Capital-Markets Activities Manual
Activities: Operations and System Risk (Management Information Systems)
Source: Federal Reserve System
Management information systems (MIS) should
accumulate, interpret, and communicate information regarding the institution's
positions, profits, business activities, and inherent risks. The form
and content of management information for trading activities will be a
function of the size and complexity of the trading operation and organization,
policies and procedures, and management reporting lines. MIS generally
take two forms: computing systems with business applications and management
reporting. For institutions with trading operations, a computerized system
should be in place. For a small number of institutions with limited trading
activity, an elaborate computerized system may not be cost effective.
Not all management information systems are fully integrated. Examiners
should expect to see varying degrees of manual intervention and should
determine whether the integrity of the data is preserved through proper
controls. The examiner should review and evaluate the sophistication and
capability of the financial institution's computer systems and software,
which should be capable of supporting, processing, and monitoring the
capital-markets and trading activities of the financial institution.
An accurate, informative, and timely management information system is
essential to the prudent operation of a trading or derivative activity.
Accordingly, the examiner's assessment of the quality of the management
information system is an important factor in the overall evaluation of
the risk-management process. Examiners should determine the extent to
which the risk-management function monitors and reports its measure of
trading risks to appropriate levels of senior management and the board
of directors. Exposures and profit-and-loss statements should be reported
at least daily to managers who supervise but do not conduct trading activities.
More frequent reports should be made as market conditions dictate. Reports
to other levels of senior management and the board may occur less frequently,
but examiners should determine whether the frequency of reporting provides
these individuals with adequate information to judge the changing nature
of the institution's risk profile.
Examiners should ensure that the management information systems translate
the measured risk from a technical and quantitative format to one that
can be easily read and understood by senior managers and directors, who
may not have specialized and technical knowledge of trading activities
and derivative products. Risk exposures arising from various products
within the trading function should be reported to senior managers and
directors using a common conceptual framework for measuring and limiting
The trading institution should have personnel
with sufficient expertise to understand the financial instruments and
maintain the management information system. Reports should be updated
to reflect the changes in the business environment. Institutions that
develop their own applications should have adequate staff to alter and
test current software. Also, the implementation of automated reporting
systems is not a substitute for an adequate reconcilement procedure that
would ensure the integrity of data inputs. The system must be independently
audited by personnel with sufficient expertise to perform a comprehensive
review of management reporting, financial applications, and systems capacity.
Worldwide deregulation of financial markets,
combined with the latest tools in information technologies, has brought
capital markets together so that geographic financial centers are no longer
as important. Access to markets on competitive terms from any location
is made possible by instantaneous worldwide transmission of news and market
information. To manage their risk-management process in the current financial
and technological environment, financial institutions are more readily
prepared to incorporate the latest communications systems and database
management techniques. In addition, new financial concepts are rapidly
becoming standard practice in the industry, made possible by powerful
computing tools and communications systems.
Some capital-markets instruments require information technologies that
are more complex than those used for more traditional banking products,
such as loans, deposits, and standard foreign-exchange transactions.
Indeed, a department developing specialized trading products and their
supporting systems is often viewed by senior management as the laboratory
for the financial institution. For financial institutions active in capital
markets, conducting business in a safe and sound manner depends on the
successful integration of management information systems into the daily
processes of market- and credit-risk management; transaction processing;
settlement; accounting; and financial, regulatory, and management reporting.
Examiners should evaluate the processes of software development, technical
specifications, database management, local area networks, and communication
systems. Access to the automated systems should be adequately protected.
If the organization uses PCs, a written policy to address access, development,
maintenance, and other relevant issues should exist. Given the specialized
management skills and heightened sophistication in information technologies
found in many trading rooms, an evaluation of systems management should
be incorporated into the overall assessment of management and internal
controls. A full-scope examination of these areas is best performed by
specialized electronic data processing examiners. However, a general review
of these processes must also be incorporated in the financial examination.
For examination purposes, the scope of the review should be tailored to
the functionality of the management information system as opposed to its
technical specifications. Functionality refers to how well the system
serves the needs of users in all areas of the institution, including senior
management, risk management, front office, back office, financial reporting,
and internal audit. The organization should have flow charts or narratives
that indicate the data flow from input through reporting. The comprehensiveness
of this information, however, will depend on the level of reporting necessary
for the institution.
An important aspect of evaluating information technology is the degree
to which various systems interface. For purposes of this discussion, automated
systems refers to the collection of various front-office and control systems.
Financial institutions relying on a single database of client and transaction
files may have stronger controls on data integrity than those with multiple
sources of data. However, rarely does a single automated system handle
data entry and all processing and control functions relevant to all over-the-counter
and exchange-traded instruments used by an institution. The group of systems
used may be a combination of systems purchased from vendors and applications
developed in-house by the firm's software programmers. Standard instructions
should be set within the automated systems. The organization should identify
which instructions may be overridden and under what circumstances.
