Risk Management (M11)

Preview

About this topic
Risk management cuts to the core of compliance. In this topic, we examine risk
management generally and then look specifically at risk management in a fiduciary
relationship. We then consider the process and procedure of risk management before
describing some of the tools which can be utilised to manage risk. We conclude this
topic with a discussion of the ethics involved.
Topic Objectives
At the end of this topic, you should be able to:

  • define risk management
  • explain the principles of risk management
  • describe the relationship between risk management, corporate governance and
    compliance
  • list and describe the different types of risk
  • explain risk management in a fiduciary relationship
  • describe risk management infrastructure
  • explain assessment and disclosure of risk
  • discuss the various tools for risk management

1 Introduction to Risk Management
1.1 Definition

Rescher, in his book Risk: A Philosophical Introduction to the Theory of Risk Evaluation
and Management, 1993, defines risk as “…the chancing of a negative outcome. To
measure risk we must accordingly measure both of its defining components, the
chance and the negativity.”

The combination of a “chance” happening and the impact of the “negativity”
produces the effect of a “risk”. Gratt, in Uncertainty in Risk Assessment,
Risk Management and Decision Making, 1987, defines this combination as “…the
expected result of the conditional probability of the event occurring times the
consequences of the event times the consequences of the event given that it has
occurred”.

Risk, therefore, indicates to us the probability of a certain event happening and the
negative effect of such an event if it happens. If an action or inaction has a high
probability that it will lead to a negative outcome, then we call that action or inaction
“highly risked”.

Through experience, we become aware of actions or inactions that are either
high-risked or low-risked. In the market, the evaluation of risk and the steps taken to
protect a firm from risk are called “risk management”.

1.2 Risk management principles

By and large, the best risk management systems are based upon common sense. Here
are some basic principles that a firm should have:

• a sound philosophy toward risk;

• a sound knowledge and understanding of the business by Management and
Board of Directors;

• an appropriate person to formulate guidelines and policies, approved by the
Board of Directors;

• a strong risk management culture;

• a commitment to ensuring the integrity of the risk management systems;

• separation of duties between those who generate risk and those who manage and control it;

• limits on the use of certain financial instruments;

• prudent valuation procedures, particularly for derivatives;

• implementation of limits for particular types of dealings; and

• frequent reporting to the Board on financial exposures.

The article in Appendix 1 examines three risk management failures and concludes that risk control is also about learning the lessons of past errors.

1.3 Relationship between risk management, corporate governance
and compliance

The activities of a firm involve taking risk. In trying to maximise profits, firms sometimes take risks beyond their capability; this has resulted in the failure of firms and, in some cases, has led to systemic failure. How much risk a firm undertakes, and its effect on the firm and the market, is an issue not only for the risk manager but also for corporate governance and compliance.

The market is made up of different categories of clients — from those wishing to take high risks with the expectation of high returns at one end, to clients who want a long term stable return. Because of the differences in demand, the regulators cannot dismiss a product that represents higher risks than normal. A firm will participate in
products that have a high risk, if it is of the opinion that it can manage the negative outcome and it desires the above-average profit.

In performing his/her functions, the Compliance Officer is also faced with a number of risks, namely legal, reputational, operational and ethical risks. In this context, the Compliance Officer needs to assess the risks involved in the operations of the firm to avoid, for example, legal risk. To achieve this, the Compliance Officer must put in the compliance programme steps or processes that will protect the operations from
breaching regulatory requirements.

The function of a Compliance Officer, however, does not replace that of a Risk Manager. The Compliance Officer, in performing risk management, complements the task of the Risk Manager. While the Compliance Officer deals with legal or reputational risk, the Risk Manager evaluates and oversees other risks. In practice, when a firm wants to introduce a new product into the market, it should consult the Compliance Officer to ensure the proposed product is within or fulfills the regulatory
requirements. Once the Compliance Officer approves the product, it should be submitted to the Risk Manager. The Risk Manager will evaluate other risks such as market risk, credit risk and/or liquidity risk.

Risk management and corporate governance

Corporate governance highlights this issue from the perspective of disclosure. In the capital market, there have been cases where the exposure of a company to high-risk products has led to excessive losses and, in some cases, the collapse of the company and, in turn, major losses for investors. The possibility of systemic risk may be reduced by enhancing corporate governance and disclosure.

Disclosure of their risk level by companies may assist in reducing the possibility of systemic risk. When the public is informed, either through financial statements or the media, investors will be able to evaluate the quality of their investment. Investors who feel that the company is too risky may sell off their interest or change their investment decision. While Risk Managers may feel that the company can afford the risk, the investor may think otherwise. Hence, disclosure creates a check and balance in the company.

