to the firm. In general, a bank should not trade a product until senior management and all relevant personnel (including those in risk management, internal control, legal, accounting, and audit) understand the product and are able to integrate the product into the financial institution's risk-measurement and control systems. Examiners should determine whether the financial institution has a formal process for reviewing new products and whether it introduces new products in a manner that adequately limits potential losses. 

Financial institutions active in the derivatives markets generate many new products that are variants of existing instruments they offer. In evaluating whether these products should be subject to the new-product-evaluation process, examiners should consider whether the firm has adequately identified and aggregated all significant risks. In general, all significant structural variations in options products should receive some form of new-product review, even when the firm is dealing in similar products. 


Examiners should evaluate the company's organizational structure and job descriptions to make sure that there is a clear understanding of the appropriate personnel interaction required to control risk. In particular, measuring and setting parameters for the total amount of various risks facing the institution are distinct functions that should be clearly separated from the day-to-day management of risks associated with the normal flow of business. Normally, these parameters should be managed independently by senior management, with approval from the institution's board of directors. 

The trading-risk-management role within an organization includes defining trading risk-management policies, setting uniform standards of risk assessment and capital allocation, providing senior management with global risk reporting and evaluation, monitoring compliance with limits, and assisting in strategic planning related to risk management. 

In some organizations, risk management has a control or policing function; in others, it is a counselor to the trading-operations area. Regardless of how it is implemented, the risk-management function should have reporting lines that are fully independent of the trading groups. 

When defining an institution's exposures, risk managers must address all risks, those that are easily quantifiable and those that are not. Many trading risks lend themselves to common financial-estimation methods. Quantifiable risks related to price changes should be applied consistently to derive realistic estimates of market exposure. Consequently, examiners must subjectively and pragmatically evaluate an institution's risk related to capital-markets and trading activities. 

The risk measurement and management of an institution will only be as strong as its internal control system. Effective internal control mechanisms for monitoring risk require that risk managers maintain a level of independence from the trading and marketing functions-a requirement not only for the development of the conceptual framework applied but for determining the applicable parameters used in daily evaluations of market risks. This function would be responsible for measuring risk, setting risk parameters, identifying risk vulnerabilities, monitoring risk limits, and evaluating or validating pricing and valuation models. Examiners should ascertain that the financial institution has some form of independent risk management and that management information is comprehensive and reported to senior management on a frequency commensurate with the level of trading activity. 

The day-to-day management of risks that occur in the normal course of business can be accomplished through either centralized or decentralized structures. The choice of approach should reflect the organization's risk profile, trading philosophy, and strategy. In a highly decentralized structure, examiners should ascertain that adequate controls are in place to ensure the integrity of the aggregate information provided to senior management and the board of directors. 

Trading positions must be accurately transmitted to the risk-measurement systems. The appropriate reconciliations should be performed to ensure data integrity across the full range of products, including new products that may be monitored apart from the main processing networks. Management reports should be reviewed to determine the frequency and magnitude of limit excesses over time. Traders, risk managers, and senior management should be able to define constraints on trading and justify identified excesses. The integrity of the management information system is especially important in this regard (See section 2040.1, ''Operations and Systems Risk (Management Information Systems)''.) Examiners should also review and assess the compensation arrangements of risk-management staff to ensure that there are no incentives which may conflict with maintaining the integrity of the risk-control system. 

Measurement of Risks 

The increasing globalization and complexity of capital markets and the expanding range of esoteric financial instruments have made trading-risk management more difficult to accomplish and evaluate. Fortunately, a number of commonly used risk-measurement systems have been developed to assist financial institutions in evaluating their unique combinations of risk exposures. These systems all aim to identify the risks associated with particular business activities and group them into generic components, resulting in a single measure for each type of risk. These systems also allow institutions to manage risks on a portfolio basis and to consider exposures in relation to the institution's global strategy and risk profile. 

Managing the residual exposure or net position of a portfolio, instead of separate transactions and positions, provides two important benefits: a better understanding of the port-folio's exposure and more efficient hedging. A market maker's portfolio benefits from economies of scale in market-risk management because large portfolios tend to contain naturally offsetting positions, which may significantly reduce the overall market risk. Hedging the residual risk of the net portfolio position rather than individual transactions greatly reduces transactions costs. A portfolio-focused management approach reduces the complexity of position tracking and management. 

