Trading and Capital-Markets Activities Manual

Trading Activities: Operations and System Risk (Management Information Systems)
Source: Federal Reserve System 
(The complete Activities Manual (pdf format) can be downloaded from the Federal Reserve's web site)

Management information systems (MIS) should accumulate, interpret, and communicate information regarding the institution's positions, profits, business activities, and inherent risks. The form and content of management information for trading activities will be a function of the size and complexity of the trading operation and organization, policies and procedures, and management reporting lines. MIS generally take two forms: computing systems with business applications and management reporting. For institutions with trading operations, a computerized system should be in place. For a small number of institutions with limited trading activity, an elaborate computerized system may not be cost effective. Not all management information systems are fully integrated. Examiners should expect to see varying degrees of manual intervention and should determine whether the integrity of the data is preserved through proper controls. The examiner should review and evaluate the sophistication and capability of the financial institution's computer systems and software, which should be capable of supporting, processing, and monitoring the capital-markets and trading activities of the financial institution. 

An accurate, informative, and timely management information system is essential to the prudent operation of a trading or derivative activity. Accordingly, the examiner's assessment of the quality of the management information system is an important factor in the overall evaluation of the risk-management process. Examiners should determine the extent to which the risk-management function monitors and reports its measure of trading risks to appropriate levels of senior management and the board of directors. Exposures and profit-and-loss statements should be reported at least daily to managers who supervise but do not conduct trading activities. More frequent reports should be made as market conditions dictate. Reports to other levels of senior management and the board may occur less frequently, but examiners should determine whether the frequency of reporting provides these individuals with adequate information to judge the changing nature of the institution's risk profile. 

Examiners should ensure that the management information systems translate the measured risk from a technical and quantitative format to one that can be easily read and understood by senior managers and directors, who may not have specialized and technical knowledge of trading activities and derivative products. Risk exposures arising from various products within the trading function should be reported to senior managers and directors using a common conceptual framework for measuring and limiting risks. 


The trading institution should have personnel with sufficient expertise to understand the financial instruments and maintain the management information system. Reports should be updated to reflect the changes in the business environment. Institutions that develop their own applications should have adequate staff to alter and test current software. Also, the implementation of automated reporting systems is not a substitute for an adequate reconcilement procedure that would ensure the integrity of data inputs. The system must be independently audited by personnel with sufficient expertise to perform a comprehensive review of management reporting, financial applications, and systems capacity. 


Worldwide deregulation of financial markets combined with the latest tools in information technologies have brought capital markets together so that geographic financial centers are no longer as important. Access to markets on competitive terms from any location is made possible by instantaneous worldwide transmission of news and market information. To manage their risk-management process in the current financial and technological environment, financial institutions are more readily prepared to incorporate the latest communications systems and database management techniques. In addition, new financial concepts are rapidly becoming standard practice in the industry, made possible by powerful computing tools and communications systems. 

Some capital-markets instruments require information technologies that are more complex than those used for more traditional banking products, such as loans, deposits, and standard foreign-exchange transactions. Indeed, a department developing specialized trading products and their supporting systems is often viewed by senior management as the laboratory for the financial institution. For financial institutions active in capital markets, conducting business in a safe and sound manner depends on the successful integration of management information systems into the daily processes of market- and credit-risk management; transaction processing; settlement; accounting; and financial, regulatory, and management reporting.

Examiners should evaluate the processes of software development, technical specifications, database management, local area networks, and communication systems. Access to the automated systems should be adequately protected. If the organization uses PCs, a written policy to address access, development, maintenance, and other relevant issues should exist. Given the specialized management skills and heightened sophistication in information technologies found in many trading rooms, an evaluation of systems management should be incorporated into the overall assessment of management and internal controls. A full-scope examination of these areas is best performed by specialized electronic data processing examiners. However, a general review of these processes must also be incorporated in the financial examination. 

For examination purposes, the scope of the review should be tailored to the functionality of the management information system as opposed to its technical specifications. Functionality refers to how well the system serves the needs of users in all areas of the institution, including senior management, risk management, front office, back office, financial reporting, and internal audit. The organization should have flow charts or narratives that indicate the data flow from input through reporting. The comprehensiveness of this information, however, will depend on the level of reporting necessary for the institution. 

An important aspect of evaluating information technology is the degree to which various systems interface. For purposes of this discussion, automated systems refers to the collection of various front-office and control systems. Financial institutions relying on a single database of client and transaction files may have stronger controls on data integrity than those with multiple sources of data. However, rarely does a single automated system handle data entry and all processing and control functions relevant to all over-the-counter and exchange-traded instruments used by an institution. The group of systems used may be a combination of systems purchased from vendors and applications developed in-house by the firm's software programmers. Standard instructions should be set within the automated systems. The organization should identify which instructions may be overridden and under what circumstances. 

