THE ESSENTIALS OF RISK
THE ESSENTIALS OF RISK MANAGEMENT This page intentionally left blank THE ESSENTIALS OF RISK MANAGEMENT SECOND EDITION MICHEL CROUHY, DAN GALAI, ROBERT MARK New York Chicago San Francisco Athens London Madrid Mexico City Milan New Delhi Singapore Sydney Toronto Copyright © 2014 by McGraw-Hill Education. All rights reserved. Except as permited under the United States Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher. ISBN: 978-0-07-182115-5 MHID: 0-07-182115-5 The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-181851-3, MHID: 0-07-181851-0. eBook conversion by codeMantra Version 1.0 All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps. McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that neither the author nor the publisher is engaged in rendering legal, accounting, securities trading, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. —From a Declaration of Principles Jointly Adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations TERMS OF USE This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work may be terminated if you fail to comply with these terms. THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such claim or cause arises in contract, tort or otherwise. CONTENTS Foreword vii Foreword xi I ntroduction to the Second Edition: Reforming Risk Management for the Post-Crisis Era xv 1. Risk Management: A Helicopter View 1 1.1 Typology of Risk Exposures 23 2. Corporate Risk Management: A Primer 45 3. Banks and Their Regulators: The Post-Crisis Regulatory Framework 67 3.1 Basel I 117 3.2 The 1996 Market Risk Amendment 125 3.3 Basel II and Minimum Capital Requirements for Credit Risk 131 3.4 Basel 2.5: Enhancements to the Basel II Framework 137 3.5 Contingent Convertible Bonds 143 4. Corporate Governance and Risk Management 151 5. A User-Friendly Guide to the Theory of Risk and Return 183 6. Interest Rate Risk and Hedging with Derivative Instruments 203 7. Measuring Market Risk: Value-at-Risk, Expected Shortfall, and Similar Metrics 233 8. Asset/Liability Management 265 9. Credit Scoring and Retail Credit Risk Management 305 10. Commercial Credit Risk and the Rating of Individual Credits 333 10.1 Definitions of Key Financial Ratios 363 v vi • Contents 11. Quantitative Approaches to Credit Portfolio Risk and Credit Modeling 11.1 The Basic Idea of the Reduced Form Model 12. The Credit Transfer Markets—and Their Implications 12.1 Why the Rating of CDOs by Rating Agencies Was Misleading 13. Counterparty Credit Risk: CVA, DVA, and FVA 14. Operational Risk 15. Model Risk 16. Stress Testing and Scenario Analysis 16.1 The 2013 Dodd-Frank Severely Adverse Scenarios 17. Risk Capital Attribution and Risk-Adjusted Performance Measurement Epilogue: Trends in Risk Management Index 365 407 411 467 471 499 529 555 581 583 609 619 FOREWORD The world changed after the global financial crisis of 2007–2009, and the change was especially dramatic for banks. The second edition of this book is therefore very welcome and helps to clarify both the implications of the crisis for risk management and the far-reaching process of regulatory change that will come into full force over the next few years. Banks are reforming their risk management processes, but the challenge goes much deeper. Banks must rethink their business models and even question the reason for their existence. Do they exist to take proprietary risks (on or off their balance sheet) or to provide a focused set of services and skills to their customers and business partners? At Natixis, our business adopts the latter model. We have recently completed an aggressive push to adapt to post-crisis regulatory constraints, end our proprietary activities, reduce our risk profile, and refocus on our three core businesses: wholesale banking, investment solutions, and specialized financial services. The far higher capital costs under Basel III are likely to shift many other banks toward a more service-based business model with less risk retained. The new regulations are also obliging banks to change their funding strategies—e.g., by making use of new funding tools in addition to reformed approaches to securitization and traditional funding avenues. This change of philosophy may mean developing trusted partnerships with different kinds of financial institutions, such as insurance companies and pension funds, that can absorb the risks that banks no longer wish to carry on their balance sheets—a process that Natixis has already begun. As banks change their approach, they must also take a fresh look at their corporate governance. The crisis showed that banks had been driven vii viii • Foreword by too simplistic a notion of growth and short-term profitability. Going forward, firms must build a wider and longer-term view of stakeholder interests—e.g., by defining long-term risk appetites explicitly and connecting these securely to strategic and operational decisions. Ensuring the right kind of growth will require many of the best-practice mechanisms of corporate governance discussed in this book. The crisis also showed that banks need to pay more than lip service to the concept of enterprise risk management. They must improve their understanding of how a wide range of risks—credit, market, liquidity, operational, reputation, and more—can interact with and exacerbate each other in a bank’s portfolios and business models when the financial system is under strain. In turn, this requires the development of new risk management methodologies and bankwide infrastructures—for example, in the area of macroeconomic stress testing. One of the accomplishments of this book is that it helps set out these new methodologies and explains their strengths and also their limitations. The authors believe that financial institutions must not rely on any single risk measure, new or old. Risk measurement and management methodologies are there to help decision makers, not to supply simplistic answers. It is critical that institutions (as well as regulators) develop a better understanding of the interconnected nature of the global financial system. As this book explains in its various chapters, systemic risks, counterparty interconnections, liquidity risks, credit risks, and market risks all feed on one another in a crisis. Understanding how risks concentrate during good times and then spread through systemic interconnections during bad times needs to become part of the philosophy of bank risk management. Without this understanding, it is difficult for financial institutions to resist activities that boost growth and profitability in the short term, but that may create unsustainable levels of risk in the longer term. The global economy is trying to find a path toward sustainable growth at the same time that developed nations have begun to unwind the unprecedented support given to economies and banking systems during the crisis years. This will give rise to many challenges as well as opportunities. Natixis plays a frontline role in financing the real economy, but we know that this must be built on solid risk-managed foundations. Foreword • ix In this sense, the book supports the business philosophy we are developing at Natixis. We believe that long-term success comes to institutions and economies that can deliver growth while managing downside risks through both improved risk management and the careful selection of fundamental business models. Laurent Mignon Chief Executive Officer of Natixis September 13, 2013 This page intentionally left blank FOREWORD I think that the concept of the Crouhy, Galai, and Mark book, The Essen- tials of Risk Management, Second Edition, is brilliant. In my career as an academic and in investment management, I found that there is too large a separation between the technocrats who build risk-management models and systems and those who should be using them. In addition, the model builders seem to me to be too far from economics, understanding what risk management can and cannot do and how to structure the risk management problem. Crouhy, Galai, and Mark bridge that gap. They bring the academic research together with applications and implementation. If riskmanagement model builders come to appreciate the economics underlying the models, they would be better prepared to build risk-management tools that have real value for banks and other entities. And, as the authors bring up time and again, board members of corporations must also become as familiar with the models and their underlying economics to ask the correct follow-up questions. Risk management is often described as being an independent activity of the firm, different from generating returns. Most macro and micro models in economics start from a framework of certainty and add an error term, a risk term to represent uncertainty. When describing predicted actions that arise from these models, the error or uncertainty term disappears because the modelers assume that it’s best to take expectations as their best guess as to future outcomes. In both cases, however, this is incorrect. Risk management is part of an optimization program, the tradeoffs between risk and return. As described in the book, the three tools of risk management are (a) reserves, (b) diversification, and (c) insurance. With greater reserves against adverse xi xii • Foreword outcomes, the risk of the firm or the bank is reduced. Greater reserves, however, imply lower returns. And, the dynamics of the reserve need to be known. For example, if a bank needs capital or liquidity reserves to shield it against shock, is the reserve static or can it be used, and how is it to be used at time of shock? If it is a reserve that must always be at a static level, it is not a reserve at all. These are important optimization and planning questions under uncertainty. With more diversification, the bank reduces idiosyncratic risks and retains systematic risks, which it might also transfer to the market. Diversification has benefits. But, if a bank earns profits because its clients want particular services such as mortgages, it might want to concentrate and make money by taking on additional idiosyncratic risk, for it is not possible to diversify away all risks and still earn abnormal profits. The bank must respond to its client’s demands and, as a result, take on idiosyncratic risks. The same is true of insurance. Unlike car insurance, wherein, say, the value of the car is knowable over the year, and the amount of the insurance is easy to ascertain, as the book describes, the bank might not know how much insurance is necessary and when it might need the insurance. Nor does it know the dynamics of the insurance plan as prices change in the market. That is why risk management is integrated into an optimization system where there always are tradeoffs between risk and return. To ignore risk considerations is inappropriate; to concentrate on risk is inappropriate. The boards of banks or corporations are responsible to understand and challenge the optimization problem. Likewise, modelers must also understand the economic tradeoffs. Prior to the financial crisis of 2008, many banks organized their risk management activities in line and not circle form. That is, the risk department was separate and below the production department. The risk management systems of the future must be designed such that the optimization problem is the center focus. This involves deciding on the level of capital employed not only for working capital, or physical investment capital, or human capital but also the amount of risk capital in deciding on the profitability of various business lines and how they coordinate with each other. Risk management involves measurement and model building. This book provides us with a description of many of the problems in building Foreword • xiii models and in providing the inputs to the models. But, once the senior management and the modelers understand the issues, they will change their focus and