Risk Management in the Financial Services industry An Overview Presented By

Risk Management in theFinancial Services industry

An Overview

Presented By:Arjun C. Marphatia

E-mail: arjunmarphatia@mumbai.tcs.co.inNishant Tiwari

Email: Nishant_Tiwari@mumbai.tcs.co.in

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Executive Summary

Today financial services companies operate in increasingly complex, competitive and global markets. Theability to manage risks across geographies, products, asset classes, customer segments and functionaldepartments is of paramount importance. The inability to manage these risks can cause irreparabledamage. Convergence, consolidation, globalization and shifting regulations have posed innumerable andhitherto unprecedented challenges for the financial services industry.

A research report from Tower Group believes that the new standards will require sizable investments ininformation technology. This will be particularly true of larger institutions that have complex organizationsand have shown a stronger appetite for risk. The report predicts that investment in comprehensivetechnology developments for risk management in the financial services industry will outpace otherinformation technology spending and will amount to an estimated total of US$21 billion in 2005.In additionto enhancing traditional risk management systems, FSIs will have to align their IT investments in a mannerthat maximizes business value by reducing capital requirements and lowering the overall exposure.The objective of this paper is to give an overview of risk management in the financial services industry. Thispaper defines the major risks from the perspective of financial services industry, the components ofEnterprise wide risk management and the role of technology in risk management. This paper also looks atthe qualitative and quantitative sides of risk management and defines a risk management framework basedon both these aspects.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

TABLE OF CONTENTSINTRODUCTION...........................................................................................................4OVERVIEW OF RISK MANAGEMENT...........................................................................6

WHAT IS RISK?..............................................................................................................................................................6TYPES OF RISKS............................................................................................................................................................7COMPONENTS OF ENTERPRISE RISK MANAGEMENT................................................................................................................8RISK MANAGEMENT FRAMEWORK......................................................................................................................................9Quantitative Side......................................................................................................................................................9Limitations of VaR...................................................................................................................................................10Qualitative Side......................................................................................................................................................11

ROLE OF TECHNOLOGY IN RISK MANAGEMENT.....................................................13

DATA AGGREGATION.....................................................................................................................................................13RISK ANALYSIS.............................................................................................................................................................15AUTOMATED OVERSIGHT................................................................................................................................................15

TRENDS IN RISK MANAGEMENT..............................................................................16

SHIFTING RISK MARKET.................................................................................................................................................16OPERATIONAL RISK MANAGEMENT...................................................................................................................................17INTEGRATION WITH OTHER SYSTEMS...............................................................................................................................17

COMPONENTS OF RISK MANAGEMENT SOFTWARE...............................................19CONCLUSION...........................................................................................................19

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Introduction

The last twenty years have been marked by substantial financial deregulation. Accompanying thisderegulation has been a plethora of methodologies and technologies for managing the risks/rewardscreated by this deregulation.

The art of managing risk is more challenging than ever. Risk managers face a wide range of demands,from working with multiple variables to finding technology solutions that generate comprehensive riskanalysis. Real-time access to accurate, updated market information is a critical component in the process.Even more critical is a highly flexible and parameterizable framework that can quickly integrate into acompany's existing infrastructure.

Over the past decade or so, the markets have seen one debacle after another, each of which has broughtits own set of lessons from some of which the markets have learned and from many of which the marketsstill need to learn!

Enterprise risk management is about optimizing the process with which risks are taken and managed. Ithas become a burning issue because organizations have started suffering huge losses- often from the risksthey never should have taken in the first place. Examples include:

Orange County (November 1994): Orange County’s investment pool lost $1.7 billion from the structurednotes and leveraged repo positions. The treasurer took positions from oversight from the county’s five-person board of supervisors. Members of the board of supervisors claim that they did not receive criticalinformation that would have indicated the risks taken.