The organization should give planned enhancement or development projects
appropriate priority, given management's stated goals and capital-markets
activity. Third-party vendors should be provided with adequate lead time
to make changes to existing programs. Sufficient testing should be performed
before system upgrades are implemented.
When consolidating data derived from multiple sources, the institution
should perform controls and reconciliations that minimize the potential
for corrupting consolidated data. If independent databases are used to
support subsidiary systems, then reconciliation controls should be evident
at each point that multiple data files are brought together. Regardless
of the combination of automated systems and manual processes, examiners
should ensure that appropriate validation processes are effected to ensure
Not all financial institutions have the same automation requirements.
For institutions with limited transaction volume, it is not cost effective
to perform risk-management reporting in an automated environment, and
most analysis can be handled manually. When volumes increase such that
timely risk monitoring can no longer be handled manually, then automated
applications may be appropriate.
A key element of the management information system of trading operations
is models and algorithms used to measure and manage risk. The frequency
and extent to which financial institutions should re-evaluate their models
and assumptions depend, in part, on the specific risk exposures created
by their trading activities, the pace and nature of market changes, and
the pace of innovation with respect to measuring and managing risks. At
a minimum, financial institutions with significant capital-markets and
trading activities should review the underlying methodologies and assumptions
of their models at least annually, and more often as market conditions
dictate, to ensure that they are appropriate and consistent for all products.
Such internal evaluations may, in many cases, be supplemented with reviews
by external auditors or other qualified outside parties, such as consultants
who have expertise with highly technical models and risk-management techniques.
When introducing a pricing model, it is imperative that adequate testing
of the algorithm be performed by systems personnel with appropriate sign-off
by model users (traders, controllers, and auditors). In practice, pricing
models for the most heavily traded financial instruments are well tested.
Financial algorithms for complex, exotic products should be well documented
as part of the policies and procedures manual and functional specifications.
Hazards are more likely to arise for instruments that have non-standard
or option-like features. The use of proprietary models that employ unconventional
techniques that are not widely agreed upon by market participants should
lead to further questioning by examiners. Even the use of standard models
may lead to errors if the financial tools are not appropriate for a given
The development of new products is a key
feature of capital-markets and trading operations. The general risks associated
with new products should be addressed through the new product-approval
process. In reviewing financial applications, examiners should evaluate
whether the current tools quantify and monitor the range of relevant exposures.
New applications require special review and additional measures of control.
In the absence of a model that provides a reasonable simulation of market
price, the risk-management, control, and audit areas should be responsible
for developing an appropriate valuation methodology. Non-standard software
applications should proceed through the institution's software development
process for testing before implementation. They should not be released
for actual business use until validation and sign-off are obtained from
appropriate functional departments.
Parameter Selection and Review
Examiners should ensure that financial institutions have a process whereby
parameters used in valuation models depend on rigorous statistical methods
and are updated to reflect changing market conditions. To the extent possible,
the results derived from statistical methods should be validated against
available market information.
Models that incorporate assumptions about underlying market conditions
or price relationships require ongoing monitoring. Input parameters such
as volatility, correlations between market prices, interest rates and
currencies, and prepayment speeds of underlying mortgage pools require
frequent review. For example, volatility quotes may be compared to those
in available published sources, or from implied volatilities derived from
a pricing model using current market prices of actively traded exchange-listed
options. Mortgage securities prepayment assumptions can be compared to
vectors provided by the dealer community to automated services or to factors
provided by third-party vendors.
Examiners should evaluate the ability of an institution's model to accommodate
changes in assumptions and parameters. Institutions should conduct "what-if"
analyses and tests of the sensitivity of specific portfolios or their
aggregate risk position. Examiners should expect the risk-management and
measurement system to be sufficiently flexible to stress test the range
of portfolios managed by the institution. Any parameter variations used
for stress tests or what-if analyses should be clearly identified. These
simulations usually summarize the profit or loss given a change in interest
rates, foreign exchange rates, equity or commodity prices, volatility,
or time to maturity or expiry.
MANAGEMENT INFORMATION REPORTING
Management reporting summarizes day-to-day
operations, including risk exposure. The financial institution's goal
and market profile will be reflected in the reporting format and process
at the operational level. These reporting formats should be evaluated
for data integrity and clarity. Examiners should determine if reporting
is sufficiently comprehensive for sound decision making.
In addition, reports are used to provide management with an overall view
of business activity for strategic planning. Overall management reporting
should reflect the organizational structure of the institution and the
risk tolerance of senior management. Examiners should expect reports to
aggregate data across geographic locations when appropriate and segregate
positions by legal entity when appropriate. Examiners may find that periodic
reporting is provided to management on market-limit and credit-line utilization.
