FRM Part 1

Book 1 – Foundations of Risk Management

THE GOVERNANCE OF RISK MANAGEMENT


Learning Objectives
After completing this reading you should be able to:
 Explain changes in corporate risk governance that occurred
as a result of the 2007-2009 financial crisis.
 Compare and contrast best practices in corporate governance
with those of risk management.
 Assess the role and responsibilities of the board of directors in
risk governance.
 Evaluate the relationship between a firm's risk appetite and its
business strategy, including the role of incentives.
 Illustrate the interdependence of functional units within a firm as
it relates to risk management.
 Assess the role and responsibilities of a firm's audit committee.
Link Between Corporate Governance and
Risk Management
 Corporate governance refers to the system of rules, practices, and
controls put in place by a firm to ensure accountability, transparency, and
achievement of long-term goals (value).
 Risk management is a critical part of corporate governance.
o It’s important for firms to come up with clear rules, regulations, and
procedures that govern all risk management activities.
o Failure of the risk management function is almost always blamed on
improper governance.
 Recent corporate failures, including the 2007/2009 financial crisis, have
largely been attributed to a lack of transparency and a breakdown in the
transmission of relevant information to decision makers (the board of
directors).

[Figure labels: board of directors (B.O.D.), CEO, B.O.D. chair, CRO]

A Case of Corporate Governance Failure:
Barings Bank
Failure of Barings Bank (1995)
 Nick Leeson, a derivatives trader, was given too much freedom by the
management such that he could identify potential trades and unilaterally
execute them.
 At one point, he executed speculative trades worth more than $7 billion
in a matter of hours. Leeson lost, and the bank collapsed!
 How did he do it?
o After a series of eye-watering profits soon after his appointment,
Leeson instilled confidence in the management who turned a blind eye
to his subsequent dealings.
o There were no checks and balances within the department; Leeson
ran both the front and back offices; he confirmed and settled trades
transacted by the front office - which he himself passed! He was
therefore able to hide what he wanted.
Corporate Governance and Risk
Management are Inseparable
 From a corporate governance perspective, the board has a primary
objective to prioritize and look after the interests of shareholders.
o With that comes the need to identify the risks the business needs to
assume so as to generate a return for the shareholders.
 The board also has to look after the interests of debt holders.
o While appraising any capital project, the board needs to assess the
project’s riskiness and the probability of insolvency, which could be
detrimental to debt holders.
 Recent events have served to align the goals of corporate governance
with those of risk management, giving rise to “risk governance.”
o For instance, firms worldwide have adopted a governance structure
where the CEO and board chairman are two separate offices. The aim
is to further strengthen the independence of the board such that
members can evaluate the risk profiles of projects presented to them
without bias or compromise
Risk Governance
The responsibilities of the board of directors
 Steer the firm according to the interests of the shareholders.
 Look after the interests of other stakeholders such as debt holders while
developing strategies at the corporate level.
 Ensure the sustainability of projects/profits.
 Keep an eye on agency risks i.e. conflict of interests between the
management and stakeholders.