address the modeling and measurement issues. For example, there are three major problems in the model building/data provision or calibration of the model framework: (1) using historical data to calibrate the model, (2) assuming the spatial relationships will remain unchanged, such as how particular assets are grouped together into clusters or how clusters move together, and, (3) assuming that once the model is built and calibrated that others don’t reverse engineer the model and its calibration and game against those using the model. There are myriad examples and applications of each of these, or these in combination with each other in this book. For example, the rating agencies used historical data to calibrate the likelihood of declines in housing price such that homeowners would default on their mortgages. Unfortunately they used too short a time period and assumed incorrectly that the best prediction of the future would be provided from these short-period data inputs. They also assumed that homeowners default on their mortgages randomly, while ignoring the possibility that the independent clusters of possible mortgage defaults that they assumed existed would become one cluster during a crisis such as the 2008 financial crisis. Moreover, once they provided their ratings on complicated mortgage structured products, market participants reverse engineered how they rated mortgage products and gamed against them by putting lower and lower quality mortgages into structures to pass just the ratings level that they wanted to attain. These three lessons are pervasive in risk management and are illustrated brilliantly in one form or the other over and over again in this book. There are decisions that should be made, in part, proactively and decisions that should be made, in part, reactively. Risk management includes an understanding of how to plan to respond to changes in the opportunity set and to changes in the costs of adjusting assets and to financing activities. There is a value in planning for uncertainty. Ignoring risk might supply large short-term profits but at the expense of survivorship of the business, for not setting aside sufficient risk capital threatens survivorship of the business. And understanding includes evaluating the returns and risks of embedded and explicit options. xiv • Foreword All risk management systems require a careful combination of academic modeling and research with practical applications. Academic research highlighted in this book has made a major contribution to risk management techniques. Practice must be aware of the underlying assumptions of these models and in what situations they apply or don’t apply and adjust them accordingly. Practical applications include understanding data issues in providing inputs to these risk models and in calibrating them consistent with underlying economics. The 2008 crisis highlighted once again the importance of risk management. I believe that all board members must become as conversant in risk management as in return generation. That will become a prerequisite for board participation. This book highlights the importance of these issues. Myron S. Scholes, Frank E. Buck Professor of Finance, Emeritus, Stanford University Graduate School of Business; 1997 recipient of the Nobel Prize in Economics November, 2013 INTRODUCTION TO THE SECOND EDITION: REFORMING RISK MANAGEMENT FOR THE POST-CRISIS ERA Half a dozen years and more have passed since the start of the global financial crisis of 2007–2009,1 and even the European sovereign debt crisis of 2010 is fading into history. In neither case can we be sure that the crises are fully resolved, and their aftershocks and ramifications continue to shape our world. However, enough time may have elapsed for us to absorb the main lessons of the crisis years and to begin to understand the implications of the still unfolding reforms of the world’s financial industries. In this new edition of The Essentials of Risk Management, we have revisited each chapter in light of what has been learned from risk management failures during the crisis years, and in this Introduction we pick out key trends in risk management since we published the first edition in 2006. However, we have also tried to prevent the book as a whole from becoming too dominated by the extraordinary events of 2007–2009 and the immediate succeeding years. Some of the lessons learned in those years were lessons that earlier crises had already taught risk managers, and that Throughout this book, we’ve used the phrase “financial crisis of 2007–2009” to define, reasonably precisely, the banking and financial system crisis of that period. Others choose to use the term “global financial crisis,” or GFC. 1 xv xvi • Introduction to the Second Edition were covered in some detail in the first edition of the book—even if some firms found it hard to put them into practice. The crisis years also spawned a series of fundamental reforms of the regulation of financial institutions, and one thing we can be sure of in risk management is that major structural change creates new business environments, which in turn transform business behavior and risk. One of the curses of risk management is that it perennially tries to micromanage the last crisis rather than applying the first principles of risk management to forestall the next—a trap we have tried to avoid. We hope this book contributes to the attempt to strengthen the overall framework of risk management by encouraging the right mix of theoretical expertise, knowledge of recent and past events, and curiosity about what might be driving risk trends today. *** The financial crisis that started in the summer of 2007 was the culmination of an exceptional boom in credit growth and leverage in the financial system that had been building since the previous credit crisis in 2001–2002, stimulated by an accommodative monetary policy. The boom was fed by an extended period of benign economic and financial conditions, including low real interest rates and abundant liquidity, which encouraged borrowers, investors, and intermediaries to increase their exposure in terms of risk and leverage. The boom years were also marked by a wave of financial innovations related to securitization, which expanded the capacity of the financial system to generate credit assets but outpaced its capacity to manage the associated risks.2 The crisis uncovered major fault lines in business practices and market dynamics: failures of risk management and poorly aligned compensation systems in financial institutions, failures of transparency and disclosure, and many more. In the years following the crisis, many areas of weakness have begun to be addressed through regulation and from the very top of financial institutions (the board of directors and the management committee) down to business line practices, including the misalignment of incentives between the business and its shareholders, bondholders, and investors. Below, we Securitization and structured credit products are discussed in Chapter 12. 2 Introduction to the Second Edition • xvii summarize some of the major problem areas uncovered by the global financial crisis; the rest of the book addresses these issues in more detail. Governance and Risk Culture Risk management has many different components, but the essence of what went wrong in the run-up to the 2007–2009 financial crisis had more to do with the lack of solid corporate governance structures for risk management than with the technical deficiencies of risk measurement and stress testing. In the boom period, risk management was marginalized in many financial institutions. The focus on deal flow, business volume, earnings, and compensation schemes drove firms increasingly to treat risk management as a source of information, not as an integral part of business decision making. Decisions were taken on risk positions without the debate that needed to happen. To some degree, this is a matter of risk culture, but it also has to do with governance structures inside organizations: • The role of the board must be strengthened. Strengthening board oversight of risk does not diminish the fundamental responsibility of management for the risk management process. Instead, it should make sure that risk management receives some enhanced attention in terms of oversight and, hopefully, a longer-term and wider perspective. Chapter 4 on corporate governance elaborates on the role and obligations of the board. • Risk officers must be re-empowered. Some firms distinguish between a “risk control” function, responsible for quantitative measures, and a “risk management” function, which has a more strategic focus. Either way, it is no longer appropriate for risk management to be only an “after the fact” monitoring function. It needs to be included in the development of the firm’s strategy and business model. Chief risk officers (CROs) should not be just risk managers but also proactive risk strategists. With the strength of regulators and an angry public behind them, risk managers presently wield some clout. The trick will be to make sure this lasts in periods of recovery (or growing corporate frustration with unexciting returns). Chapter 4 elaborates on the role of the CRO in a best-practice institution. xviii • Introduction to the Second Edition Inadequate Execution of the Originate-to-Distribute Business Model One common view is that the crisis was caused by the originate-todistribute (OTD) model of securitization, through which lower quality loans were transformed into highly rated securities. To some extent, this characterization is unfortunately true. The OTD model of securitization reduced incentives for the originator of the loan to monitor the creditworthiness of the borrower, because the originator had little or no skin in the game. In the securitization food chain for U.S. mortgages, intermediaries in the chain made fees while transferring credit into an investment product with such an opaque structure that even the most sophisticated investors had no real idea what they were holding. Although the pre-crisis OTD model of securitization, and its lack of checks and balances, was clearly an important factor, the huge losses that affected banks, especially investment banks, mainly occurred because financial institutions did not follow the business model of securitization. Rather than acting as intermediaries by transferring the risk from mortgage lenders to capital market investors, these institutions themselves took on the role of investors. Chapter 12 elaborates on this issue. Poor Underwriting Standards The OTD model generated a huge demand for loans to feed the securitization machine, and this in itself contributed to a lowering of underwriting standards. But benign macroeconomic conditions and low default rates also gave rise to complacency and an erosion of sound practices in the world’s financial industries. Across a range of credit segments, business volumes grew much more quickly than investment in the supporting infrastructure of controls and documentation. The demand for high-yielding assets encouraged a loosening of credit standards and, particularly in the U.S. subprime mortgage market, not just lax but fraudulent practices proliferated from late 2004. Chapter 9 elaborates further on the issue of retail risk management. Introduction to the Second Edition • xix Shortcomings in Firms’ Risk Management Practices The crisis highlighted the risk of model error when making risk assessments. The risk control/risk management function must become more transparent about the limitations of risk metrics and models used to make important decisions in the firm. Models are powerful tools, but they necessarily involve simplifications and assumptions; they must be approached critically and with a heavy dash of expert judgment. When risk metrics, models, and ratings become ends in themselves, they become obstacles to true risk identification. This