All major risks should be measured explicitly and consistently and integrated into the firm-wide risk-management system. Systems and procedures should recognize that measurement of some types of risk is an approximation and that some risks, such as the market liquidity of a marketable instrument, can be very difficult to quantify and can vary with economic and market conditions. Nevertheless, at a minimum, the vulnerabilities of the firm to these risks should be explicitly assessed on an ongoing basis in response to changing circumstances. 

Sound risk-measurement practices include the careful and continuous identification of possible events or changes in market behavior that could have a detrimental impact on the financial institution. The financial institution's ability to withstand economic and market shocks points to the desirability of developing comprehensive and flexible data-management systems. 

Risk Limits 

The risk-management system should include a sound system of integrated institution-wide risk limits that should be developed under the direction of and approved by senior management and the board of directors. The established limits structure should apply to all risks arising from an institution's activities. For credit and market risk, in particular, limits on derivatives should be directly integrated with institution-wide limits on those risks as they arise in all other activities of the firm. When risks are not quantifiable, management should demonstrate an awareness of their potential impact. 

In addition to credit risk and market risk, limits or firm guidelines should be established to address liquidity and funding risk, operational risk, and legal risk. Careful assessment of operational risk by the financial institution is especially important, since the identification of vulnerabilities in the operational process can often lead to improvements in procedures, data processing systems, and contingency plans that significantly reduce operational risk. 

Examiners should ascertain whether management has considered the largest losses which might arise during adverse events, even scenarios which the financial institution may consider fairly remote possibilities. The evaluation of worst-case scenarios does not suggest that the limits themselves must reflect the outcomes of a worst-case scenario or that the financial institution would be imprudent to assume risk positions that involve large losses if remote events were to occur. However, financial institutions should have a sense of how large this type of risk might be and how the institution would manage its positions if such an event occured. Evaluation of such scenarios is crucial to risk management since significant deviations from past experience do occur, such as the breakdown in 1992 and 1993 of the traditionally high correlation of the movements of the dollar and other European currencies of the European monetary system. 

An institution's exposures should be monitored against limits by control staff who are fully independent of the trading function. The process for approving limit excesses should require that, before exceeding limits, trading personnel obtain at least oral approval from senior management independent of the trading area. The organization should require written approval of limit excesses and maintenance of such documentation. Limits need not be absolute; however, appropriate dialogue with non-trading senior management should take place before limits are exceeded. Finally, senior management should properly address repeated limit excesses and divergences from approved trading strategies. 

Procedures should address the frequency of limit review, method of approval, and authority required to change limits. Relevant management reports and their routing through the organization should be delineated. 

Maintenance Issues 

Complex instruments require sound analytical tools to assess their risk. These tools are grounded in rigorous financial theory and mathematics. As an institution commits more resources to structured products, complex cash instruments, or derivatives, existing staff will be required to develop an understanding of the methodologies applied. Institutions should not create an environment in which only trading staff can evaluate market risk; information on new products and their attendant risks should be widely disseminated. 

Concurrent with the review of the existing risk-management framework, the resources provided to maintain the integrity of the risk-measurement system should be evaluated. Limits should be reviewed at least annually. Assumptions underlying the established limits should be reviewed in the context of changes in strategy, the risk tolerance of the institution, or market conditions. Automated systems should be upgraded to accommodate increased volumes and added financial complexity, either in applying new valuation methodologies or implementing tools to evaluate new products. Products that are recorded ''off-line,'' that is, not on the mainframe or LAN (linked personal computers), should provide automated data feeds to the risk-measurement systems to reduce the incidence of manual error. 

Internal Controls and Audits 

A review of internal controls has long been central to the examination of capital-markets and trading activities. The examiner should review the system of internal controls to ensure that they promote effective and efficient operations; reliable financial and regulatory reporting; and compliance with relevant laws and regulations, safe and sound banking practices, and policies of the board of directors and management. Evaluating the ability of internal controls to achieve these objectives involves understanding and documenting adherence to control activities such as approvals, verifications, and reconciliations. 

When evaluating internal controls, examiners should consider the frequency, scope, and findings of internal and external audits and the ability of those auditors to review the capital-markets and trading activities. Internal auditors should audit and test the risk-management process and internal controls periodically, with the frequency based on a careful risk assessment. Adequate test work should be conducted to re-create summary risk factors in management reports from exposures in the trading position. This may include validation of risk-measurement algorithms independent of the trading or control functions with special emphasis on new, complex products. Internal auditors should also test compliance with risk limits and evaluate the reliability and timeliness of information reported to the financial institution's senior management and the board of directors. Internal auditors are also expected to evaluate the independence and overall effectiveness of the financial institution's risk-management functions. 