The Basel Committee recommends the following in relation to risk management:

(a) appropriate oversight by the Board of Directors and senior management;

(b) adequate risk management process that integrates prudent risk limits, sound measurement procedures and information systems, continuous risk monitoring and frequent reporting; and

(c) comprehensive internal controls and audit procedures.

The role of the Board of Directors in relation to risk management includes:

(d) approval of risk management policies and procedures;

(e) ensuring that the level of risk is effectively managed; and

(f) ensuring that risk exposures are reported directly to the Board of Directors and Management.

Compliance, in this context, complements not only Risk Managers but also assists and advises the Board of Directors and Management in the formulation of policies and procedures as well as assisting the regulators. Compliance Officers may advise Risk Managers and Management on the matters which must be disclosed. At the same time, Compliance Officers may advise on the capital requirement level and indicate to the Risk Managers and Management when the activities of firms have breached the safety net of the firm. Monitoring, therefore, is important when dealing with high-risk issues. The Compliance Guidelines for Futures Brokers contains information on types of risk management of exchange-traded derivatives.

1.4 Concept of risk

There are many different types of risks which are relevant to a firm. Some of these are:

Market risk

This is a risk associated with adverse movements in prices caused by overall movements in the market. There is the potential for gain or loss from changes in market prices. Within this area can be included sector and specific entity risk, which refer to adverse movements in a sector or in a specific entity's prices caused by factors unique to the sector or the entity itself.

Liquidity risk

One type of liquidity risk is that market positions cannot be or cannot easily be unwound due to inadequate market depth or because of disruptions in the market place, known as market liquidity. The other type is known as funding liquidity and refers to the risk that funds are unable to be raised to meet payment obligations on settlement date or in the event of margin calls.

Credit risk

Credit risk is the risk that a debtor will not or cannot perform a contracted obligation, negating a transaction or denying revenue. This risk is particularly relevant to derivatives dealings.

A risk that affects all aspects of business is that of non-fulfillment by a trading partner of its obligations on due date or at all. In relation to loans, bonds and currency trading, the counterparty must repay the full amount of the investment. The amount of risk relates to the principal amount. However, derivatives derive their value from some underlying index or asset and their credit risk relates not to the principal amount, but
to the replacement cost. This replacement value fluctuates. Therefore, for derivative dealers, counterparty credit risk is very significant.

Credit risk needs to be assessed prior to entering into a transaction with a particular counterparty. Assessment of this risk would take into account that party’s capital adequacy, debt/equity ratio, its assets/liabilities ratio, its earnings ratio and the types of assets it holds and liabilities incurred. Credit risk can be controlled by evaluating the counterparty both before and at settlement and by setting credit limits for each
counterparty with which the firm conducts business. Credit exposure should be monitored continuously and constantly compared with approved limits. An
independent credit risk management team could perform these functions.

Settlement Risk

Settlement risk is the risk that payment is not made in time for the settlement of a transaction. Settlement risk is the risk that a settlement in a transfer system does not take place as expected, usually because one party defaults in its clearing obligations. It comprises both liquidity and credit risks. In this context the liquidity risk is that a
counterparty will not settle for full value on the due date and so the shortfall must be financed at short notice. Credit risk, in this context, arises when a counterparty does not meet the obligation because it is insolvent.

Settlement risk affects all types of assets and instruments which must be transferred within a system from one party to another. Settlement risk is most prominent in currency trading.

An example of settlement risk is the failure of Bankhaus Herstatt in 1974.
Counterparties of the bank had paid Deutschemarks during the day believing they would receive US dollars later in the same day in New York. However, the bank’s banking licence was withdrawn and all outgoing US dollar payments were suspended. The counterparties were left fully exposed to the value of the Deutschemarks which they had paid earlier in the day. This type of settlement risk, where a party in a foreign exchange trade does not receive the currency it has bought, although it has already paid, is also called foreign exchange settlement or cross-currency settlement risk.

Appendix 2 to the Basel Committee Report entitled Supervisory Guidance for Managing Settlement Risk in Foreign Exchange Transactions (1999) contains a summary of best practices for controlling settlement risk.

In the context of settlement of securities traded on a stock exchange, the 1987 sharemarket crash prompted the creation of the delivery-versus-payment system (whereby both parties receive irrevocable funds or transfer of title simultaneously) in conjunction with automated clearing systems and central securities depositories, as the best way of eliminating principal risk. The settlement process needs to be monitored on a daily basis with daily reporting of overdue payments to management.

Operational risk

Operational risk is the risk that deficiencies in the effectiveness and accuracy of a firm’s information systems or internal controls result in material loss. There is the potential for gain or loss arising from a procedural or operational failure. Care must be taken to ensure that all transactions are authorised and that decisions are implemented on a basis which is consistent with the rationale for the initial decision.

This risk goes to the heart of the organisational structure and encompasses delegation of functions and a clear definition of relationships between professionals within an organisation.