applies also to the post-crisis rash of new models and risk assessment procedures. Chapter 15 analyzes the problems associated with model risk. • Stress testing and scenario analysis. Stress testing, discussed in Chapter 16, is now a formal requirement of Basel III and the Dodd-Frank Act and has become a much more prominent part of the risk manager’s toolkit. Properly applied, stress testing is a critical diagnostic and risk identification tool, but it can be counterproductive if it becomes too mechanical or consumes resources unproductively. It is important to approach stress testing as one aspect of a multifaceted risk analysis program. In particular, stress testing must be carefully designed to gauge the business strengths and weaknesses of each individual firm; it cannot follow a “one size fits all” approach. Firms need to ensure that stress testing methodologies and policies are consistently applied throughout the firm, take into account multiple risk factors, and adequately deal with correlations between risk factors. Results must have a meaningful impact on business decisions. • Concentration risk. Firms need to improve their firmwide management of concentration risks, embracing not only large risks from individual borrowers but also concentrations in sectors, geographic regions, economic factors, counterparties, and financial guarantors. For example, a concentrated exposure to one (exotic) product can give rise to major losses during a market shock if liquidity dries up and it becomes impossible to rebalance a hedging position in a timely fashion. xx • Introduction to the Second Edition • Counterparty credit risk. The subprime crisis highlighted several shortcomings of over-the-counter (OTC) trading in credit derivatives, most notably the treatment of counterparty credit risk. The primary issue is that collateral and margin requirements are set bilaterally in OTC trading and do not take account of the risk imposed on the rest of the system (e.g., as experienced following the failures of Lehman Brothers and the quasi-bankruptcies of Bear Stearns, AIG, and others). Counterparty credit risk is discussed in Chapter 13. Overreliance on Misleading Ratings from Rating Agencies Credit rating agencies were at the center of the 2007–2009 crisis, as many investors had relied on their ratings to assess the risk of mortgage bonds, asset-backed commercial paper issued by structured investment vehicles, and the monolines that insured municipal bonds and structured credit products. Money market funds are restricted to investing in AAA-rated assets, while pension funds and municipalities are restricted to investing in investment-grade assets.3 In the low interest rate environment of the period before the crisis, many of these conservative investors invested in assets that were complex and contained exposure to subprime assets, mainly because these instruments were given an investment-grade rating or higher while promising a yield above that of traditional assets, such as corporate and Treasury bonds, with an equivalent rating. Chapter 10 discusses ratings and the controversial role of the rating agencies. Poor Investor Due Diligence Many investors placed excessive reliance on credit ratings, neither questioning the methodologies of the credit rating agencies nor fully understanding the risk characteristics of rated products. Also, many investors Most of the US$2.5 trillion sitting in money market funds is traditionally invested in such assets as U.S. Treasury bills, certificates of deposit, and short-term commercial debt. 3 Introduction to the Second Edition • xxi erroneously took comfort from the belief that insurance companies conducted a thorough investigation into the assets they insured.4 Going forward, institutional investors will have to upgrade their risk infrastructure in order to assess risk independently of external rating agencies. If institutions are not willing or able to do this, they should probably refrain from investing in complex structured products. For U.S. retail investors who lack the knowledge and the tools to evaluate and make decisions about financial products, the Dodd-Frank Act creates the Bureau of Consumer Financial Protection (BCFP) as an independent bureau within the Federal Reserve System. However, it is by no means certain that more vigilant consumer protection would have prevented the speculative frenzy in the housing market in the run-up to the financial crisis. In Chapter 3, we discuss the Dodd-Frank Act in more detail. Incentive Compensation Distortions Incentive compensation should align compensation with long-term shareholder interests and risk-adjusted return on capital. Over the two decades before the 2007–2009 financial crisis, bankers and traders had increasingly been rewarded with bonuses tied to short-term profits, giving them an incentive to take excessive risks, leverage up their investments, and sometimes bet the entire bank on astonishingly reckless investment strategies. More on this topic in Chapter 4 and Chapter 17, where we discuss the RAROC (risk-adjusted return on capital) approach. Weaknesses in Disclosure Weaknesses in public disclosures by financial institutions, particularly concerning the type and magnitude of risks associated with on- and offbalance-sheet exposures, damaged market confidence during the 2007– 2009 financial crisis. This remains a significant challenge to the world’s Floyd Norris, “Insurer’s Maneuver Wins a Pass in Court,” New York Times, Business Section, March 8, 2013. 4 xxii • Introduction to the Second Edition financial industries. The need to disclose more information is a requirement of Basel II/III, discussed in Chapter 3. Valuation Problems in a Mark-to-Market World Fair value/mark-to-market accounting has generally proven highly valuable in promoting transparency and market discipline and is an effective and reliable accounting method for securities in liquid markets. However, in secondary markets that may have no or severely limited liquidity, it can create serious valuation problems and can also increase the uncertainties around any valuations. Chapter 3 and the appendix to Chapter 1 elaborate further on this issue. Liquidity Risk Management During the boom years, many banks and other financial institutions allowed themselves to become vulnerable to any prolonged disruption in their funding markets. However, the 2007����������������������������� –���������������������������� 2009 financial crisis demonstrated, once and for all, how extraordinarily dysfunctional the interbank funding market can become in times of uncertainty. Liquidity risk is not a new threat: it lay behind the failure of LTCM (Long Term Capital Management) in August 1998, discussed in Chapter 15, and a number of historical bank failures. In the post-crisis era, however, risk managers will need to be wary of overdependence on any single form of funding, including access to securities markets, in their day-to-day liquidity risk management, stress testing, and contingency planning. As we discuss in Chapter 3, Basel III has introduced a new liquidity framework to address liquidity risk. Banks will have to satisfy two liquidity ratios—i.e., a liquidity coverage ratio (LCR) and a net stable funding ratio (NSFR). Chapter 8 discusses funding risk more broadly. Systemic Risk Of the many regulatory issues at stake in the post-crisis era, one is of primary importance: systemic risk. How can we construct a system that prevents Introduction to the Second Edition • xxiii decisions made in a single institution, or a small group of institutions, from plunging the world’s economies into deep recession? Somehow, the system must be engineered to prevent one failure’s causing a chain reaction or domino effect on other institutions that threatens the stability of the financial markets. Systemic risk and the regulators’ efforts to prevent it is a recurring theme in the chapters of this book, especially Chapters 3 and 13. Procyclicality Banks are said to behave in a procyclical fashion when their actions amplify the momentum of the underlying economic cycle—e.g., by intensifying lending during economic booms or imposing more stringent restrictions or risk assessments on loans during a downturn. Procyclicality partly explains the correlations between asset prices that we see in the financial sector. The forces that contribute to procyclicality are the regulatory capital regime, risk measurement techniques such as value-at-risk, loan-loss provisioning practices, interaction between valuation and leverage, and compensationbased incentives. Basel III includes several mechanisms for mitigating procyclicality, such as a countercyclical capital cushion and reduced reliance on cyclical VaR-based capital requirements (e.g., by expanding the role of stress testing). Procyclicality is discussed in Chapter 3. This page intentionally left blank 1 RISK MANAGEMENT: A HELICOPTER VIEW 1 The future cannot be predicted. It is uncertain, and no one has ever been suc- cessful in consistently forecasting the stock market, interest rates, exchange rates, or commodity prices—or credit, operational, and systemic events with major financial implications. However, the financial risk that arises from uncertainty can be managed. Indeed, much of what distinguishes modern economies from those of the past is the new ability to identify risk, to measure it, to appreciate its consequences, and then to take action accordingly, such as transferring or mitigating the risk. One of the most important aspects of modern risk management is the ability, in many instances, to price risks and ensure that risks undertaken in business activities are correctly rewarded. This simple sequence of activities, shown in more detail in Figure 1-1, is often used to define risk management as a formal discipline. But it’s a sequence that rarely runs smoothly in practice. Sometimes simply identifying a risk is the critical problem; at other times arranging an efficient economic transfer of the risk is the skill that makes one risk manager stand out from another. (In Chapter 2 we discuss the risk management process from the perspective of a corporation.) To the unwary, Figure 1-1 might suggest that risk management is a continual process of corporate risk reduction. But we mustn’t think of the modern attempt to master risk in defensive terms alone. Risk management is really about how firms actively select the type and level of risk that it is appropriate for them We acknowledge the coauthorship of Rob Jameson in this chapter. 