The organization should give planned enhancement or development projects appropriate priority, given management's stated goals and capital-markets activity. Third-party vendors should be provided with adequate lead time to make changes to existing programs. Sufficient testing should be performed before system upgrades are implemented. 

When consolidating data derived from multiple sources, the institution should perform controls and reconciliations that minimize the potential for corrupting consolidated data. If independent databases are used to support subsidiary systems, then reconciliation controls should be evident at each point that multiple data files are brought together. Regardless of the combination of automated systems and manual processes, examiners should ensure that appropriate validation processes are effected to ensure data integrity. 

Not all financial institutions have the same automation requirements. For institutions with limited transaction volume, it is not cost effective to perform risk-management reporting in an automated environment, and most analysis can be handled manually. When volumes increase such that timely risk monitoring can no longer be handled manually, then automated applications may be appropriate. 


A key element of the management information system of trading operations is models and algorithms used to measure and manage risk. The frequency and extent to which financial institutions should re-evaluate their models and assumptions depend, in part, on the specific risk exposures created by their trading activities, the pace and nature of market changes, and the pace of innovation with respect to measuring and managing risks. At a minimum, financial institutions with significant capital-markets and trading activities should review the underlying methodologies and assumptions of their models at least annually, and more often as market conditions dictate, to ensure that they are appropriate and consistent for all products. Such internal evaluations may, in many cases, be supplemented with reviews by external auditors or other qualified outside parties, such as consultants who have expertise with highly technical models and risk-management techniques. 

When introducing a pricing model, it is imperative that adequate testing of the algorithm be performed by systems personnel with appropriate sign-off by model users (traders, controllers, and auditors). In practice, pricing models for the most heavily traded financial instruments are well tested. Financial algorithms for complex, exotic products should be well documented as part of the policies and procedures manual and functional specifications. Hazards are more likely to arise for instruments that have non-standard or option-like features. The use of proprietary models that employ unconventional techniques that are not widely agreed upon by market participants should lead to further questioning by examiners. Even the use of standard models may lead to errors if the financial tools are not appropriate for a given instrument. 


The development of new products is a key feature of capital-markets and trading operations. The general risks associated with new products should be addressed through the new product-approval process. In reviewing financial applications, examiners should evaluate whether the current tools quantify and monitor the range of relevant exposures. New applications require special review and additional measures of control. In the absence of a model that provides a reasonable simulation of market price, the risk-management, control, and audit areas should be responsible for developing an appropriate valuation methodology. Non-standard software applications should proceed through the institution's software development process for testing before implementation. They should not be released for actual business use until validation and sign-off is obtained from appropriate functional departments. 

Parameter Selection and Review 

Examiners should ensure that financial institutions have a process whereby parameters used in valuation models depend on rigorous statistical methods and are updated to reflect changing market conditions. To the extent possible, the results derived from statistical methods should be validated against available market information. 

Models that incorporate assumptions about underlying market conditions or price relationships require ongoing monitoring. Input parameters such as volatility, correlations between market prices, interest rates and currencies, and prepayment speeds of underlying mortgage pools require frequent review. For example, volatility quotes may be compared to those in available published sources, or from implied volatilities derived from a pricing model using current market prices of actively traded exchange-listed options. Mortgage securities prepayment assumptions can be compared to vectors provided by the dealer community to automated services or to factors provided by third-party vendors. 

Examiners should evaluate the ability of an institution's model to accommodate changes in assumptions and parameters. Institutions should conduct "what-if" analyses and tests of the sensitivity of specific portfolios or their aggregate risk position. Examiners should expect the risk-management and measurement system to be sufficiently flexible to stress test the range of portfolios managed by the institution. Any parameter variations used for stress tests or what-if analyses should be clearly identified. These simulations usually summarize the profit or loss given a change in interest rates, foreign exchange rates, equity or commodity prices, volatility, or time to maturity or expiry.


Management reporting summarizes day-to-day operations, including risk exposure. The financial institution's goal and market profile will be reflected in the reporting format and process at the operational level. These reporting formats should be evaluated for data integrity and clarity. Examiners should determine if reporting is sufficiently comprehensive for sound decision making. 

In addition, reports are used to provide management with an overall view of business activity for strategic planning. Overall management reporting should reflect the organizational structure of the institution and the risk tolerance of senior management. Examiners should expect reports to aggregate data across geographic locations when appropriate and segregate positions by legal entity when appropriate. Examiners may find that periodic reporting is provided to management on market-limit and credit-line utilization. Management uses these to re-evaluate the limit structure, relate risks to profitability over a discrete period, evaluate growing businesses, and identify areas of potential profit. Management reporting also should relate risks undertaken to return on capital. In fact, management information systems should allow management to identify and address market, credit, and liquidity risks. See sections 2010.1, 2020.1, and 2030.1 on market, credit, and liquidity risk, respectively. 