Contingency plans, in particular a disaster recovery plan, should be in place to ensure that business continuity is not impaired by any failure in the systems in use.

An example of operational risk and its consequences is Daiwa Bank. In 1995, it was discovered that in the New York branch of Daiwa Bank, a bond trader concealed US$1.1 billion in trading losses. The losses were the result of 11 years of unauthorised trading in US Government securities which were able to be concealed in the accounting books because the trader controlled both front and back-office activities.

The incident subsequently raised Japan’s fund-raising costs as it suggested other concerns about Japanese banks’ risk management systems. It is alleged that the cause of the loss was a loose risk management system and inadequate inspections by Japan’s monetary authorities. The incident highlighted the urgent requirement for effective, independent control on trading activities and stricter trading guidelines.

Daiwa Bank’s auditing system was criticised for not focusing on a risk control environment for a transaction in a specific instrument, and the guidelines for weak auditing procedures. Rather, the auditing system tended to focus on issues such as whether a document had all the appropriate signatures.

Another example of deficiencies in internal control is Societe Generale, where its trader, Jerome Kerviel, had created a large fraudulent position beyond his authority, causing the bank to lose €4.9 billion (an equivalent of US$7.2 billion at the exchange rate at that time).

Reputation risk

Reputation risk is essentially the risk that an organisation’s reputation or good name in the market (or with the regulators) will be jeopardised or impacted by a certain activity or behaviour undertaken or blow suffered. This is the risk that business line dealings may result in litigation by counterparties or precipitate investigations by regulatory authorities. Reputation risk may lead to a decline in business resulting from the integrity of the organisation being called into question following publicity associated with the litigation or investigation.

It is important to recognise that adverse publicity, whether true or not, about a firm’s people or practices can impact harshly and quickly on earnings and customer base.
This can result from the actions of just one staff member, even if they did not have the endorsement of the firm, although often the market or regulators will view a renegade operator’s activities as being tolerated (at worst) or inadequately controlled (at best) by the organisation. The Bernard Madoff case is an example of an individual’s unethical behaviour resulting in a significant problem. Another good example is the Nick Leeson/Barings case where there was a combination of organisational control breakdowns and individual unethical behaviour which led to the collapse of Barings.

In considering reputation risk, consider this question and answer which appeared in
an article entitled, ‘Ethics is good business’ in Buildings: The Facilities and Construction
and Management Magazine, September 1997:

In today’s society, the survival of a business often depends on whether it has a good name. And whether it will earn a good reputation largely depends on its ethics. To illustrate that point, Jeffrey W. Land… poses this question: If you had to do business with one of two companies with equal qualifications, but one had conducted business unethically in a situation five years ago and one had not, which would you choose? I think you’d have to go with the one that didn’t have a track record of a problem

Legal risk

This is risk arising from a legal or compliance failure. There are essentially two categories of legal risk: the risk that you are not complying with your legal obligations and the risk that the legal rights you have assumed will not be wholly enforceable. An example is that a contract is not legally enforceable or correctly documented. This can
lead to a firm being unable to recover losses from a counterparty. This most often occurs when a counterparty acts outside its authority when entering into a transaction, particularly in relation to derivatives. The case of Hazell v Hammersmith & Fulham LBC [1991] 2 WLR 372 is an example of a counterparty not having legal power or authority to enter into the transaction or arrangement. In that case, it was held that swap transactions which were entered into by a local government authority were
outside of its powers (ultra vires). As a result, the bank counterparties were unable to enforce them. See Appendix 2 for a detailed explanation of the Hazell v Hammersmith case.

Another example of legal risk is the risk of a withdrawn licence to operate in the market because of a breach of licence conditions.

Legal risk can also arise in cross-border securities dealings which may be subject to
dual regulation by exchanges or regulators. The requirements may be conflicting in
different jurisdictions. If this forms a part of a firm’s business, then overseas or global
market initiatives will need to be monitored and adopted to the extent appropriate
within the compliance framework. An example of this was the publication in 1993 of the Group of Thirty (G30) recommendations in its study, Derivatives: Practices and Principles. These recommendations have largely been endorsed by financial markets globally and have addressed senior management responsibilities, market and credit risk measurement and management policies, use of master agreements, accounting and disclosure practices.

Ethical Risk

The definition of ethics and the identification of ethical issues or risks is a highly specialised area of research and thought beyond the scope of this forum. However, the consideration of relevant ethical issues and risks should always form part of any comprehensive risk management system.

In its simplest form, in the context of this course, ethical risk is the risk an organisation faces that they or their representatives, will engage in conduct or activities which are unethical. Where such conduct is in fact ethical but gives the appearance of being unethical, this falls more squarely into the category of reputation risk. The question as to what would be considered unethical as opposed to ethical behaviour can be highly subjective and dependent upon a wide range of factors.