? Baring Bank (February 1995): Baring Plc. Lost $1.5 billion because a Singapore based trader, Nick

Leeson, took unauthorized futures and options positions linked to the Nikkei 225 and Japanesegovernment bonds. At the height of his activities, Leeson controlled 49% of open interest in the Nikkei225 March 95 contract. Despite having to finance margin calls as the bank lost money, the Barings’board and management claim to have been unaware of Leeson’s activities.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

? Sumitomo Corp. (June 1996): Sumitomo’s head copper trader, Yasuo Hamanaka- popularly known

as “Mr. Copper”, disguised losses totaling $1.8 billion over a ten year period. During that time,Hamanaka performed as much as $20 billion of unauthorized trades a year. He was able to hide hisactivities because he headed his section and had trade confirmations sent directly to himself,bypassing the back office.

All these examples illustrate two common characteristics. Each one:? Was directly caused by the actions of one single individual

? Could easily have been prevented through appropriate oversight.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Overview of Risk Management

What is Risk?

Risk is exposure to uncertainty.

Thus, risk has two components: Uncertainty and Exposure to that uncertainty.

For example, if a man jumps out of an airplane with a parachute on his back, he may be uncertain as towhether or not the chute will open. He is taking a risk because he is exposed to that uncertainty. If thechute fails to open, he will suffer personally.

In this example, a typical spectator on the ground would not be taking risk. They may be equally uncertainas to whether the chute will open, but they have no personal exposure to that uncertainty. Exceptions mightinclude:

? A spectator to whom the man jumping from the plane owes money? A spectator who is a member of the man’s family

Such spectators do face risk because they may suffer financially and/or emotionally should the man’s chutefail to open they are exposed to the uncertainty. The financial services industry is primarily concerned withfinancial risk which is financial exposure to uncertainty

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Types Of Risks

Some of the most significant risks which organizations face are highly subjective. These include:? Credit Risk: Credit risk is risk resulting from uncertainty in a counterparty’s ability or willingness tomeet its contractual obligations. Examples include:

? A broker executes a trade on the behalf of an investor. If the investor is a margin client, it ispossible that he might fail to make the payment on the settlement day. Thus the broker faces creditrisk.

A housing finance company extends a housing loan to a client. Because the client could fail to make timelyprincipal or interest payments, the housing finance company faces a credit risk.

? Operational Risk: During the 1990s, financial institutions started to focus attention on the risksassociated with their back office operations—what came to be called operational risks. Having alreadyfocused on managing market and credit risks, a number of institutions broadly defined operational riskas all risks other than market or credit risks. Others have defined operational risk more narrowly as riskassociated with human or technology failure. Under either definition, some examples of operationalfailures are:

? A broker’s back office fails to catch a discrepancy between a reported trade and a confirmation fromthe counterparty. Ultimately, the trade could be disputed, causing a loss.? A trading floor burns down. (This happened to Crédit Lyonnais in 1996.)

? Before the compulsory dematerialization, a broker could suffer losses due to bad delivery resultingfrom the signature difference and/or fake certificates.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

? Market Risk: Market risk is the financial risk of uncertainty in the future market value of a portfolio of

assets and/or liabilities.

Institutions can actually reduce these risks simply by researching them. A brokerage firm can reducemarket risk by being knowledgeable about the markets it operates in.

One of the fundamental challenges of enterprise risk management is the fact that individuals who take riskson behalf of an organization are not always the same people who suffer the ultimate consequences ofthose risks.

Components of Enterprise risk management

Corporate Governance: It is the responsibility of the top management to ensure that an effective riskmanagement program is in place. This includes:

? Defining organization’s risk appetite in terms of loss tolerance, risk-to-capital leverage and target debtrating.

? Ensuring that the organization has required risk management skills and risk absorption capability tosupport its business strategy.

? Establishing an organisation structure and defining the roles and responsibilities for risk management.? Implementing an integrated risk measurement and management framework for credit, market andoperational risk.

? Establishing a risk assessment and audit processes as well as benchmarking company practices toindustry best practices

Line Management: In the pursuit of new business and growth opportunities, line management must alignits business strategy with the corporate risk policy. In executing that business strategy, the risks of businesstransactions should be fully assessed and incorporated into pricing and profitability targets.