Management reports will usually be generated by control departments within the institution, independent from front-office influence. When front-office managers have input to reports, the senior managers should be well aware of potential weaknesses in the data provided. Risk reporting should be assessed and performed independently of the front office to ensure objectivity and accuracy and to prevent manipulation or fraud. However, if the back office uses databases and software programs that are independent from those used in the front office, it needs to perform a periodic reconciliation of differences. For financial institutions operating in a less automated environment, report preparation should be evaluated in terms of timeliness and data accuracy. Cross-checking and sign-off by the report preparer and reviewer with appropriate authority should be evident. 

Each financial institution will define the acceptable trade-off between model accuracy and information timeliness. As part of their appraisal of risk management, examiners should review the frequency and accuracy of reporting against the institution's posture in the marketplace, volume of activity, aggregate range of exposures, and capacity to absorb losses.

Operations and Systems Risk 
(Management Information Systems) 

Examination Objectives 

1. To determine the scope and adequacy of the audit function for management information systems and management reporting. 

2. To determine if the policies, practices, procedures, and internal controls regarding management information systems and management reporting are adequate. 

3. To ensure that only authorized users are able to gain access to automated systems. 

4. To evaluate computer systems, communications networks, and software applications in terms of their ability to support and control the capital-markets and trading activities. 

5. To determine that the functions of automated systems and reporting processes are well understood by staff and are fully documented. 

6. To determine that software applications pertaining to risk reporting, pricing, and other applications that depend on modelling are fully documented and subject to independent review. 

7. To determine that the automated systems and manual processes are designed with sufficient audit trails to evaluate and ensure data integrity. 

8. To ensure that reports are fully described in functional specifications and are also included in the policies and procedures of the respective user departments. 

9. To determine whether management reporting provides adequate information for strategic planning. 

10. To determine that risk-management reporting summarizes the quantifiable and non-quantifiable risks facing the institution. 

11. To determine whether financial performance reports are accurate and sufficiently detailed to relate profits to risks assumed. 

12. To evaluate summary reports on operations for adequacy. 

13. To recommend corrective action when policies, practices, procedures, internal controls, or management information systems are deficient. 

Examination Procedures 

These procedures represent a list of processes and activities that may be reviewed during a full-scope examination. The examiner-in-charge will establish the general scope of examination and work with the examination staff to tailor specific areas for review as circumstances warrant. As part of this process, the examiner reviewing a function or product will analyze and evaluate internal-audit comments and previous examination workpapers to assist in designing the scope of examination. In addition, after a general review of a particular area to be examined, the examiner should use these procedures, to the extent they are applicable, for further guidance. Ultimately, it is the seasoned judgment of the examiner and the examiner-in-charge as to which procedures are warranted in examining any particular activity. 

1. Obtain copies of internal and external audit reports for MIS and management reporting. Review findings and management's responses to them and determine whether appropriate corrective action was taken. 

2. Obtain a flow chart of reporting and systems flows and review information to identify important risk points. Review policies and procedures for MIS. Review the personal computer policy for the institution, if available. 

3. Determine the usage of financial applications on terminals that are not part of the mainframe, minicomputer, or local area network. For instance, traders may use their own written spreadsheet to monitor risk exposure or for reconciliation. 

4. Obtain an overview of the system's functional features. Browse the system with the institution's systems administrator. Determine whether passwords are used and access to the automated system is restricted to approved users. 

5. Review a list of ongoing or planned management information systems projects. Determine whether the priority of projects is justified given management's strategic goals and recent mix of business activity. 

6. From the systems overview, ascertain the range of databases in use. Some system architecture may use independent databases for front office, back office, or credit administration. Determine the types of reconciliations performed, frequency of database reconciliation, and tolerance for variance. The more independent databases are, the more the potential for data error exists. 

7. Determine the extent of data-parameter defaults, for example, standard settlement instructions to alleviate manual intervention. Determine the extent of manual intervention for transaction processing, financial analysis, and management reporting. 

8. Review the policies and procedures manual for reporting requirements for management. 

9. Determine whether the automated and manual processes have sufficient audit trails to evaluate and ensure data integrity for the range of functional applications. Determine how control staff validates report content and whether the report content is well understood by the preparer.

10. Determine whether the processing and production of reports is segregated from front-office staff. When the front office has influence, how does management validate summary data and findings?

