market risk computations (e.g. delta, gamma, vega, rho, theta) thrown out by models were questionable. But how many practitioners in the bank knew this?
Assuming high negative gamma risk
In the business of derivatives, negative gamma risk can be a scary experience. Gamma is the rate of change in the delta of an option instrument. Delta is just the price change of the option compared to the price of the underlying.
When gamma is positive, this means that as the price of the underlying moves in your favour, the rate at which you profit will accelerate, i.e. the delta is increasing. When the underlying moves against you, the rate at which you lose will decelerate. When gamma is negative, this means that the rate at which you profit will DECELERATE as the stock price continues to move in your favour, but the rate at which you lose will ACCELERATE as the stock price makes continued moves against you.
Markets can turn the corner suddenly and become very volatile. Short positions tend to suffer huge negative gamma in volatile markets. The problem is not with the computation or knowledge of the negative gamma, but more that risk managers are unable to tell when negative gamma will shoot up in volatile markets. When the markets do turn suddenly and negative gamma rises suddenly, risk managers often end up instructing that positions be liquidated at a major loss. To make matters worse in volatile times, another risk, liquidity, makes getting rid of positions even more difficult.
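The behaviour described above can be reproduced numerically. The following is an added example, not part of the original article: it assumes a Black-Scholes European call with constructed contract terms (strike, volatility, rate and maturity are illustrative), estimates delta and gamma by finite differences, and shows the step-by-step P&L of a short position as the underlying moves against it and in its favour.

```python
import math

# Assumed contract terms for illustration; none of these come from the article.
STRIKE, VOL, RATE, YEARS = 100.0, 0.20, 0.0, 0.25

def _cdf(x):
    """Standard normal cumulative distribution function."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def call_price(spot):
    """Black-Scholes European call price (assumed pricing model)."""
    sd = VOL * math.sqrt(YEARS)
    d1 = (math.log(spot / STRIKE) + (RATE + 0.5 * VOL ** 2) * YEARS) / sd
    return spot * _cdf(d1) - STRIKE * math.exp(-RATE * YEARS) * _cdf(d1 - sd)

def delta(spot, qty, h=0.01):
    """Position delta: option price change per unit move in the underlying."""
    return qty * (call_price(spot + h) - call_price(spot - h)) / (2 * h)

def gamma(spot, qty, h=0.01):
    """Position gamma: rate of change of delta (central second difference)."""
    up, mid, down = call_price(spot + h), call_price(spot), call_price(spot - h)
    return qty * (up - 2 * mid + down) / h ** 2

def step_pnl(path, qty):
    """Incremental P&L of an unhedged position for each step along a price path."""
    return [qty * (call_price(b) - call_price(a)) for a, b in zip(path, path[1:])]

if __name__ == "__main__":
    short = -100  # short 100 calls, so position gamma is negative
    print("delta %.1f gamma %.2f" % (delta(100, short), gamma(100, short)))
    print("against:", [round(x) for x in step_pnl([100, 105, 110], short)])
    print("in favour:", [round(x) for x in step_pnl([100, 95, 90], short)])
```

For the short position, each further 5-point move against it loses more than the previous one, while each further 5-point move in its favour earns less than the previous one.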
So, what does the auditor do?
Do not discourage such risks
It is a mistake to conclude that taking complicated risk and assuming negative gamma in positions is bad and should be avoided at all costs. This is part and parcel of any growing financial market. The answer is in managing the risks around the positions, so that when things do falter (and they do), the safety net is ready. Regulators, especially in Asia (and Malaysia), who have been shying away from “complicated” derivatives, are slowly realising this and starting to liberalise their markets.
Understand the business well
The auditor can start by taking a good look at the type of derivative business that the bank engages in. Questions in his mind would include: what kind of risk is being taken; are all types of risk being considered; does any ambiguity exist in the computation of any risk (for example, there is still no market standard for correlated default risk); and what are the risk trends. A detailed assessment of the IT environment for risk computations and reports is critical too, as risk managers depend entirely on data processing and models.
It is always useful to review off-balance sheet structures with risk management personnel to assess what risk they carry and whether all the risks are captured and accounted for.
Review stress testing and scenario analysis
The auditor should also review scenario analysis and stress testing. The focus is not the performance of the tests but that the right parameters are stressed and the scenarios are