Management uses these to re-evaluate the limit structure, relate risks
to profitability over a discrete period, evaluate growing businesses,
and identify areas of potential profit. Management reporting also should
relate risks undertaken to return on capital. In fact, management information
systems should allow management to identify and address market, credit,
and liquidity risks. See sections 2010.1, 2020.1, and 2030.1 on market,
credit, and liquidity risk, respectively.
Management reports will usually be generated by control departments within
the institution, independent from front-office influence. When front-office
managers have input to reports, the senior managers should be well aware
of potential weaknesses in the data provided. Risk reporting should be
assessed and performed independently of the front office to ensure objectivity
and accuracy and to prevent manipulation or fraud. However, if the back
office uses databases and software programs that are independent from
those used in the front office, it needs to perform a periodic reconciliation
of differences. For financial institutions operating in a less automated
environment, report preparation should be evaluated in terms of timeliness
and data accuracy. Cross-checking and sign-off by the report preparer
and reviewer with appropriate authority should be evident.
Each financial institution will define the acceptable trade-off between
model accuracy and information timeliness. As part of their appraisal
of risk management, examiners should review the frequency and accuracy
of reporting against the institution's posture in the marketplace, volume
of activity, aggregate range of exposures, and capacity to absorb losses.
Operations and Systems Risk
(Management Information Systems)
1. To determine the scope and adequacy of the audit function for management
information systems and management reporting.
2. To determine if the policies, practices, procedures, and internal controls
regarding management information systems and management reporting are
3. To ensure that only authorized users are able to gain access to automated
4. To evaluate computer systems, communications networks, and software
applications in terms of their ability to support and control the capital-markets
and trading activities.
5. To determine that the functions of automated systems and reporting
processes are well understood by staff and are fully documented.
6. To determine that software applications pertaining to risk reporting,
pricing, and other applications that depend on modelling are fully documented
and subject to independent review.
7. To determine that the automated systems and manual processes are designed
with sufficient audit trails to evaluate and ensure data integrity.
8. To ensure that reports are fully described in functional specifications
and are also included in the policies and procedures of the respective
9. To determine whether management reporting provides adequate information
for strategic planning.
10. To determine that risk-management reporting summarizes the quantifiable
and non-quantifiable risks facing the institution.
11. To determine whether financial performance reports are accurate and
sufficiently detailed to relate profits to risks assumed.
12. To evaluate summary reports on operations for adequacy.
13. To recommend corrective action when policies, practices, procedures,
internal controls, or management information systems are deficient.
Operations and Systems Risk
(Management Information Systems)
These procedures represent a list of processes and activities that may
be reviewed during a full-scope examination. The examiner-in-charge will
establish the general scope of examination and work with the examination
staff to tailor specific areas for review as circumstances warrant. As
part of this process, the examiner reviewing a function or product will
analyze and evaluate internal-audit comments and previous examination
workpapers to assist in designing the scope of examination. In addition,
after a general review of a particular area to be examined, the examiner
should use these procedures, to the extent they are applicable, for further
guidance. Ultimately, it is the seasoned judgment of the examiner and
the examiner-in-charge as to which procedures are warranted in examining
any particular activity.
1. Obtain copies of internal and external audit reports for MIS and management
reporting. Review findings and management's responses to them and determine
whether appropriate corrective action was taken.
2. Obtain a flow chart of reporting and systems flows and review information
to identify important risk points. Review policies and procedures for
MIS. Review the personal computer policy for the institution, if available.
3. Determine the usage of financial applications on terminals that are
not part of the mainframe, minicomputer, or local area network. For instance,
traders may use their own written spreadsheet to monitor risk exposure
or for reconciliation.
4. Obtain an overview of the system's functional features. Browse the
system with the institution's systems administrator. Determine whether
passwords are used and access to the automated system is restricted to
5. Review a list of ongoing or planned management information systems
projects. Determine whether the priority of projects is justified given
management's strategic goals and recent mix of business activity.
6. From the systems overview, ascertain the range of databases in use.
Some system architecture may use independent databases for front office,
back office, or credit administration. Determine the types of reconciliations
performed, frequency of database reconciliation, and tolerance for variance.
The more independent databases are, the more the potential for data error
7. Determine the extent of data-parameter defaults, for example, standard
settlement instructions to alleviate manual intervention. Determine the
extent of manual intervention for transaction processing, financial analysis,
and management reporting.
8. Review the policies and procedures manual for reporting requirements
9. Determine whether the automated and manual processes have sufficient
audit trails to evaluate and ensure data integrity for the range of functional
applications. Determine how control staff validates report content and
whether the report content is well understood by the preparer.
10. Determine whether the processing and production of reports is segregated
from front-office staff. When the front office has influence, how does
management validate summary data and findings?