Risk Transfer: To support portfolio management objectives, risk transfer strategies should be executed tolower the cost of hedging undesirable risks. To reduce undesirable risks, management should evaluate

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

derivatives, insurance and hybrid products on a consistent basis and select the most cost effectivealternative. For example, corporations such as Honeywell and Mead have executed alternative risk transfer(ART) products that combine the traditional insurance protection with financial risk protection. By bundlingvarious risks, risk managers have estimated 20-30% savings in the cost of risk transfer.

Risk Analytics: The development of advanced risk analytics has supported the quantification andmanagement of credit, market and operational risks on a more consistent basis. In addition to thequantification of risk exposures and risk-adjusted profitability, the same technique can be used to evaluaterisk transfer products such as derivatives and insurance. For example if management wants to reduce itsrisk exposure, say from a value-at-risk (VaR) of Rs.100 crore to a VaR of Rs. 50 crore, risk analytics can beused to determine the most cost effective structure to accomplish that risk objective.

Data and Technology resources: One of the greatest challenges for the enterprise risk management isthe aggregation of the underlying portfolio and market data. Portfolio data include risk positions that arecaptured in different front and back office systems. Market data include prices, volatilities and correlations.In addition to data aggregation, standards and processes must be established to improve the quality of datathat are fed into the risk system. With respect to risk technology there is no product that provides a totalsolution to enterprise risk management. Organisations are required to build or buy-and-build the requiredfunctionality.

Risk Management Framework

Measuring and monitoring risk at a firm wide level has increased the focus on quantification and the needfor a consistent firmwide approach. Apart from the quantitative components required for effective riskmanagement, policies, guidelines, limits, checks and balances are vital components of effective riskmanagement.

Quantitative Side

VaR was pioneered by major U.S. banks in the ’80s, as the derivative markets developed. The birth ofderivatives represented a new challenge for risk management because traditional measures of exposure

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

were clearly inadequate. For example, two derivative contracts with the same notional value could havevery different risks. With VaR, banks had developed a general measure of economic loss that could equaterisk across products and aggregate risk on a port-folio basis.

Another important stimulus to the development of VaR was the move toward mark-to-market, both for cashinstruments and derivatives. Prior to that, the emphasis was on net interest income, where the common riskmeasure was repricing gap. As trading increased, duration analysis took over, but duration's inadequaciesled to the adoption of VaR.Definition of VaR

VaR is defined as the predicted worst-case loss at a specific confidence level (e.g., 95%) over a certainperiod of time (e.g., 1 day). For example, every afternoon, J.P. Morgan takes a snapshot of its globaltrading positions to estimate its Daily-Earnings-at-Risk (DEaR), which is a VaR measure that Morgandefines as the 95% confidence worst-case loss over the next 24 hours due to adverse market movements.The elegance of the VaR solution is that it works on multiple levels, from the position-specific micro level tothe portfolio-based macro level. VaR has become a common language for communication about aggregaterisk taking, both within an organization and outside (e.g., with analysts, regulators, rating agencies, andshareholders). Virtually all major financial institutions have adopted VaR as a cornerstone of day-to-day riskmeasurement.Limitations of VaR

Var is not a panacea for all risk management and measurement issues. Many of the financial losses werecaused by failures that a VaR measurement system would not have prevented. Numbers do not tell thewhole story. Time series does not include all the market information, because market efficiency is notperfect. For example, in 1993, the US fed fund rates were flat, at 3% for the whole year. If one uses onlyhistorical price data of US short term debt securities, VaR will tell that there is very little risk in US interestrate market, since the historical standard deviation of the price series had been heading lower and lower asthe Federal Reserve held the short term interest rates fixed. In February 1994, fixed income markets blewup! If in addition to historical price data , the analysis had included factors like inflation, employment, growthand other macroeconomic factors, one would have heard a lot of noise coming and known that there was apotential storm brewing.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Qualitative Side

A calculation like VaR is necessary but not sufficient to assess the risk of complex instruments or complexarbitrage strategies. Qualitative input is just as important. In fact, the two must be used in tandem for bestresults. Appropriate policies, procedures, limits, controls as well as checks are essential. A critical focalpoint of effective risk management practice is the proper allocation of responsibilities among front, mid andback office as well as high-level risk oversight functions. The aim of a risk manager is not to nullify risk butrather to increase adequate risk-adjusted returns and to reduce as much as possible what he or she cannotcontrol and is beyond risk management.