Self-assessment Exercise

If the Memorandum and Articles of Association of a firm allows it to borrow and raise money in such manner as the firm thinks fit, which of the following is the MOST important type of risk that the firm should consider?

A. Ethical risk
B. Legal risk
C. Market risk
D. Credit risk

1.5 Analysis and assessment of risk
An efficient system of internal controls will not eliminate risk completely, but will help a firm detect and quantify inherent risks in a timely manner. In so doing, the firm then gains valuable time to plan and respond to the risk.

In order to manage risk, the risk must first be identified and understood. An assessment of the risk needs to be weighed against the costs of non-compliance in deciding what measures will be implemented or action taken. Some risks can be difficult to define, measure or quantify but risk management requires that they be identified and assessed as much as possible, in the context of their materiality, probability and the potential consequences. This is referred to as risk-based compliance. Having identified and assessed the risk and decided upon a method for its management, it must then be monitored.

1.6 Systemic risk
Regulation is aimed at minimising the risk of default by one institution leading to defaults in the entire market or other markets or both. This risk is known as systemic risk, which has been defined by the Bank for International Settlements as “the risk that a disruption, whether at a firm, a market segment or across markets, will cause widespread difficulties at other firms, in other market segments or in the financial system as a whole”.

The concern for systemic stability arises from the speed at which the capital markets function today and the size of the funds involved. The symbiotic relationship that evolved from these two elements has caused a higher possibility of a system-wide domino effect in the event of default by an element in the capital market. The maintenance of fair, efficient and safe markets will better manage systemic stability and enhance the financial integrity of the capital markets.

The increasing complexity, internationalisation and inter-linking of the financial markets has compounded the issues involved in ensuring systemic safety. Presently, it is common to have firms operating in more than one jurisdiction and selling more than one type of product.

There is the potential for systemic risk arising from the gap among markets and institutions which operate globally. The need for a reliable legal framework for international transactions is discussed in the report by the G30 on how to reduce systemic risk, entitled Global Institutions, National Supervision and Systemic Risk (1997). This report considers that in order to reduce systemic risk, an effective and comprehensive global framework of management controls needs to be developed for global institutions to manage risk.

The failure of one institution can threaten systemic safety because it could cause a complete breakdown in the financial system due to the extensive links in today’s markets. An example is the rescue by the US Federal Reserve Bank of the hedge fund Long-Term Capital Management (LTCM) in 1998. The rescue was organised for fear that the collapse of LTCM, which had market exposures of US$200 billion compared with a capital base of around US$4.8 billion, would create havoc in the financial markets. The US President’s Working Group on Financial Markets, in its report entitled
Hedge Funds, Leverage and the Lessons of Long-Term Capital Management (1999) noted:

The events in global financial markets in the summer and fall of 1998 demonstrated that excessive leverage can greatly magnify the negative effects of any event or series of events on the financial system as a whole… The principal issue arising out of the events… is how to constrain leverage. By increasing the chance that problems at one financial institution could be transmitted to other institutions, excessive leverage can increase the likelihood of a general breakdown in the functioning of financial markets.

LTCM is looked at in more detail in Topic 6. Other examples of systemic risk are the 1987 stock market crash and the 2007-2009 financial crisis, both of which are looked at in more detail in Topic 6.

The collapse of Barings in 1995, the oldest merchant bank in the United Kingdom,
was also capable of triggering a major systemic shock and consequent disruption. The main reason that it did not produce such an effect was due to the relevant regulatory bodies working together. As the primary cause of the Barings collapse was a lack of internal control systems, it illustrates the importance of strong internal risk management systems in the promotion of systemic safety.

2 Risk Management in a Fiduciary Relationship

A fiduciary is a person to whom property or power is entrusted for the benefit of
another. A fiduciary relationship exists, for example, between a fund manager and its
clients. The fiduciary relationship toward the clients also extends to the directors and
employees of the firm.

As a fiduciary, the firm (and its directors and staff) therefore owes various duties to its
clients, including:

• a duty of loyalty;
• a duty to act in good faith; and
• a duty to avoid conflict of interest.

Risk management denotes the supervision of the fiduciary relationships existing within
a firm. Some of these relationships have their origins in common law, or are contained
in legislation and regulations in broad terms, such as “a duty to avoid conflict of
interest”. However, as part of managing risks in relation to fiduciary duty the specific
duties must be identified and steps must be taken to ensure that they are not breached.

The IOSCO report entitled “Market Intermediary Management of Conflicts that Arise in Securities Offerings” sets out guidelines for both the regulators and market participants when considering how to address conflicts of interest. This report can be accessed at www.iosco.org. The Securities Commission Malaysia’s (SC) Guidelines on Market Conduct and Business Practices for Stockbrokers and Licensed Representatives also address conflicts of interest and how to manage them.