11. Review the functional applications such as credit administration, trade settlement, accounting, revaluation, and risk monitoring to determine the combination of automation and manual intervention for management reporting. Compare findings with examiners reviewing specific products or business lines. 

12. Determine whether the documentation supporting pricing models is adequate. Determine whether "user instructions" provide sufficient guidance in model use.

13. Determine whether the range of risk-management reports is adequately documented in terms of inputs (databases, datafeeds external to the organization, economic and market assumptions), computational features, and outputs (report formats, definitions). Evaluate the documentation for thoroughness and comprehensiveness. 

14. Determine whether the range of reports (risk management, financial performance and operational controls) provides valid results to evaluate business activity and for strategic planning. 

15. Recommend corrective action when policies, practices, procedures, internal controls, or management information systems are deficient. 

Internal Control Questionnaire 

1. Is the scope of the audit coverage comprehensive? Are audits for management information systems and reporting available? Are findings discussed with management? Has management implemented timely corrective actions for deficiencies? 

2. Do policies and procedures address the range of system development and technical maintenance at the institution, including the use of outside vendors and consultants? Does the institution have a comprehensive personal computer policy? If the organization uses PCs, is there a written policy to address access, development, maintenance, and other relevant issues? 

3. Do the new product policies and procedures require notification and sign-off by key systems development and management reporting staff? 

4. Are there functional specifications for the systems? Are they adequate for the current range of automated systems at the institution? Do they address both automated and manual input and intervention? 

5. Does the organization have flow charts or narratives that indicate the data flow from input through reporting? Is this information comprehensive for the level of reporting necessary for the financial institution? 

6. Is access to the automated systems adequately protected? 
a. Do access rights, passwords, and logon IDs protect key databases from corruption?
b. Are "write or edit" commands restricted to a limited set of individuals?
c. Are specific functions assigned to a limited set of individuals? Are access rights reviewed periodically? 
d. Does the system have an audit report for monitoring user access? 
e. Is access logon information stored in records for audit trail support? 

7. Is management information provided from mainframe, minicomputers, local area networks (multi-user personal computer networks), or single-user personal computers or a combination of the above? 

8. Are third-party vendors provided with adequate lead time to make changes to existing programs? Is sufficient testing performed before system upgrades are implemented? 

9. Do planned enhancement or development projects have appropriate priority, given management's stated goals and capital-markets activity? 

10. Identify the key databases used for the range of management reports. 
a. Are direct electronic feeds from external services such as Reuters, Telerate, and Bloomberg employed? How are incomplete datafeeds identified? Can market data be overridden by users? How does the institution ensure the data integrity of datafeeds or manually input rates, yields, or prices from market sources? 
b. Are standard instructions set within the automated systems? Can these be overridden? Under what circumstances? 
c. For merging and combining databases, how does the institution ensure accurate output? 
d. What periodic reconciliations are performed to ensure data integrity? Is the reconciliation clerk sufficiently familiar with the information to identify "contaminated" data?

11. Does the institution have a model-validation process? Does the organization use consultants for model development and validation? Are these consultants used effectively? Are the yield curve calculations, interpolation methods, discount factors, and other parameters used clearly documented and appropriate to the instruments utilized? Regardless of the source of the model, how does management ensure accurate and consistent results? 

12. Does the system design account for the different pricing conventions and accrual methods across the range of products in use at the financial institution? Evaluate the range of system limitations for processing and valuation across the range of products used by the institution. Assess the possible impact on accuracy of management reporting. 

13. Is management reporting prepared on a sufficiently independent basis from line management? Is management reporting adequate for the volume and complexity of capital-markets and trading activities for the types of reports listed below? Are reports complete? Do they have clear formats? Are the data accurate? Are exceptions highlighted? Is appropriate segregation of duties in place for report preparation? Are there reports for the following: 

a. Market-risk exposure against limits? 
b. Credit-risk exposure against limits? 
c. Market-liquidity risk exposure against limits? 
d. Funding-liquidity risk exposure against market demand? 
e. Transaction volumes and business mix? 
f. Profit and loss? 
g. Other risk exposures and management information reports? 

14. Do reports reflect aggregation of data across geographic locations when appropriate? 

15. Do reports segregate positions by legal entity when appropriate? 

16. Determine whether the system for measuring and managing risk is sufficiently flexible to stress test the range of portfolios managed by the institution. Does the system provide usable and accurate output? If the institution does not perform automated stress testing, what process is used to minimize quantifiable risks in adverse markets? 

17. Are parameter variations used for stress tests or "what-if" analyses clearly identified?

18. Does management reporting relate risks undertaken to return on capital? 

19. Do reports provide information on the business units that is adequate for sound strategic planning? Are profitable and unprofitable businesses clearly identified? Does management have adequate information? 