To compensate for the limitations of VaR, firms must design and implement risk management add-ons toaddress the inherent weaknesses. Most users combine VaR with stress testing to address questions suchas “How much do I expect to lose the other 1% of the time?” As no risk measurement model is withoutlimitations or implied assumptions, it is helpful to understand what will happen should some of theunderlying assumptions break down. Stress testing is the catchall term for doing a series of scenario orwhat if analyases to investigate the effect of violating some of the basic assumptions underlying the riskmodel. As with VaR, the quality of the answer depends on the inputs, including the financial engineer’sability to select appropriate scenarios. Events such as the European currency crisis, the Gulf War andSeptember 11 demonstrated that predicting factors such as maximum volatility is difficult and thatcorrelation can change substantially during extreme market moves.Performance evaluation

To date, trading and position taking talent have been rewarded to a significant extent on the basis of totalreturns. Given the high rewards bestowed on outstanding trading talent this may bias the tradingprofessionals towards taking excessive risks. The interest of the firm or capital provider may be getting outof line with the interest of the risk taking individual unless the risks are properly measured and returns areadjusted for the amount of risk effectively taken.

To do this correctly one needs a standard measure of risks. Ideally risk taking should be evaluated on thebasis of three interlinked measures: revenues, volatility of revenues, and risks.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

The firm or the capital provider has to do a trade off between the risk, expected revenues and the volatilityof the revenues. Thus, instead of measuring the performance based only on revenues, the performanceshould be measured based on the targeted risk ratio, efficiency ratio and sharpe ratio.

RiskRisk RatioEfficiencyRatioRevenuesSharpe RatioVolatility ofRevenuesRisk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Role of Technology in Risk Management

For many institutions such as banks, investment management firms, insurance companies, brokeragefirms, technology is a critical component of any risk management initiative. For institutions which relyheavily on technology, there is always a risk technology becoming the focus of risk management. It isimportant to recognize that the risk management is primarily about people – how they think and how theyinteract with one another. Technology is just a tool. In the wrong hands, it is useless, but appliedappropriately, it can transform an organization. A good approach would be to start by planning a riskmanagement strategy focussing on procedural and cultural issues of risk management. Once a strategy isformulated, then one can determine how and where technology needs to be incorporated or where it canenhance strategy. Technology can reshape corporate cultures and facilitate innovative procedures. Here ishow…

Data Aggregation

Information is to the very basis of risk management. This is critical in today’s age of information overload.However, before it can be processed, analyzed or acted upon, the right information must first be madeavailable at the right time to the systems and individuals who need it. In each of the examples given in theintroduction, the debacle could have been prevented if the decision-makers had the right information at theright time!

Automation can play a valuable role by reducing or eliminating the need for manual intervention inprocesses such as deal capture, confirmations, reporting , funds transfer and most importantly monitoringof limits. This, however, is just one of the benefits of automated transaction processing and generating datafor control and reporting.

Managing such risks as organization’s total yield curve exposure, or its total credit exposure to acounterparty is impossible without comprehensive information about those exposures.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Before an enterprise can attempt to manage risk on an enterprise wide basis, it first must collect andcommunicate all necessary information relating to those risks. Consider the example of a Securities firmwhich has just two trading desks. For these desks to cooperate in managing risks, there would be just oneline of communication. Suppose, however, that the securities firm has not two but ten desks. In this case,the line of communications needed would be forty five. Trying to manage risk across forty five lines wouldbecome a monumental task. Add to this the differing conventions that might exist on each bench, the needto coordinate desks in multiple time zones, and the task of also communicating with the back office, salesand risk management – the problem becomes insurmountable. Exhibit 1 and 2 illustrate the complexityinvolved in communicating between multiple desks.