Here are some illustrations in the context of fund management.

Fund managers usually act for several investor clients at the same time. Consequently,
a particular investment opportunity that is limited in availability (e.g. a new issue or a
discrepancy in the market price of a thinly traded security) may need to be handled
carefully to avoid an accusation that the fund manager failed to act in good faith
towards the clients. Through the markets, a client may transact with another client
under the advice of the same fund manager. Where such transactions are negotiated
off-market between two clients of the same fund manager, there is a risk of conflict
of interest which may, if unrecognised, give rise to a high risk of breach of fiduciary
obligations. To proceed with such transactions, subject to a conflict of interest, the
fund manager is duty-bound to disclose the basis of such transactions to each client.

The “duty to avoid a conflict of interest” is pertinent when a fund management
company transacts client business through a related corporation, such as a stockbroker
which is a related company to the fund management company. For example, the fund
management company may be remunerated, or may receive a share of commission,
as a result of that transaction. Such a transaction should be declared to the clients.

Another example of possible conflict of interest is the acceptance of soft commissions.
Also, share allocation offered to a fund manager for its clients should not be taken up
by the fund manager as principal (or by staff) since this would also be a conflict of
interest and a fund management company should not compete with the clients.


Self-assessment Exercise 2

Which of the following should be included in a firm’s compliance programme to manage risk?
I. Policy and process on managing conflict of interests
II. Contents of training programmes on risk management
III. Clear definition of relationships between staff within the firm
IV. Policy and process on “know your product” and “know your client”

A. I and IV only
B. II and III only
C. I, III and IV only
D. All of the above

3 Risk Management Infrastructure

3.1 Risk management infrastructure

For a firm to achieve efficient risk management, there must first exist an effective risk
management infrastructure. The core principle of this infrastructure is the separation
of powers or functions. This principle may be implemented by having the
responsibility for monitoring and controlling risk, including that of the back-office,
accounting and auditing operations, independent of those involved in the actual
trading operations. Those involved in monitoring and controlling risk must also have
the skills, expertise and access to senior levels in the firm, to act as a viable check.

The important elements that provide a strong infrastructure are prevalent in securities
laws as well as the rules:

Separation of duties

It is fundamental that the duties of monitoring and actual trading be separated and
independent of each other. As mentioned in Topic 2, the Rules of Bursa Malaysia
Securities Berhad require a Participating Organisation to have at least three heads,
namely Head of Dealing, Head of Operations and Head of Compliance. The heads
appointed by a Participating Organisation must be approved by the SC and registered
with Bursa Malaysia Securities Berhad. In addition, the Rules of Bursa Malaysia
Securities Berhad require that the Head of Dealing holds a Capital Markets Services
Representative’s Licence for dealing in securities. The Head of Operations and Head of
Compliance, however, are not required to hold a Capital Markets Services
Representative’s Licence.

Where a firm is licensed to carry on the regulated activity of fund management, the
SC requires the firm to have a Compliance Officer who must not deal in securities,
derivatives or manage funds. This is to avoid potential conflicts of interest.

System adequacy

There must be an adequate system for data capture to be used for evaluation and
management of risk. Under the Rules of Bursa Malaysia Securities Berhad, all trading
of securities on the stock market maintained by Bursa Malaysia shall be effected
through the Automated Trading System (ATS). The ATS serves as data capture for trades
executed by a Participating Organisation. Once integrated into a Participating
Organisation’s back-office system, the data shall be arranged for specific purposes
and used for data evaluation. For example, the Rules of Bursa Malaysia Securities
Berhad state that a client’s outstanding balance in its margin account shall not
exceed 200% of the Effective Shareholders’ Funds of the Participating Organisation.
The data captured in the ATS, once integrated into the Participating Organisation’s
back-office system, is then arranged to create a compilation of clients’ balances that
can be viewed via the back-office system to manage the counterparty risk on a
real-time basis. At the end of the trading day, a report can be generated from the
back-office system, which can be used to evaluate the trading pattern of a particular client
with a view to preventing other risks, such as market, credit and settlement risks.

Limit structure

                 One  of the most  important safety nets against risk is the limit set against a firm. In all 
                 rules, there will be either a minimum capital adequacy requirement or adjusted net 
                 capital or shareholders fund  requirement that the firm must maintain. The limit 
                 structure ensures firms do not participate in activities that are beyond their financial 
                 capability or breach any statutory limit. In challenging times, the limit protects the firm 
                 from  the  "domino" effect. 