1 1 2 • The Essentials of Risk Management FIGURE 1-1 The Risk Management Process Identify risk exposures Measure and estimate risk exposures Find instruments and facilities to shift or trade risks Assess effects of exposures Assess costs and benefits of instruments Form a risk mitigation strategy: • Avoid • Transfer • Mitigate • Keep Evaluate performance to assume. Most business decisions are about sacrificing current resources for future uncertain returns. In this sense, risk management and risk taking aren’t opposites, but two sides of the same coin. Together they drive all our modern economies. The capacity to make forward-looking choices about risk in relation to reward, and to evaluate performance, lies at the heart of the management process of all enduringly successful corporations. Yet the rise of financial risk management as a formal discipline has been a bumpy affair, especially over the last 15 years. On the one hand, we have had some extraordinary successes in risk management mechanisms (e.g., the Risk Management: A Helicopter View • 3 lack of financial institution bankruptcies in the downturn in credit quality in 2001–2002) and we have seen an extraordinary growth in new institutions that earn their keep by taking and managing risk (e.g., hedge funds). On the other hand, the spectacular failure to control risk in the run-up to the 2007–2009 financial crisis revealed fundamental weaknesses in the risk management process of many banks and the banking system as a whole. As a result, risk management is now widely acknowledged as one of the most powerful forces in the world’s financial markets, in both a positive and a negative sense. A striking example is the development of a huge market for credit derivatives, which allows institutions to obtain insurance to protect themselves against credit default and the widening of credit spreads (or, alternatively, to get paid for assuming credit risk as an investment). Credit derivatives can be used to redistribute part or all of an institution’s credit risk exposures to banks, hedge funds, or other institutional investors. However, the misuse of credit derivatives also helped to destabilize institutions during the 2007–2009 crisis and to fuel fears of a systemic meltdown. Back in 2002, Alan Greenspan, then chairman of the U.S. Federal Reserve Board, made some optimistic remarks about the power of risk management to improve the world, but the conditionality attached to his observations proved to be rather important: The development of our paradigms for containing risk has emphasized dispersion of risk to those willing, and presumably able, to bear it. If risk is properly dispersed, shocks to the overall economic system will be better absorbed and less likely to create cascading failures that could threaten financial stability.2 In the financial crisis of 2007–2009, risk turned out to have been concentrated rather than dispersed, and this is far from the only embarrassing failure of risk management in recent decades. Other catastrophes range from the near failure of the giant hedge fund Long-Term Capital Management (LTCM) in 1998 to the string of financial scandals associated with the millennial boom in the equity and technology markets (from Enron, WorldCom, Global Crossing, and Qwest in the United States to Parmalat in Europe and Satyam in Asia). Remarks by Chairman Alan Greenspan before the Council on Foreign Relations, Washington, D.C., November 19, 2002. 2 4 • The Essentials of Risk Management Unfortunately, risk management has not consistently been able to prevent market disruptions or to prevent business accounting scandals resulting from breakdowns in corporate governance. In the case of the former problem, there are serious concerns that derivative markets make it easier to take on large amounts of risk, and that the “herd behavior” of risk managers after a crisis gets underway (e.g., selling risky asset classes when risk measures reach a certain level) actually increases market volatility. Sophisticated financial engineering played a significant role in obscuring the true economic condition and risk-taking of financial companies in the runup to the 2007–2009 crisis, and also helped to cover up the condition of many nonfinancial corporations during the equity markets’ millennial boom and bust. Alongside simpler accounting mistakes and ruses, financial engineering can lead to the violent implosion of firms (and industries) after years of false success, rather than the firms’ simply fading away or being taken over at an earlier point. Part of the reason for risk management’s mixed record here lies with the double-edged nature of risk management technologies. Every financial instrument that allows a company to transfer risk also allows other corporations to assume that risk as a counterparty in the same market—wisely or not. Most important, every risk management mechanism that allows us to change the shape of cash flows, such as deferring a negative outcome into the future, may work to the shortterm benefit of one group of stakeholders in a firm (e.g., managers) at the same time that it is destroying long-term value for another group (e.g., shareholders or pensioners). In a world that is increasingly driven by risk management concepts and technologies, we need to look more carefully at the increasingly fluid and complex nature of risk itself, and at how to determine whether any change in a corporation’s risk profile serves the interests of stakeholders. We need to make sure we are at least as literate in the language of risk as we are in the language of reward. The nature of risk forms the topic of our next section, and it will lead us to the reason we’ve tried to make this book accessible to everyone, from shareholders, board members, and top executives to line managers, legal and back-office staff, and administrative assistants. We’ve removed from this book many of the complexities of mathematics that act as a barrier to understanding the essential principles of risk management, in the belief that, just as war is too important to be left to the generals, risk management has become too important to be left to the “rocket scientists” of the world of financial derivatives. This book is made suitable to students at colleges and universities who are interested in the emerging and expanding field of risk management in financial as well as nonfinancial corporations. Risk Management: A Helicopter View • 5 What Is Risk? We’re all faced with risk in our everyday lives. And although risk is an abstract term, our natural human understanding of the trade-offs between risk and reward is pretty sophisticated. For example, in our personal lives, we intuitively understand the difference between a cost that’s already been budgeted for (in risk parlance, a predictable or expected loss) and an unexpected cost (at its worst, a catastrophic loss of a magnitude well beyond losses seen in the course of normal daily life). In particular, we understand that risk is not synonymous with the size of a cost or of a loss. After all, some of the costs we expect in daily life are very large indeed if we think in terms of our annual budgets: food, fixed mortgage payments, college fees, and so on. These costs are big, but they are not a threat to our ambitions because they are reasonably predictable and are already allowed for in our plans. The real risk is that these costs will suddenly rise in an entirely unexpected way, or that some other cost will appear from nowhere and steal the money we’ve set aside for our expected outlays. The risk lies in how variable our costs and revenues really are. In particular, we care about how likely it is that we’ll encounter a loss big enough to upset our plans (one that we have not defused through some piece of personal risk management such as taking out a fixed-rate mortgage, setting aside savings for a rainy day, and so on). This day-to-day analogy makes it easier to understand the difference between the risk management concepts of expected loss (or expected costs) and unexpected loss (or unexpected cost). Understanding this difference is the key to understanding modern risk management concepts such as economic capital attribution and risk-adjusted pricing. (However, this is not the only way to define risk, as we’ll see in Chapter 5, which discusses various academic theories that shed more light on the definition and measurement of risk.) One of the key differences between our intuitive conception of risk and a more formal treatment of it is the use of statistics to define the extent and potential cost of any exposure. To develop a number for unexpected loss, a bank risk manager first identifies the risk factors that seem to drive volatility in any outcome (Box 1-1) and then uses statistical analysis to calculate the probabilities of various outcomes for the position or portfolio under consideration. This probability distribution can be used in various ways. For example, the risk manager might pinpoint the area of the distribution (i.e., the extent of loss) that the 6 • The Essentials of Risk Management institution would find worrying, given the probability of this loss occurring (e.g., is it a 1 in 10 or a 1 in 10,000 chance?). BOX 1-1 RISK FACTORS AND THE MODELING OF RISK In order to measure risk, the risk analyst first seeks to identify the key factors that seem likely to cause volatility in the returns from the position or portfolio under consideration. For example, in the case of an equity investment, the risk factor will be the volatility of the stock price (categorized in the appendix to this chapter as a market risk), which can be estimated in various ways. In this case, we identified a single risk factor. But the number of risk factors that are considered in a risk analysis—and included in any risk modeling—varies considerably depending on both the problem and the sophistication of the approach. For example, in the recent past, bank risk analysts might have analyzed the risk of an interest-rate position in terms of the effect of a single risk factor—e.g., the yield to maturity of government bonds, assuming that the yields for all maturities are perfectly correlated. But this one-factor model approach ignored the risk that the dynamic of the term structure of interest rates is driven by more factors—e.g., the forward rates. Nowadays, leading banks analyze their interest-rate exposures using at least two or three factors, as we describe in Chapter 6. Further, the risk manager must also measure the influence of the risk factors on each other, the statistical measure of which is the “covariance.” Disentangling the effects of multiple risk factors and quantifying the influence of each is a fairly complicated undertaking, especially when covariance alters over time (i.e., is stochastic, in the modeler’s terminology). There is often a distinct difference in the behavior and relationship of risk factors during normal business conditions and during stressful conditions such as financial crises. Under ordinary market conditions, the behavior of risk factors is relatively less difficult to predict because it does not change significantly in the short and medium term: future behavior can be extrapolated, to some extent, from past performance. However, during stressful conditions, the behavior of risk factors becomes far more unpredictable, and past behavior may offer little help in predicting future behavior. It’s at this point that statistically measurable risk threatens to turn into the kind of unmeasurable uncertainty that we discuss in Box 1-2. Risk Management: A Helicopter View • 7 The distribution can also be related to the institution’s stated “risk appetite” for its various activities. For example, as we discuss in Chapter 4, the senior risk committee at the bank might have set boundaries on the amount of risk that the institution is willing to take by specifying the maximum loss it is willing to tolerate at a given level of confidence, such as, “We are willing to countenance a 1 percent chance of a $50 million loss from our trading desks on any given day.” (At this point we should explain that while some chapters of this book focus on aspects of bank risk management—e.g., in Chapter 3 we elaborate on the regulation of risk management in banks—the risk management issues and concepts we cover are encountered in some form by many other industries and organizations, as we highlight in Chapter 2.) Since the 2007–2009 financial crisis, risk managers have tried to move away from an overdependence on historical-statistical treatments of risk. For example, they have laid more emphasis on scenario analysis and stress testing, which examine the impact or outcomes of a given adverse scenario or stress on a firm (or portfolio). The scenario may be chosen not on the basis of statistical analysis, but instead simply because it is both plausible and suitably severe—essentially, a judgment call. However, it can be difficult and perhaps unwise to remove statistical approaches from the picture entirely. For example, in the more sophisticated forms of scenario analysis, the firm will need to examine how a change in a given macroeconomic factor (e.g., unemployment rate) leads to a change in a given risk factor (e.g., the probability of default of a corporation). Making this link almost inevitably means looking back to the past to examine