Source: Enterprise Risk Management by Glyn A. Holton

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Today, technology makes it possible to effectively communicate information – across desks, acrossdepartments and across globe. This technology is called data aggregation.

Risk Analysis

“How much risk are we taking?” This question is so simple – and yet so profound.

In one form or another, it underlies enterprise risk management. In the past, organizations would look atProfit & Loss statement to answer the question. Volatile profits meant high risk. A problem, however, is thatprofit & loss is a retrospective and historic indicator of risk. Indeed, for many risks, profit & loss statementmay reveal little or no information.

In order to manage risks, organizations need to be able to measure those risks prospectively. They need toknow, based on their current position, how much risk are they taking. Organizations are addressing thischallenge with statistical risk measures. For market risk, value at risk is being used. For credit exposure,measures such as expected exposure or maximum exposure are being used.

Institutions are turning to more powerful systems to support their risk analysis. Distributed systems whichrun the simulation simultaneously on multiple systems offer much potential. When these are used incombination with the latest simulation techniques, many sophisticated forms of statistical risk analysis canbe performed in near real time.

Automated Oversight

With the statistical risk measures and the ability to assign a precise number to risks, oversight can beautomated. The process starts by assigning each department, each desk and each trader explicit authorityto take specific risks. For example a foreign exchange trader who trades in three different currencies, mightbe given a risk limit for each currency. The risk management system would track the trader’s value at riskarising from exposure to each of the currencies to ensure that the trader remains within the pre determined

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

limits. In addition to trader specific limits, there would be overall limits for each desk and total limits for theentire trading operation.

When a limit structure is supported by risk measurement technology risk oversight becomes automated. If atrader exceeds the limits, it is immediately reported to the manager. In this way a clear standard is set forappropriate behaviour. The managemr is thus alerted and can take immediate steps to reduce theexposure and mitigate the risk.

Trends in Risk Management

Today risk managers are struggling to understand, and even quantify, the impact of waves of mergers,acquisitions, restructuring, and competition that are sweeping their organizations. The Internet isincreasingly becoming the environment of choice for extending risk management systems where they areneeded.

Operational risk management, an emerging discipline, attempts to quantify risks not only in products, butalso in processes, technology, organizations, and strategic opportunities. For example, organizations nowrely heavily on computer systems, which are vulnerable to power failures, network outages, operator errors,hacking, software glitches, etc. While there are numerous software packages that track and measureissues such as creditworthiness and financial risks, solutions addressing wider operational risks are alsobeginning to appear on the market.

Shifting Risk Market

As the market shifts to include new tools and new platforms, many executives believe that their riskmanagement systems are inadequate. Systems may be incomplete, inflexible, and not easily analyzed,with too slow response times. Today's derivatives software is based on spreadsheets and relationaldatabases and may be difficult to adapt to market variables.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Operational Risk Management

Early adopters in the financial services industry are now looking to incorporate operational risk tools intotheir risk management systems, extending the discipline of risk management to every business unit. Tomeet this need, leading risk management software vendors are incorporating operational risk componentsinto their offerings. Most provide tools to measure the impact of transaction processing errors, businesscontinuity strategies, and business processes and controls.

In some respects, risk managers may increasingly borrow techniques and methodologies from otherindustries. Many of the software tools available for risk management in other industries may be useful infinancial organizations. These tools include collaborative applications, project management software, andasset management systems.

Another trend reshaping the architecture of risk management packages is the rise of the Internet and WorldWide Web as an application and communications platform. Risk management applications are nowconfigured for Internet usage, and many are now being written in Java, the language that can run acrossany system attached to the Web. In addition, the Internet has increased the amount of informationresources that can be accessed by risk management professionals. Often, the Internet can be used toobtain global information updates (at no charge). Several Internet resources monitor the captive, offshoreinsurance, reinsurance, and risk financing markets.