                 Reporting 

                 Reporting  by both the internal auditors and external auditors may be used as a tool to 
                 assess  the risk taken and the policies implemented by the firm. By having a structured 
                 line of reporting, errors can be minimised. Reporting is also a way for Risk Managers 
                 to highlight to the Compliance Officer  and senior management  possible default in the 
                 system. 

Reporting requirements can be either internal or external. Internally, firms should
ensure adequate reporting is done at the appropriate management levels regularly in
relation to financial and operational resources and efficient procedures necessary for
the proper conduct of its business. Efficient procedures would simply mean the need
of the firm to maintain comprehensive policies and procedures for each department,
specifying, for example, the line of reporting and duties of personnel involved.

External reporting requirements may arise from regulations or rules imposed by the
regulators. For example, the Rules of Bursa Malaysia Securities Berhad require a
Participating Organisation to submit to Bursa Malaysia the capital adequacy ratio
report within such time as Bursa Malaysia may from time to time stipulate. In
addition to the above-mentioned financial reporting requirement, this obligation
serves as a tool for Bursa Malaysia to manage risk of the stockbroking company's
inadequate financial standing as required under the Rules of Bursa Malaysia Securities
Berhad.

Disclosure

In Derivatives: Practices and Principles, a report by G30 (1993), recommendation 20
suggests that firms active in derivatives trading should publicly report:

  • information about management's attitude to financial risks, how instruments
    were used and how risks were monitored and controlled;
  • a statement of their accounting policies;
  • analysis of positions on the balance sheet date;
  • analysis of the credit risk inherent in those positions; and
  • additional information about the extent of their activities in financial
    instruments.

In Malaysia, the SC introduced the Guidelines on Sales Practices for Unlisted Capital
Market Products in December 2012 to ensure protection of investors' rights and
interests. One of the requirements of the Guidelines is to prepare a Product
Highlights Sheet (PHS), which is a disclosure document that contains clear and concise
information on the salient features of the unlisted capital market product. The PHS
seeks to facilitate an investor's understanding of the product and also promote
competition by enabling product comparisons to be undertaken by an investor.

Risk control assessments and disclosure

From time to time, the level of risk will change. In addition, new risks will emerge.
With the globalisation of the market, we are faced with time lag risk and knowledge
risk. Therefore, there must be a risk control assessment, to ensure all the mechanisms
and tools of risk management are working properly, and that it fulfills its functions
adequately. A risk control assessment may highlight a problem to the risk manager
and indicate a need for a tune-up in the risk management system. Risk control
assessment also provides senior management with feedback on how effective their
s are. From the regulatory perspective, risk control assessment provides
information to set the limit for the market and to assess the vulnerability of the
market.

As technological advances are being implemented and utilised in markets globally,
with them a new range of risk arises. A prime example of such a risk is the Year
2000 (Y2K) bug scare. Product innovation and improved communications systems
must be understood and managed appropriately and actively. Particularly with the
advent of trading and marketing over the Internet, close attention must be paid to the
accompanying legal risk of breaching:

  • licensing requirements in other jurisdictions;
  • copyright and trademark protections;
  • privacy laws (Banking & Financial Institutions Act 1989, Personal Data
    Protection Act 2010);
  • legislative or regulatory prohibitions within certain jurisdictions;
  • marketing and advertising standards (which can and do vary significantly
    between jurisdictions); and
  • security requirements (ensuring information cannot be altered or tampered
    with).

Till Guldimann in his article entitled ‘Changing industry, changing risks’, Risk, August
1998 p. 85, discusses risk in this ever-changing environment. The example he provides
is the malfunctioning of the US Galaxy IV satellite on 20 May 1998 which:

   ...for some — traders, investors, risk managers and a host of other market
   participants — 20 May was a painful and costly day that most had not
   anticipated. The lesson? That often, the most dangerous risks are those we
   never even think about. 20 May was an early warning signal for those who are
   on the lookout for risks, a search that must be unceasing for all of today's
   financial market participants. In general, the financial markets have made
   tremendous progress in the past decade or so in dissecting, quantifying and,
   ultimately managing risks. But a rapidly evolving global industry, linked by
   technology and characterised by non-stop innovation, is constantly creating
   new risks. And these demand new ways of thinking.

He concludes by noting that:

   There is no way to eliminate risk without eliminating opportunity: the challenge
   is to balance risk and reward, and in the face of new trends and new risks, that
   requires new ways of understanding and managing risks.

Here are a few suggested ways to deal with three core risks:

  • Accelerating trading volumes — Firms should re-engineer their trading and
    processing activities: adopt straight-through processes, contract off-site back-
    up systems and monitor processing-performance statistics as part of a
    continuous improvement programme. Many firms are already doing this.
  • Information network dependence — Firms should have back-up systems,
    analyse exposures to potential points of failure (such as a computer server) and
    design computer disaster recovery plans.
  • Liquidity dependence — Firms should stress-test risk model assumptions and
    monitor liquidity levels constantly (trading volumes and bid-offer spreads).
    Liquidity rarely evaporates overnight, and successful firms will be alert to early
    warning signs of its deterioration.