the nature of the statistical relationship between macroeconomic factors and risk factors, though a degree of judgment must also be factored into the analysis. The use of statistical, economic, and stress testing concepts can make risk management sound pretty technical. But the risk manager is simply doing more formally what we all do when we ask ourselves in our personal lives, “How bad, within reason, might this problem get?” The statistical models can also help in pricing risk, or pricing the instruments that help to eliminate or mitigate the risks. What does our distinction between expected loss and unexpected loss mean in terms of running a financial business, such as a specific banking business line? Well, the expected credit loss for a credit card portfolio, for example, refers to how much the bank expects to lose, on average, as a result of fraud and defaults by cardholders over a period of time, say one year. In the case of large and well-diversified portfolios (i.e., most consumer credit portfolios), expected 8 • The Essentials of Risk Management loss accounts for almost all the losses that are incurred in normal times. Because it is, by definition, predictable, expected loss is generally viewed as one of the costs of doing business, and ideally it is priced into the products and services offered to the customer. For credit cards, the expected loss is recovered by charging the businesses a certain commission (2 to 4 percent) and by charging a spread to the customer on any borrowed money, over and above the bank’s funding cost (i.e., the rate the bank pays to raise funds in the money markets and elsewhere). The bank recovers mundane operating costs, such as the salaries it pays tellers, in much the same way. The level of loss associated with a large standard credit card portfolio is relatively predictable because the portfolio is made up of numerous bite-sized exposures and the fortunes of most customers, most of the time, are not closely tied to one another. On the whole, you are not much more likely to lose your job today because your neighbor lost hers last week. There are some important exceptions to this, of course. During a prolonged and severe recession, your fortunes may become much more correlated with those of your neighbor, particularly if you work in the same industry and live in a particularly vulnerable region. Even in the relatively good times, the fortunes of small local banks, as well as their card portfolios, are somewhat driven by socioeconomic characteristics, as we discuss in Chapter 9. A corporate loan portfolio, however, tends to be much “lumpier” than a retail portfolio (i.e., there are more big loans). Furthermore, if we look at industry data on commercial loan losses over a period of decades, it’s much more apparent that in some years losses spike upward to unexpected loss levels, driven by risk factors that suddenly begin to act together. For example, the default rate for a bank that lends too heavily to the technology sector will be driven not just by the health of individual borrowers, but by the business cycle of the technology sector as a whole. When the technology sector shines, making loans will look risk-free for an extended period; when the economic rain comes, it will soak any banker that has allowed lending to become too concentrated among similar or interrelated borrowers. So, correlation risk—the tendency for things to go wrong together—is a major factor when evaluating the risk of this kind of portfolio. The tendency for things to go wrong together isn’t confined to the clustering of defaults among a portfolio of commercial borrowers. Whole classes of risk Risk Management: A Helicopter View • 9 factors can begin to move together, too. In the world of credit risk, real estate– linked loans are a famous example of this: they are often secured with real estate collateral, which tends to lose value at exactly the same time that the default rate for property developers and owners rises. In this case, the “recovery-rate risk” on any defaulted loan is itself closely correlated with the “default-rate risk.” The two risk factors acting together can sometimes force losses abruptly skyward. In fact, anywhere in the world that we see risks (and not just credit risks) that are lumpy (i.e., in large blocks, such as very large loans) and that are driven by risk factors that under certain circumstances can become linked together (i.e., that are correlated), we can predict that at certain times high “unexpected losses” will be realized. We can try to estimate how bad this problem is by looking at the historical severity of these events in relation to any risk factors that we define and then examining the prevalence of these risk factors (e.g., the type and concentration of real estate collateral) in the particular portfolio under examination. A detailed discussion of the problem of assessing and measuring the credit risk associated with commercial loans, and with whole portfolios of loans, takes up most of Chapters 10 and 11 of this book. But our general point immediately explains why bankers became so excited about new credit risk transfer technologies such as credit derivatives, described in detail in Chapter 12. These bankers weren’t looking to reduce predictable levels of loss. Instead, the new instruments seemed to offer ways to put a cap on the problem of high unexpected losses and all the capital costs and uncertainty that these bring. The conception of risk as unexpected loss underpins two key concepts that we’ll deal with in more detail later in this book: value-at-risk (VaR) and economic capital. VaR, described and analyzed in Chapter 7, is a statistical measure that defines a particular level of loss in terms of its chances of occurrence (the “confidence level” of the analysis, in risk management jargon). For example, we might say that our options position has a one-day VaR of $1 million at the 99 percent confidence level, meaning that our risk analysis shows that there is only a 1 percent probability of a loss that is greater than $1 million on any given trading day. In effect, we’re saying that if we have $1 million in liquid reserves, there’s little chance that the options position will lead to insolvency. Furthermore, because we can estimate the cost of holding liquid reserves, our risk analysis gives us a pretty good idea of the cost of taking this risk. 10 • The Essentials of Risk Management Under the risk paradigm we’ve just described, risk management becomes not the process of controlling and reducing expected losses (which is essentially a budgeting, pricing, and business efficiency concern), but the process of understanding, costing, and efficiently managing unexpected levels of variability in the financial outcomes for a business. Under this paradigm, even a conservative business can take on a significant amount of risk quite rationally, in light of •• Its confidence in the way it assesses and measures the unexpected loss levels associated with its various activities •• The accumulation of sufficient capital or the deployment of other risk management techniques to protect against potential unexpected loss levels •• Appropriate returns from the risky activities, once the costs of risk capital and risk management are taken into account •• Clear communication with stakeholders about the company’s target risk profile (i.e., its solvency standard once risk-taking and risk mitigation are accounted for) This takes us back to our assertion that risk management is not just a defensive activity. The more accurately a business understands and can measure its risks against potential rewards, its business goals, and its ability to withstand unexpected but plausible scenarios, the more risk-adjusted reward the business can aggressively capture in the marketplace without driving itself to destruction. As Box 1-2 discusses, it’s important in any risk analysis to acknowledge that some factors that might create volatility in outcomes simply can’t be measured—even though they may be very important. The presence of this kind of risk factor introduces an uncertainty that needs to be made transparent, and perhaps explored using the kind of worst-case scenario analysis we describe in Chapter 16. Furthermore, even when statistical analysis of risk can be conducted, it’s vital to make explicit the robustness of the underlying model, data, and risk parameter estimation—a topic that we treat in detail in Chapter 15, “Model Risk.” The Conflict of Risk and Reward In financial markets, as well as in many commercial activities, if one wants to achieve a higher rate of return on average, one often has to assume more risk. But the transparency of the trade-off between risk and return is highly variable. Risk Management: A Helicopter View • 11 BOX 1-2 RISK, UNCERTAINTY . . . AND TRANSPARENCY ABOUT THE DIFFERENCE In this chapter, we discuss risk as if it were synonymous with uncertainty. In fact, since the 1920s and a famous dissertation by Chicago economist Frank Knight,1 thinkers about risk have made an important distinction between the two: variability that can be quantified in terms of probabilities is best thought of as “risk,” while variability that cannot be quantified at all is best thought of simply as “uncertainty.” In a speech some years ago,2 Mervyn King, then governor of the Bank of England, usefully pointed up the distinction using the example of the pensions and insurance industries. Over the last century, these industries have used statistical analysis to develop products (life insurance, pensions, annuities, and so on) that are important to us all in looking after the financial well-being of our families. These products act to “collectivize” the financial effects of any one individual’s life events among any given generation. Robust statistical tools have been vital in this collectivization of risk within a generation, but the insurance and investment industries have not found a way to put a robust number on key risks that arise between generations, such as how much longer future generations might live and what this might mean for life insurance, pensions, and so on. Some aspects of the future remain not just risky, but uncertain. Statistical science can help us to only a limited degree in understanding how sudden advances in medical science or the onset of a new disease such as AIDS might drive longevity up or down. As King pointed out in his speech, “No amount of complex demographic modeling can substitute for good judgment about those unknowns.” Frank H. Knight, Risk, Uncertainty and Profit, Boston, MA: Hart, Schaffner & Marx; Houghton Mifflin Company, 1921. 1 2 Mervyn King, “What Fates Impose: Facing Up to Uncertainty,” Eighth British Academy Annual Lecture, December 2004. 12 • The Essentials of Risk Management Indeed, attempts to forecast changes in longevity over the last 20 years have all fallen wide of the mark (usually proving too conservative).3 As this example helps make clear, one of the most important things that a risk manager can do when communicating a risk analysis is to be clear about the degree to which the results depend on statistically measurable risk, and the degree to which they depend on factors that are entirely uncertain at the time of the analysis—a distinction that may not be obvious to the reader of a complex risk report at first glance. In his speech, King set out two principles of risk communication for public policy makers that could equally well apply to senior risk committees at corporations looking at the results of complex risk calculations: First, information must be provided objectively and placed in context so that risks can be assessed and understood. Second, experts and policy makers must be open about the extent of our knowledge and our ignorance. Transparency about what we know and what we don’t know, far from undermining credibility, helps to build trust and confidence. We can’t measure uncertainties, but we can still assess and manage them through worst-case scenarios, risk transfer, and so on. Indeed, a market is emerging that may help institutions to manage the financial risks of increased longevity. In 2003, reinsurance companies and banks began to issue financial instruments with returns linked to the aggregate longevity of specified populations, though the market for instruments that can help to manage longevity risk is still relatively immature. 