11. Review the functional applications such as credit administration,
trade settlement, accounting, revaluation, and risk monitoring to determine
the combination of automation and manual intervention for management reporting.
Compare findings with examiners reviewing specific products or business
12. Determine whether the documentation supporting pricing models is adequate.
Determine whether "user instructions" provide sufficient guidance in
13. Determine whether the range of risk-management reports is adequately
documented in terms of inputs (databases, datafeeds external to the organization,
economic and market assumptions), computational features, and outputs
(report formats, definitions). Evaluate the documentation for thoroughness
14. Determine whether the range of reports (risk management, financial
performance and operational controls) provides valid results to evaluate
business activity and for strategic planning.
15. Recommend corrective action when policies, practices, procedures,
internal controls, or management information systems are deficient.
Operations and Systems Risk
(Management Information Systems)
Internal Control Questionnaire
1. Is the scope of the audit coverage comprehensive? Are audits for management
information systems and reporting available? Are findings discussed with
management? Has management implemented timely corrective actions for deficiencies?
2. Do policies and procedures address the range of system development
and technical maintenance at the institution, including the use of outside
vendors and consultants? Does the institution have a comprehensive personal
computer policy? If the organization uses PCs, is there a written policy
to address access, development, maintenance, and other relevant issues?
3. Do the new product policies and procedures require notification and
sign-off by key systems development and management reporting staff?
4. Are there functional specifications for the systems? Are they adequate
for the current range of automated systems at the institution? Do they
address both automated and manual input and intervention?
5. Does the organization have flow charts or narratives that indicate
the data flow from input through reporting? Is this information comprehensive
for the level of reporting necessary for the financial institution?
6. Is access to the automated systems adequately protected?
a. Do access rights, passwords, and logon IDs protect key databases from
b. Are "write or edit" commands restricted to a limited set of individuals?
c. Are specific functions assigned to a limited set of individuals? Are
access rights reviewed periodically?
d. Does the system have an audit report for monitoring user access?
e. Is access logon information stored in records for audit trail support?
7. Is management information provided from mainframe, minicomputers, local
area networks (multi-user personal computer networks), or single-user
personal computers or a combination of the above?
8. Are third-party vendors provided with adequate lead time to make changes
to existing programs? Is sufficient testing performed before system upgrades
9. Do planned enhancement or development projects have appropriate priority,
given management's stated goals and capital-markets activity?
10. Identify the key databases used for the range of management reports.
a. Are direct electronic feeds from external services such as Reuters,
Telerate, and Bloomberg employed? How are incomplete datafeeds identified?
Can market data be overridden by users? How does the institution ensure
the data integrity of datafeeds or manually input rates, yields, or prices
from market sources?
b. Are standard instructions set within the automated systems? Can these
be overridden? Under what circumstances?
c. For merging and combining databases, how does the institution ensure
d. What periodic reconciliations are performed to ensure data integrity?
Is the reconciliation clerk sufficiently familiar with the information
to identify "contaminated" data?
11. Does the institution have a model-validation process? Does the organization
use consultants for model development and validation? Are these consultants
used effectively? Are the yield curve calculations, interpolation methods,
discount factors, and other parameters used clearly documented and appropriate
to the instruments utilized? Regardless of the source of the model, how
does management ensure accurate and consistent results?
12. Does the system design account for the different pricing conventions
and accrual methods across the range of products in use at the financial
institution? Evaluate the range of system limitations for processing and
valuation across the range of products used by the institution. Assess
the possible impact on accuracy of management reporting.
13. Is management reporting prepared on a sufficiently independent basis
from line management? Is management reporting adequate for the volume
and complexity of capital-markets and trading activities for the types
of reports listed below? Are reports complete? Do they have clear formats?
Are the data accurate? Are exceptions highlighted? Is appropriate segregation
of duties in place for report preparation? Are there reports for the following:
a. Market-risk exposure against limits?
b. Credit-risk exposure against limits?
c. Market-liquidity risk exposure against limits?
d. Funding-liquidity risk exposure against market demand?
e. Transaction volumes and business mix?
f. Profit and loss?
g. Other risk exposures and management information reports?
14. Do reports reflect aggregation of data across geographic locations
15. Do reports segregate positions by legal entity when appropriate?
16. Determine whether the system for measuring and managing risk is sufficiently
flexible to stress test the range of portfolios managed by the institution.
Does the system provide usable and accurate output? If the institution
does not perform automated stress testing, what process is used to minimize
quantifiable risks in adverse markets?
17. Are parameter variations used for stress tests or "what-if"
analyses clearly identified?
18. Does management reporting relate risks undertaken to return on capital?
19. Do reports provide information on the business units that is adequate
for sound strategic planning? Are profitable and unprofitable businesses
clearly identified? Does management have adequate information?