4 Tools for Risk Management

In general, most firms institute particular groups with responsibility for monitoring and
reporting on risks. The main control groups are typically:

  • Compliance: Acts as a control group to ensure that business dealings are
    conducted in accordance with regulatory requirements and to minimise legal
    risk.
  • Risk management control: This control group calculates sensitivity of
    exposure (i.e. risk of profit or loss) to potential market movements in the
    various markets.
  • Credit: This control group assesses the creditworthiness of counterparties and
    clients and sets monetary limits on business dealings that may be entered into
    with these counterparties.
  • Internal audit: This control function reviews internal accounting controls,
    settlement processes and computer systems to limit the potential for fraud or
    inadequate books and records.

The ambit of the regulation which impacts the securities industry is rapidly expanding
and becoming increasingly more complex. One of the tools for managing risk is to
remain up-to-date on all of the sources of obligations with which the firm needs to
comply. This would include legislation, exchange rules, policies and guidelines.
Legislation in this context also refers to any legislation which affects the firm's
business whether relating to, for example, consumer protection, taxation, accounting
records or employment.


Reviews

One of the important tools for risk management is the review of activities within the
firm. These reviews of, for example, clients’ accounts and transactions can highlight
areas of risk such as an undue concentration of certain types of transactions for a
particular client, margin rule issues either as to limit or frequent margin calls, unusual
patterns of trading, or other indicators of an increase in risk exposure of an account.
Reviews may help to reduce the likelihood of errors and breakdowns in controls,
improve the control of risk and the effectiveness of limit systems and prevent unsound
marketing practices and the premature adoption of new products or lines of business.

In addition, the regulator may also require the setting up of a specific risk
management department. For instance, the Rules of Bursa Malaysia Securities Berhad
require Participating Organisations to ensure the proper discharge of risk
management functions and that the risk management functions report to the risk
management committee.

For fund management companies, the SC requires that the Board of Directors
establish a risk management framework that is commensurate with the fund
management company’s business. A fund management company’s risk management
framework must include:

  • continuously identifying, assessing and monitoring the fund management
    company’s risks;
  • managing and monitoring risks assumed by the fund management company on
    behalf of its clients; and
  • mitigation actions to address such risks.

Market risk management

When establishing a system to measure market risk, there are a number of risk factors
which must be taken into account. A system needs to be sufficiently broad to take
account of all inherent risks. Some considerations to bear in mind are contained in a
paper published by the Basel Committee entitled, An Internal Model-Based Approach
to Market Risk Capital Requirements (1995).

Market risk may be managed through the use of the following three components:

  • mark-to-market valuation, which will reflect the current value of cash flows and
    provide information about market risk and appropriate hedging actions;
  • stress simulations of market portfolios taking into account extreme market
    movements with the results being evaluated and contingency plans developed;
    and
  • risk limits, applied by using a consistent measure of market risk and compared
    regularly with predetermined market risk limits.

Liquidity risk management

In order to control liquidity risk, the firm's liquidity demands for a particular period
need to be assessed as does the amount to be raised in the markets by the firm for
funding and managing this exposure.

Credit risk management

Credit risk management needs to address procedures for estimating potential future
credit exposures, setting limits on counterparty credit exposures, limiting the
concentration of credit exposures to particular counterparties or a particular market,
policies on the use of collateral and valuation practices for derivatives and collateral.
The Long-Term Capital Management (LTCM) case clearly demonstrates that collateral
cannot be a substitute for a comprehensive assessment of a counterparty. The Basel
Committee's paper, Sound Practices for Banks' Interactions with Highly Leveraged
Institutions (1999), which was prompted by LTCM's near collapse, states that "there
had not been an appropriate balance among the key elements of the credit risk
management process with an over reliance in collateralisation of market-to-market
procedures".

Credit risk is most efficiently managed by an independent credit risk management
team with responsibility for:

  (i)   approving credit exposure management standards;
  (ii)  setting credit limits and monitoring their utilisation;
  (iii) reviewing credit and concentration of credit risk; and
  (iv)  reviewing and monitoring risk reduction arrangements.

In relation to transactions on the Bursa Malaysia, credit risk management would
include complying with the relevant Rules of Bursa Malaysia Securities Berhad in
relation to exposure to a single client, direct exposure to debt securities and single
equity and proper mechanisms for monitoring these requirements. Similarly, the Bursa
Malaysia Derivatives Berhad has rules on margin with limits imposed on a firm's
exposure which also require monitoring to ensure compliance with the limits.