3 In some cases, relatively efficient markets for risky assets help to make clear the returns that investors demand for assuming risk. For example, Figure 6-1, in Chapter 6, illustrates the risk/return relationship in the U.S. bond markets, showing the spreads for government bonds and corporate bonds of different ratings and maturities since 2007. Even in the bond markets, the “price” of credit risk implied by these numbers for a particular counterparty is not quite transparent. Though bond prices are a pretty good guide to relative risk, various additional factors, such as liquidity risk and tax effects, confuse the price signal (as we discuss in Chapter 11). Moreover, investors’ appetite for assuming certain kinds of risk varies over time. Sometimes the differential in yield between a risky and a risk-free bond narrows to such an extent that commentators talk of an “irrational” price of credit. That was the case Risk Management: A Helicopter View • 13 during the period from early 2005 to mid-2007, until the eruption of the subprime crisis. With the eruption of the crisis, credit spreads moved up dramatically, and reached a peak following the collapse of Lehman Brothers in September 2008. However, in the case of risks that are not associated with any kind of market-traded financial instrument, the problem of making transparent the relationship between risk and reward is even more profound. A key objective of risk management is to tackle this issue and make clear the potential for large losses in the future arising from activities that generate an apparently attractive stream of profits in the short run. Ideally, discussions about this kind of trade-off between future profits and opaque risks would be undertaken within corporations on a basis that is rational for the firm as a whole. But organizations with a poor risk management and risk governance culture sometimes allow powerful business leaders to exaggerate the potential returns while diminishing the perceived potential risks. When rewards are not properly adjusted for economic risk, it’s tempting for the self-interested to play down the potential for unexpected losses to spike somewhere in the economic cycle and to willfully misunderstand how risk factors sometimes come together to give rise to severe correlation risks. Management itself might be tempted to leave gaps in risk measurement that, if mended, would disturb the reported profitability of a business franchise. (The run-up to the 2007–2009 financial crisis provided many examples of such behavior.) This kind of risk management failure can be hugely exacerbated by the compensation incentive schemes of the companies involved. In many firms across a broad swathe of industries, bonuses are paid today on profits that may later turn out to be illusory, while the cost of any associated risks is pushed, largely unacknowledged, into the future. We can see this general process in the banking industry in every credit cycle as banks loosen rules about the granting of credit in the favorable part of the cycle, only to stamp on the credit brakes as things turn sour. The same dynamic happens whenever firms lack the discipline or means to adjust their present performance measures for an activity to take account of any risks incurred. For example, it is particularly easy for trading institutions to move revenues forward through either a “mark-to-market” or a “market-to-model” process. This process employs estimates of the value the market puts on an asset to record profits on the income statement before cash is actually generated; meanwhile, the implied cost of any risk can be artificially reduced by applying poor or deliberately distorted risk measurement techniques. 14 • The Essentials of Risk Management This collision between conflicts of interest and the opaque nature of risk is not limited solely to risk measurement and management at the level of the individual firm. Decisions about risk and return can become seriously distorted across whole financial industries when poor industry practices and regulatory rules allow this to happen—famous examples being the U.S. savings and loan crisis in the 1980s and early 1990s (see Box 8-1) and the more recent subprime crisis. History shows that industry regulators can also be drawn into the deception. When the stakes are high enough, regulators all around the world have colluded with local banking industries to allow firms to misrecord and misvalue risky assets on their balance sheets, out of fear that forcing firms to state their true condition will prompt mass insolvencies and a financial crisis. Perhaps, in these cases, regulators think they are doing the right thing in safeguarding the financial system, or perhaps they are just desperate to postpone any pain beyond their term of office (or that of their political masters). For our purposes, it’s enough to point out that the combination of poor standards of risk measurement with a conflict of interest is extraordinarily potent at many levels—both inside the company and outside. The Danger of Names So far, we’ve been discussing risk in terms of its expected and unexpected nature. We can also divide up our risk portfolio according to the type of risk that we are running. In this book, we follow the latest regulatory approach in the global banking industry to highlight three major broad risk categories that are controllable and manageable: Market risk is the risk of losses arising from changes in market risk factors. Market risk can arise from changes in interest rates, foreign exchange rates, or equity and commodity price factors.3 Credit risk is the risk of loss following a change in the factors that drive the credit quality of an asset. These include adverse effects arising from credit grade migration, including default, and the dynamics of recovery rates. The definition and breakdown of market risk into these four broad categories is consistent with the accounting standards of IFRS and GAPP in the United States. 3 Risk Management: A Helicopter View • 15 Operational risk refers to financial loss resulting from a host of potential operational breakdowns that we can think in terms of risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events (e.g., frauds, inadequate computer systems, a failure in controls, a mistake in operations, a guideline that has been circumvented, or a natural disaster). Understanding the various types of risk is important, beyond the banking industry, because each category demands a different (but related) set of risk management skills. The categories are often used to define and organize the risk management functions and risk management activities of a corporation. We’ve added an appendix to this chapter that offers a longer and more detailed family tree of the various types of risks faced by corporations, including key additional risks such as liquidity risk and strategic risk. This risk taxonomy can be applied to any corporation engaged in major financial transactions, project financing, and providing customers with credit facilities. The history of science, as well as the history of management, tells us that classification schemes like this are as valuable as they are dangerous. Giving a name to something allows us to talk about it, control it, and assign responsibility for it. Classification is an important part of the effort to make an otherwise ill-defined risk measurable, manageable, and transferable. Yet the classification of risk is also fraught with danger because as soon as we define risk in terms of categories, we create the potential for missed risks and gaps in responsibilities—for being blindsided by risk as it flows across our arbitrary dividing lines. For example, a sharp peak in market prices will create a market risk for an institution. Yet the real threat might be that a counterparty to the bank that is also affected by the spike in market prices will default (credit risk), or that some weakness in the bank’s systems will be exposed by high trading volumes (operational risk). If we think of price volatility in terms of market risk alone, we are missing an important factor. We can see the same thing happening from an organizational perspective. While categorizing risks helps us to organize risk management, it fosters the creation of “silos” of expertise that are separated from one another in terms of personnel, risk terminology, risk measures, reporting lines, systems and data, and so on. The management of risk within these silos may be quite efficient in 16 • The Essentials of Risk Management terms of a particular risk, such as market or credit risk, or the risks run by a particular business unit. But if executives and risk managers can’t communicate with one another across risk silos, they probably won’t be able to work together efficiently to manage the risks that are most important to the institution as a whole. Some of the most exciting recent advances in risk management are really attempts to break down this natural organizational tendency toward silo risk management. In the past, risk measurement tools such as VaR and economic capital have evolved, in part, to facilitate integrated measurement and management of the various risks (market, credit, and operational) and business lines. More recently, the trend toward worst-case scenario analysis is really an attempt to look at the effect of macroeconomic scenarios on a firm across its business lines and, often, across various types of risk (market, credit, and so on). We can also see in many industries a much more broadly framed trend toward what consultants have labeled enterprisewide risk management, or ERM. ERM is a concept with many definitions. Basically, though, ERM is a deliberate attempt to break through the tendency of firms to operate in risk management silos and to ignore enterprisewide risks, and an attempt to take risk into consideration in business decisions much more explicitly than has been done in the past. There are many potential ERM tools, including conceptual tools that facilitate enterprisewide risk measurement (such as economic capital and enterprisewide stress testing), monitoring tools that facilitate enterprisewide risk identification, and organizational tools such as senior risk committees with a mandate to look at all enterprisewide risks. Through an ERM program, a firm limits its exposures to a risk level agreed upon by the board and provides its management and board of directors with reasonable assurances regarding the achievement of the organization’s objectives. As a trend, ERM is clearly in tune with a parallel drive toward the unification of risk, capital, and balance sheet management in financial institutions. Over the last 10 years, it has become increasingly difficult to distinguish risk management tools from capital management tools, since risk, according to the unexpected loss risk paradigm we outlined earlier, increasingly drives the allocation of capital in risk-intensive businesses such as banking and insurance. Risk Management: A Helicopter View • 17 Similarly, it has become difficult to distinguish capital management tools from balance sheet management tools, since risk/reward relationships increasingly drive the structure of the balance sheet. A survey in 2011 by management consultant Deloitte found that the adoption of ERM has increased sharply over the last few years: “Fifty-two percent of institutions reported having an ERM program (or equivalent), up from 36 percent in 2008. Large institutions are more likely to face complex and interconnected risks, and among institutions with total assets of $100 billion or more, 91 percent reported either having an ERM program in place or [being] in the process of implementing one.”4 But we shouldn’t get too carried away here. ERM is a goal, but most institutions are a long way from fully achieving the goal. Numbers Are Dangerous, Too Once we’ve put boundaries around our risks by naming and classifying them, we can also try to attach meaningful numbers to them. A lot of this book is about this problem. Even if our numbers are only judgmental rankings of risks within a risk class (Risk No. 1, Risk Rating 3, and so on), they can help us make more rational in-class comparative decisions. More ambitiously, if we can assign absolute numbers to some risk factor (a 0.02 percent chance of default versus a 0.002 percent chance of default), then we can weigh one decision against another with some precision. And if we can put an absolute cost or price on a risk (ideally using data from markets where risks are traded or from some internal “cost of risk” calculation based on economic capital), then we can make truly rational economic decisions about assuming, managing, and transferring risks. At this point, risk management decisions become fungible with many other kinds of management decision in the running of an enterprise. But while assigning numbers to risk is incredibly useful for risk management and risk transfer, it’s also potentially dangerous. Only some kinds of numbers are truly comparable, but all kinds of numbers tempt us to make comparisons. For example, using the face value or “notional amount” of a bond Deloitte, Global Risk Management Survey, seventh edition, 2011, p. 14. 