Integration With Other Systems

Robust risk management systems require relational databases and client/server systems. Thoseinstitutions that have risk management systems in place report that more powerful database technologyand distributed computing are underpinning their systems. Many also employ data modeling. Advancedsystems--such as neural networks and knowledge-based systems--are virtually nonexistent to date, butsome early adopters are looking into these technologies. Straight-through processing capabilities,

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

integrating front-office, back-office, accounting, and workflow systems have become essential features of abrokerage solution.

Accessing and analyzing huge volumes of data that arise from transactions have always been a challengefor banks. Operational database systems were not designed for tracking historical data. Data warehouseshelp risk managers address the need to be able to examine large quantities of data and do year-to-year ormonth-to-month analysis. For example, in a realtime risk management warehouse, trade transactions areentered into workstations, sent directly to the warehouse, and incorporated with data such as exchangerates or treasury yields. Data warehouse also include \"data cleansing\" technologies that remove errorsfrom historical market data and therefore improve the quality of analysis. In addition to internal companydata, a primary characteristic of risk management systems is that they also integrate the latest market andexternal data.

An illustration of the impact of technology can be seen on a typical trading floor. Until recently, traders filledout paper trade tickets that were entered into back-office accounting and control systems. A report wouldfollow. Now, with distributed computing networks, trades can immediately interface with risk managementsystems. Technology has also enabled risk managers to develop new derivatives instruments tailored tomeet the requirements of individual investors (institutional & high net worth). It also increases access toavailable information about the potential risks and returns of portfolios. In addition, a new generation of PC-based tools and applications has made it possible for smaller banks to now access the same technologiesthat formerly were only available to the largest financial institutions.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

Components of Risk Management Software

The challenge is building systems that can handle potentially thousands of computations, measuringtransactions, interest rate curves, volatility sets, and correlation sets. This requires a distributed architecturethat consists of networked workstations or servers. Add to the picture a business involving manycurrencies, many products, and clients resident in many countries.

Typically, risk management software packages include the following components:

? ? ? ? ? ? ? ? ? ?

Credit risk measures, models, and exposure simulationMarket risk measures, models, and exposure simulationFraud risk measures, models, and exposure simulationValue-at-Risk, historic simulation, and Monte Carlo simulation\"Greek\" risk calculators (beta, delta, gamma, vega, theta, rho)

Instrument coverage (such as fixed income, equities, commodities, derivatives)Modelling & Scenario generationStress testing and time simulations

APIs and toolkits for interfaces to other systemsSpreadsheet add-ins

Conclusion

Risk management is a continuously evolving mix of science and art. Losses are inevitable, but one mustkeep learning from the past. Risk itself is not bad, but risk that is misplaced, mismanaged, misunderstood,or unintended is bad. Each institution needs to assess which method best suits its objectives, its business,its view of the world and its pockets. A clear distinction should be made between risk management and risktaking. Risk management oversees and ensures the integrity of the process with which risks are taken. Tomaintain the objectivity, risk management cannot be a part of the risk taking process. Individuals whomanage risk need to be completely independent from individuals who are responsible for taking risk.

Risk Management in Financial Services Industry: An Overview – Arjun C Marphatia & Nishant Tiwari

References:

Risk Technology in new millenium : Tower group

Measuring Financial Risk in the 21st Century by Leslie Rahl & Zoubair EsseghaierRisk Management in Financial Services by Manish Misra (Vice President , Oyster solutions)Enterprise Risk Management by Glyn A. Holton (Contingency Analysis)Enterprise wide Risk Management and the role of chief risk officer by James LamA practical guide to risk management : RiskMetrics Groupwww.cmra.comwww.garp.comwww.bobsguide.comwww.wallstreetandtech.com

Disclaimer:

Some of the ideas expressed in this paper are from books, reports, presentations, discussions, periodicals and papersand other sources.