Operational risk management

In managing operational risk, the following tools can be utilised:

  • segregation of operational duties, exposure reporting and risk monitoring from
    dealing and marketing to ensure internal control is exercised over transaction
    entry into the database, numbering of transactions, time and date notation,
    confirmation and settlement process;
  • reconciliation of front and back-office databases on a regular basis, including
    position data verification, transaction by transaction detail, and profit and loss
    figures;
  • confirmation, maintenance and safeguarding of documentation; and
  • periodic review of procedures, documentation requirements, data processing
    systems and other operational practices.

The Basel Committee’s Risk Management Guidelines for Derivatives (1994) describes
operational, legal and liquidity risks and suggests risk management practices for each
as part of an internal compliance and control programme. While concentrating on
derivatives, these guidelines are still relevant to the operational risks associated with
other products.

The Capital Adequacy Rules which require firms to have enough liquid assets are
designed to afford protection in relation to operational risk, market risk, credit risk
and other risks stemming from particular positions taken by the firm. The idea that
firms should have sufficient capital to cover operational risks is not surprising given
that operational risk has caused many organisations to lose millions.

Another necessary risk management tool in the ever-increasing globalisation of
markets is the monitoring and adoption of overseas or global market initiatives. These
need to be assessed from the perspective of the firm and incorporated into the
compliance programme as appropriate and when required. An example is the Group
of Thirty (G30) recommendations in its study Derivatives: Practices and Principles. The
recommendations address market and credit risk measurement and management,
responsibilities of senior management, use of master agreements, accounting and
disclosure practices. They have largely been endorsed by financial markets globally.
Another example is the paper by the Technical Committee of the International
Organization of Securities Commissions (IOSCO) in 1998 entitled Methodologies for
Determining Minimum Capital Standards for Internationally Active Securities Firms
Which Permit the Use of Models Under Prescribed Conditions.

Legal risk management

This can be controlled by ensuring that a counterparty has the necessary authority to
enter into such a transaction, the contract terms are sound, all formal procedures for
documentation are complied with, all relevant documents are provided or entered
into and those documents are saved and safeguarded. In addition, as discussed above,
there is a need to monitor regulatory and industry developments in Malaysia and in
other jurisdictions where cross-border transactions are entered into.

Ethics of Risk Management

Firms in the capital market do not exist in a risk-free and uncertainty-free environment.
Firms take risks and make profits. Some firms manage the risk taken by maximising
their safety net, while others who wish to make higher returns on high-risked
products will minimise their safety net, sometimes below the market average. One
way risk is managed is through redistribution of risk within the firm. A common
practice is hedging. Uncertainties in the outcomes are usually reduced by formal
means. An example of this is the code of conduct or disclaimer by firms. At most
times, the codes of conduct and disclaimers protect the firm rather than the consumer.

In a worst case scenario, risk exposed to a firm is redistributed to the market and
consumer. An example of this situation is where a firm is pushing the price of equities
for its own interest and later sells them off for its own profit. The activities of
ering or market manipulation are prohibited by the securities laws. However, such
activities may be difficult to control at the global level.

Answer to Self-assessment Exercise 1

Answer to Self-assessment Exercise 2

Checklist

Below is a checklist of the main points covered in this topic. Use this checklist to test
your learning.

  • In the market, the evaluation of risk and the steps taken to protect a firm from
    risk is called "risk management".
  • By and large, the best risk management systems are based upon common
    sense.
  • In trying to maximise profits, firms sometimes take risks beyond their capability
    and this has resulted in a failure of the firm and, in some cases, has led to
    systemic failure.
  • In performing his/her functions, the Compliance Officer is also faced with a
    number of risks, namely legal, reputational, operational and ethical risks.
  • The possibility of systemic risk may be reduced by enhancing corporate
    governance and disclosure.
  • There are many different types of risks which are relevant to a firm.
  • In order to manage risk, the risk must first be identified and understood. An
    assessment of the risk needs to be weighed against the costs of non-
    compliance in deciding what measures will be implemented or action taken.
  • The concern for systemic stability arises from the speed at which the capital
    markets function today and the size of the funds involved.
  • The failure of one institution can threaten systemic safety because it could
    cause a complete breakdown in the financial system due to the extensive links
    in today's markets.
  • A fiduciary is a person to whom property or power is entrusted for the benefit
    of another. A fiduciary relationship exists, for example, between a fund
    manager and its client. The fiduciary relationship toward the client also extends
    to the directors and employees of the firm.
  • For a firm to achieve efficient risk management there must first exist an
    effective risk management infrastructure.
  • From the regulatory perspective, risk control assessment provides information
    to set the limit for the market and to assess the vulnerability of the market.
  • One of the tools for managing risk is to remain up-to-date on all of the sources
    of obligations with which the firm needs to comply. This would include
    legislation, exchange rules, policies and guidelines.