4 18 • The Essentials of Risk Management to indicate the risk of a bond is a flawed approach. As we explain in Chapter 7, a million-dollar position in a par value 10-year Treasury bond does not represent at all the same amount of risk as a million-dollar position in a 4-year par value Treasury bond. Introducing sophisticated models to describe risk is one way to defuse this problem, but this has its own dangers. Professionals in the financial markets invented the VaR framework as a way of measuring and comparing risk across many different markets. But as we discuss in Chapter 7, the VaR measure works well as a risk measure only for markets operating under normal conditions and only over a short period, such as one trading day. Potentially, it’s a very poor and misleading measure of risk in abnormal markets, over longer time periods, or for illiquid portfolios. Also, VaR, like all risk measures, depends for its integrity on a robust control environment. In recent rogue-trading cases, hundreds of millions of dollars of losses have been suffered by trading desks that had orders not to assume VaR exposures of more than a few million dollars. The reason for the discrepancy is nearly always that the trading desks have found some way of circumventing trading controls and suppressing risk measures. For example, a trader might falsify transaction details entered into the trade reporting system and use fictitious trades to (supposedly) balance out the risk of real trades, or tamper with the inputs to risk models, such as the volatility estimates that determine the valuation and risk estimation for an options portfolio. The likelihood of this kind of problem increases sharply when those around the trader (back-office staff, business line managers, even risk managers) don’t properly understand the critical significance of routine tasks, such as an independent check on volatility estimates, for the integrity of key risk measures. Meanwhile, those reading the risk reports (senior executives, board members) often don’t seem to realize that unless they’ve asked key questions about the integrity of controls, they might as well tear up the risk report. As we try to base our risk evaluations on past data and experience, we should recall that all statistical estimation is subject to estimation errors, and these can be substantial when the economic environment changes. In addition we must remember that human psychology interferes with risk assessment. Professor Daniel Kahneman, the Nobel laureate in Economics, warns us that people tend to misassess extreme probabilities (very small ones as well as very Risk Management: A Helicopter View • 19 large ones). Kahneman also points out that people tend to be risk-averse in the domain of gains and risk-seeking in the domain of losses.5 While the specialist risk manager’s job is an increasingly important one, a broad understanding of risk management must also become part of the wider culture of the firm. The Risk Manager’s Job There are many aspects of the risk manager’s role that are open to confusion. First and foremost, a risk manager is not a prophet! The role of the risk manager is not to try to read a crystal ball, but to uncover the sources of risk and make them visible to key decision makers and stakeholders in terms of probability. For example, the risk manager’s role is not to produce a point estimate of the U.S. dollar/euro exchange rate at the end of the year; but to produce a distribution estimate of the potential exchange rate at year-end and explain what this might mean for the firm (given its financial positions). These distribution estimates can then be used to help make risk management decisions, and also to produce riskadjusted metrics such as risk-adjusted return on capital (RAROC). As this suggests, the risk manager’s role is not just defensive—firms need to generate and apply information about balancing risk and reward if they are to compete effectively in the longer term (see Chapter 17). Implementing the appropriate policies, methodologies, and infrastructure to risk-adjust numbers and improve forward-looking business decisions is an increasingly important element of the modern risk manager’s job. But the risk manager’s role in this regard is rarely easy—these risk and profitability analyses aren’t always accepted or welcomed in the wider firm when they deliver bad news. Sometimes the difficulty is political (business leaders want growth, not caution), sometimes it is technical (no one has found a bestpractice way to measure certain types of risk, such as reputation or franchise risk), and sometimes it is systemic (it’s hard not to jump over a cliff on a business idea if all your competitors are doing that too). Daniel Kahneman, Thinking, Fast and Slow, Farrar, Straus and Giroux, 2011. 5 20 • The Essentials of Risk Management This is why defining the role and reporting lines of risk managers within the wider organization is so critical. It’s all very well for the risk manager to identify a risk and measure its potential impact—but if risk is not made transparent to key stakeholders, or those charged with oversight on their behalf, then the risk manager has failed. We discuss these corporate governance issues in more detail in Chapter 4. Perhaps the trickiest balancing act over the last few years has been trying to find the right relationship between business leaders and the specialist risk management functions within an institution. The relationship should be close, but not too close. There should be extensive interaction, but not dominance. There should be understanding, but not collusion. We can still see the tensions in this relationship across any number of activities in risk-taking organizations—between the credit analyst and those charged with business development in commercial loans, between the trader on the desk and the market risk management team, and so on. Where the balance of power lies will depend significantly on the attitude of senior managers and on the tone set by the board. It will also depend on whether the institution has invested in the analytical and organizational tools that support balanced, risk-adjusted decisions. As the risk manager’s role is extended, we must increasingly ask difficult questions: “What are the risk management standards of practice” and “Who is checking up on the risk managers?” Out in the financial markets, the answer is hopefully the regulators. Inside a corporation, the answer includes the institution’s audit function, which is charged with reviewing risk management’s actions and its compliance with an agreed-upon set of policies and procedures (Chapter 4). But the more general answer is that risk managers will find it difficult to make the right kind of impact if the firm as a whole lacks a healthy risk culture, including a good understanding of risk management practices, concepts, and tools. The Past, the Future—and This Book’s Mission We can now understand better why the discipline of risk management has had such a bumpy ride across many industries over the last decade (see Box 1-3). The reasons lie partly in the fundamentally elusive and opaque nature of risk—if it’s not unexpected or uncertain, it’s not risk! As we’ve seen, “risk” changes shape according to perspective, market circumstances, risk appetite, and even the classification schemes that we use. Risk Management: A Helicopter View • 21 BOX 1-3 UPS AND DOWNS IN RISK MANAGEMENT Ups •• Dramatic explosion in the adoption of sophisticated risk management processes, driven by an expanding skill base and falling cost of risk technologies •• Increase in the skill levels and associated compensation of risk management personnel as sophisticated risk techniques have been adopted to measure risk exposures •• Birth of new risk management markets in credit, commodities, weather derivatives, and so on, representing some of the most innovative and potentially lucrative financial markets in the world •• Birth of global risk management industry associations as well as a dramatic rise in the number of global risk management personnel •• Extension of the risk measurement frontier out from traditional measured risks such as market risk toward credit and operational risks •• Cross fertilization of risk management techniques across diverse industries from banking to insurance, energy, chemicals, and aerospace •• Ascent of risk managers in the corporate hierarchy to become chief risk officers, to become members of the top executive team (e.g., part of the management committee), and to report to both the CEO and the board of the company Downs •• The financial crisis of 2007–2009 revealed significant weaknesses in managing systemic and cyclical risks. •• Firms have been tempted to over-rely on historical-statistical measures of risk—a weakness that improved stress testing seeks to address. •• Risk managers continue to find it a challenge to balance their fiduciary responsibilities against the cost of offending powerful business heads. 