The level of confidence that examiners place in the audit work, the nature of the audit findings, and management's response to those findings will influence the scope of the current examination. Even when the audit process and findings are satisfactory, examiners should test critical internal controls, including the revaluation process, the credit-approval process, and adherence to established limits. Significant changes in product lines; modeling; or risk-management methodologies, limits, and internal controls should receive special attention. Substantial changes in earnings from capital-markets and trading activities, in the size of positions, or the value-at-risk associated with these activities should also be investigated during the examination. These findings and evaluations and other factors, as appropriate, should be the basis for decisions to dedicate greater resources to examining the trading functions. 


Capital-markets and trading operations vary significantly among financial institutions, depending on the size of the trading operation, trading and management expertise, organizational structures, the sophistication of computer systems, the institution's focus and strategy, historical and expected income, past problems and losses, risks, and types and sophistication of the trading products and activities. As a result, the risk-management practices, policies, and procedures expected in one institution may not be necessary in another. With these caveats in mind, a list of sound practices for financial institutions actively engaged in capital-markets and trading operations follows: 

  Every organization should have a risk-management function that is independent of its trading staff. 
  Every organization should have a risk-management policy that is approved by the board of directors annually. The policy should outline products traded, parameters for risk activities, the limit structure, over-limit-approval procedures, and frequency of review. In addition, every organization should have a process to periodically review limit policies, pricing assumptions, and model inputs under changing market conditions. In some markets, frequent, high-level review of such factors may be warranted. 
  Every organization should have a new-product policy that requires review and approval by all operational areas affected by such transactions (for example, risk management, credit management, trading, accounting, regulatory reporting, back office, audit, compliance, and legal). This policy should be evidenced by an audit trail of approvals before a new product is introduced. 
  Every organization should be able to aggregate each major type of risk on a single common basis, including market, credit, and operational risks. Ideally, risks would be evaluated within a value-at-risk framework to determine the overall level of risk to the institution. The risk-measurement system should also permit disaggregation of risk by type and by customer, instrument, or business unit to effectively support the management and control of risks. 
  Every organization should have a methodology to stress test the institution's portfolios with respect to key variables or events to create plausible worst-case scenarios for review by senior management. The limit structure of the institution should consider the results of the stress tests. 
  Every organization should have an integrated management information system that controls market risks and provides comprehensive reporting. The sophistication of the system should match the level of risk and complexity of trading activity. Every institution should have adequate financial applications in place to quantify and monitor risk positions and to process the variety of instruments currently in use. A minimum of manual intervention should be required to process and monitor transactions. 
  Risk management or the control function should be able to produce a risk-management report that highlights positions, limits, and excesses on a basis commensurate with trading activity. This report should be sent to senior management, reviewed, signed, and returned to control staff. 
  Counterparty credit exposure on derivative transactions should be measured on a replacement-cost and potential-exposure basis. Every organization should perform a periodic assessment of credit exposure to redefine statistical parameters used to derive potential exposure. 
  With regard to credit risk, any organization that employs netting should have a policy related to netting agreements. Appropriate legal inquiry should be conducted to determine enforceability by jurisdiction and counterparty type. Netting should be implemented only when legally enforceable. 
  Every organization should have middle and senior management inside and outside the trading room who are familiar with the stated philosophy on market and credit risk. Also, pricing methods employed by the traders should be well understood. 
  Every organization should be cognizant of non-quantifiable risks (such as operational risks), have an approach to assessing them, and have guidelines and trading practices to control them. 
  Every organization with a high level of trading activity should be able to demonstrate that it can adjust strategies and positions under rapidly changing market conditions and crisis situations on a timely basis. 
  For business lines with high levels of activity, risk management should be able to review exposures on an intraday basis. 
  Management information systems should provide sufficient reporting for decision making on market and credit risks, as well as operational data including profitability, unsettled items, and payments. 
  A periodic compliance review should be conducted to ensure conformity with federal, state, and foreign securities laws and regulatory guidelines. 
  Every institution should have a compensation system that does not create incentives which may conflict with maintaining the integrity of the risk-control system. 
  Auditors should perform a comprehensive review of risk management annually, emphasizing segregation of duties and validation of data integrity. Additional test work should be performed when numerous new products or models are introduced. Models used by both the front and back offices should be reassessed periodically to ensure sound results. 

Back to Activities Manual Index