22 • The Essentials of Risk Management •• Risk managers do not generate revenue and therefore have not yet achieved the same status as the heads of successful revenuegenerating businesses. •• It’s proving difficult to make truly unified measurements of different kinds of risk and to understand the destructive power of risk interactions (e.g., credit and liquidity risk). •• Quantifying risk exposure for the whole organization can be hugely complicated and may descend into a “box ticking” exercise. •• The growing power of risk managers could be a negative force in business if risk management is interpreted as risk avoidance; it’s possible to be too risk-averse. The reasons also lie partly in the relative immaturity of financial risk management. Practices, personnel, markets, and instruments have been evolving and interacting with one another continually over the last couple of decades to set the stage for the next risk management triumph—and disaster. Rather than being a set of specific activities, computer systems, rules, or policies, risk management is better thought of as a set of concepts that allow us to see and manage risk in a particular and dynamic way. Perhaps the biggest task in risk management is no longer to build specialized mathematical measures of risk (although this endeavor certainly continues). Perhaps it is to put down deeper risk management roots in each organization. We need to build a wider risk culture and risk literacy, in which all the key staff members engaged in a risky enterprise understand how they can affect the risk profile of the organization—from the back office to the boardroom, and from the bottom to the top of the house. That’s really what this book is about. We hope it offers both nonmathematicians as well as mathematicians an understanding of the latest concepts in risk management so that they can see the strengths and question the weaknesses of a given decision. Nonmathematicians must feel able to contribute to the ongoing evolution of risk management practice. Along the way, we can also hope to give those of our readers who are risk analysts and mathematicians a broader sense of how their analytics fit into an overall risk program, and a stronger sense that their role is to convey not just the results of any risk analysis, but also its meaning (and any broader lessons from an enterprisewide risk management perspective). Appendix 1.1 TYPOLOGY OF RISK EXPOSURES In Chapter 1 we defined risk as the volatility of returns leading to “unexpected losses,” with higher volatility indicating higher risk. The volatility of returns is directly or indirectly influenced by numerous variables, which we called risk factors, and by the interaction between these risk factors. But how do we consider the universe of risk factors in a systematic way? Risk factors can be broadly grouped together into the following major categories: market risk, credit risk, liquidity risk, operational risk, legal and regulatory risk, business risk, strategic risk, and reputation risk (Figure 1A-1).1 These categories can then be further decomposed into more specific categories, as we show in Figure 1A-2 for market risk and credit risk. Market risk and credit risk are referred to as financial risks. In this figure, we’ve subdivided market risk into equity price risk, interest rate risk, foreign exchange risk, and commodity price risk in a manner that is in line with our detailed discussion in this appendix. Then we’ve divided interest rate risk into trading risk and the special case of gap risk; the latter relates to the risk that arises in the balance sheet of an institution as a result of the different sensitivities of assets and liabilities to changes of interest rates (see Chapter 8). In theory, the more all-encompassing the categorization and the more detailed the decomposition, the more closely the company’s risk will be captured. Board of Governors of the Federal Reserve System, Trading and Capital Markets Activities Manual, Washington D.C., April 2007. 1 23 24 • The Essentials of Risk Management FIGURE 1A-1 Typology of Risks Market risk Credit risk Liquidity risk Operational risk Risks Legal and regulatory risk Business risk Strategic risk Reputation risk In practice, this process is limited by the level of model complexity that can be handled by the available technology and by the cost and availability of internal and market data. Let’s take a closer look at the risk categories in Figure 1A-1. FIGURE 1A-2 Schematic Presentation, by Categories, of Financial Risks Equity price risk Market risk Interest rate risk Foreign exchange risk Trading risk Gap risk Commodity price risk Financial risks Transaction risk Issue risk Portfolio concentration Issuer risk Credit risk Counterparty credit risk General market risk Specific risk Risk Management: A Helicopter View • 25 Market Risk Market risk is the risk that changes in financial market prices and rates will reduce the value of a security or a portfolio. Price risk can be decomposed into a general market risk component (the risk that the market as a whole will fall in value) and a specific market risk component, unique to the particular financial transaction under consideration. In trading activities, risk arises both from open (unhedged) positions and from imperfect correlations between market positions that are intended to offset one another. Market risk is given many different names in different contexts. For example, in the case of a fund, the fund may be marketed as tracking the performance of a certain benchmark. In this case, market risk is important to the extent that it creates a risk of tracking error. Basis risk is a term used in the risk management industry to describe the chance of a breakdown in the relationship between the price of a product, on the one hand, and the price of the instrument used to hedge that price exposure, on the other. Again, it is really just a context-specific form of market risk. There are four major types of market risk: interest rate risk, equity price risk, foreign exchange risk, and commodity price risk.2 Interest Rate Risk The simplest form of interest rate risk is the risk that the value of a fixed-income security will fall as a result of an increase in market interest rates. But in complex portfolios of interest-rate-sensitive assets, many different kinds of exposure can arise from differences in the maturities and reset dates of instruments and cash flows that are asset-like (i.e., “longs”) and those that are liability-like (i.e., “shorts”). In particular, as we explain in more detail in Chapter 6, “curve” risk can arise in portfolios in which long and short positions of different maturities are effectively hedged against a parallel shift in yields, but not against a change in the shape of the yield curve. Meanwhile, even when offsetting positions have the same maturity, basis risk can arise if the rates of the positions are imperfectly correlated. For example, three-month Eurodollar instruments and threemonth Treasury bills both naturally pay three-month interest rates. However, These four categories of market risk are, in general, consistent with accounting standards. 2 26 • The Essentials of Risk Management these rates are not perfectly correlated with each other, and spreads between their yields may vary over time. As a result, a three-month Treasury bill funded by three-month Eurodollar deposits represents an imperfect offset or hedged position (often referred to as basis risk). Equity Price Risk This is the risk associated with volatility in stock prices. The general market risk of equity refers to the sensitivity of an instrument or portfolio value to a change in the level of broad stock market indices. The specific or idiosyncratic risk of equity refers to that portion of a stock’s price volatility determined by characteristics specific to the firm, such as its line of business, the quality of its management, or a breakdown in its production process. According to portfolio theory, general market risk cannot be eliminated through portfolio diversification, while specific risk can be diversified away. In Chapter 5 we discuss models for measuring equity risk. Foreign Exchange Risk Foreign exchange risk arises from open or imperfectly hedged positions in particular foreign currency denominated assets and liabilities leading to fluctuations in profits or values as measured in a local currency. These positions may arise as a natural consequence of business operations, rather than from any conscious desire to take a trading position in a currency. Foreign exchange volatility can sweep away the return from expensive cross-border investments and at the same time place a firm at a competitive disadvantage in relation to its foreign competitors.3 It may also generate huge operating losses and, through the uncertainty it causes, inhibit investment. The major drivers of foreign exchange risk are imperfect correlations in the movement of currency prices and fluctuations in international interest rates. Although it is important to acknowledge exchange rates as a distinct market risk factor, the valuation of foreign exchange transac- A famous example is Caterpillar, a U.S. heavy equipment firm, which in 1987 began a $2 billion capital investment program. A full cost reduction of 19 percent was eventually expected in 1993. During the same period the Japanese yen weakened against the U.S. dollar by 30 percent, which placed Caterpillar at a competitive disadvantage vis-à-vis its major competitor, Komatsu of Japan, even after adjusting for productivity gains. 3 Risk Management: A Helicopter View • 27 tions requires knowledge of the behavior of domestic and foreign interest rates, as well as of spot exchange rates.4 Commodity Price Risk The price risk of commodities differs considerably from interest rate and foreign exchange risk, since most commodities are traded in markets in which the concentration of supply is in the hands of a few suppliers who can magnify price volatility. For most commodities, the number of market players having direct exposure to the particular commodity is quite limited, hence affecting trading liquidity which in turn can generate high levels of price volatility. Other fundamentals affecting a commodity price include the ease and cost of storage, which varies considerably across the commodity markets (e.g., from gold to electricity to wheat). As a result of these factors, commodity prices generally have higher volatilities and larger price discontinuities (i.e., moments when prices leap from one level to another) than most traded financial securities. Commodities can be classified according to their characteristics as follows: hard commodities, or nonperishable commodities, the markets for which are further divided into precious metals (e.g., gold, silver, and platinum), which have a high price/weight value, and base metals (e.g., copper, zinc, and tin); soft commodities, or commodities with a short shelf life that are hard to store, mainly agricultural products (e.g., grains, coffee, and sugar); and energy commodities, which consist of oil, gas, electricity, and other energy products. Credit Risk Credit risk is the risk of an economic loss from the failure of a counterparty to fulfill its contractual obligations, or from the increased risk of default during the term of the transaction.5 For example, credit risk in the loan portfolio This is because of the interest rate parity condition, which describes the price of a futures contract on a foreign currency as equal to the spot exchange rate adjusted by the difference between the local interest rate and the foreign interest rate. 4 In the following we use indifferently the term “borrower” or “counterparty” for a debtor. In practice, we refer to issuer risk, or borrower risk, when credit risk involves a funded transaction such as a bond or a bank loan. In derivatives markets, counterparty credit risk is the credit risk of a counterparty for an unfunded derivatives transaction such as a swap or an option. 5 28 • The Essentials of Risk Management of a bank materializes when a borrower fails to make a payment, either of the periodic interest charge or the periodic reimbursement of principal on the loan as contracted with the bank. Credit risk can be further decomposed into four main types: default risk, bankruptcy risk, downgrade risk, and settlement risk. Box 1A-1 gives ISDA’s definition of a credit event that may trigger a payout under a credit derivatives contract.6 BOX 1A-1 CREDIT DERIVATIVES AND THE ISDA DEFINITION OF A CREDIT EVENT The spectacular growth of the market for credit default swaps (CDS) and similar instruments since the millennium has obliged the financial markets to become a lot more specific about what they regard as a credit event—i.e., the event that triggers the payment on a CDS. This event, usually a default, needs to be clearly defined to avoid any litigation when the contract is settled. CDSs normally contain a “materiality clause” requiring that the change in credit status be validated by third-party evidence. The CDS market has struggled somewhat to define the k…
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.