 Governance roles should be independent of executive roles, i.e. the board
and the CEO should act independently of each other.
 There’s a global push to have firms appoint chief risk officers (CROs) who
attend board meetings and report directly to the board.
Risk Governance
Board members must understand business
strategies and associated risks
 The risks associated with business activities should be made
transparent to the stakeholders.
 An appropriate risk appetite should be set for the firm and the board
should oversee the managerial activities and strategy formulation
process.
 Risk management has to be part of business planning.
 Risks associated with every target should be properly assessed to see
if they fit into the firm’s risk appetite.
Risk Governance
The risk management compass
 For every risk, a firm has four basic choices:
o Mitigate: preventive/detective measures
o Accept
o Transfer: insurance/outsourcing
o Reject
Risk Governance
Key points
 Risk management strategies should be directed to impact economic
performance rather than accounting performance.
 Policies, directives, and infrastructure related to risk management should
be properly placed in a firm.
 Align risk and reward:
 The board should make sure that staff get rewarded according to
their risk-adjusted performance.
 This checks fraud related to financial manipulation and stock price
boosting.
 The board should check the quality and reliability of information about
risks.
Risk Governance
Key points
 The board should be educated on risk management and should be
able to determine the appropriate risk appetite for the firm.
o There should also be an assessment of risk metrics over a specified
time horizon that the board may set.
 Some technical sophistication is required to build clear strategies and
directives in relation to key risk disciplines.
o A risk committee of the board should be qualified enough to handle
these technicalities.
o The risk committee should be separate from the audit committee on
grounds of difference in skills and responsibilities.
Role of Audit Committee of the
Board
 The audit committee’s responsibility is to look into the accuracy of
financial and regulatory reporting of the firm and the quality of
processes that underlie such activities.
o The members should ideally be nonexecutives so as to keep the
audit committee clear from executive influence.
o The audit committee should interact with the management
productively and should keep all channels of communication open.
 The audit committee verifies the activities of the firm to see whether the
reports reflect them.
 It ensures that a bank complies with standards in regulatory, risk
management, legal and compliance activities.
The Role of Risk Advisory
Director
 The presence of nonexecutives without any risk management expertise
on the board may create an environment where decisions are not well
thought out.
 For this reason, there should be a risk management specialist – a risk
advisory director – on the board.
 The risk advisory director should:
o Oversee development of risk management policies and reports.
o Oversee financial reporting and the dealings between the firm and its
associates.
o Ensure compliance with regulatory requirements.
o Participate in risk committee meetings to provide independent review of
risk reports.

[Figure labels: Basel III, VaR, IFRS 9, Sarbanes-Oxley]

Role of Risk Management
Committee of the Board

 Independently review different forms of risks like liquidity risk,
market risk, etc. and the policies related to them.
 Approve individual credits
 Monitor portfolios and major trends in the
market as well as breakdowns in the
industry, liquidity crunch, etc.
 Report to the board about matters related
to risk levels, credits and also provide
opportunities for direct interaction with the
external auditor, management committees,
etc.
Roles and Responsibilities in
Practice
How risk governance mechanisms work
 A recommendation about the risk appetite of the firm is given to the risk
committee of the board, by the senior risk committee. The senior risk committee
determines the financial and non-financial risks in line with the risk appetite. The
risk committee of the board approves the risk appetite for the bank. It also
delegates authority to the senior risk committee.
 The senior risk committee documents and enforces policies pertaining to
risks and delegates business level risk limits to the chief risk officer. It delegates
to the CRO the authority to approve excess risks in various lines of business. It
reviews and approves the risk limits of all the business units in the bank.
 The CRO frames the bank’s risk management strategy and risk methodologies
and is responsible for the infrastructure for corporate risk governance. He monitors
the risk limits for all the business units and communicates the decisions and
viewpoint of the board across the organization. He delegates some of the risk
management responsibilities to the heads of business units.
Roles and Responsibilities in
Practice
How risk governance mechanisms work
 The business risk committee may be constituted at major business
levels to look into the decisions and strategies of businesses so that they
are in line with the risk appetite of the firm. It sets out strategies and
directives for business-level risk management and review.
 In a bank, the operations function is important for risk management, as
it incorporates booking and settling trades and reconciling the front
and back ends. The finance function of banks frames the policy related
to valuation and finance and also ensures the reliability and integrity
of P&L reports.
Senior Management
• Approves business plans and targets
• Sets risk tolerance
• Establishes policy
• Ensures performance

Trading Room Management
• Establishes and manages risk exposure
• Ensures timely, accurate, and complete deal capture
• Signs off on official P&L

Risk Management
• Develops risk policies
• Monitors compliance to limits
• Manages Risk Committee process
• Vets models and spreadsheets
• Provides independent view on risk
• Supports business needs

Operations
• Books and settles trades
• Reconciles front- and back-office positions
• Prepares and decomposes daily P&L
• Provides independent mark-to-market

Finance
• Develops valuation policy
• Ensures integrity of P&L
• Manages business planning process
• Supports business needs

FIGURE 1 Interdependence for managing risk
 Risk Committee of the Board: Approves market risk tolerance each year.
o Delegates authority to Senior Risk Committee (holds say 25% in reserve).
 Senior Risk Committee:
o Step 1: Approves market risk tolerance, stress and performance limits
each year; reviews business unit mandates and new business initiatives.
o Step 2: Delegates authority to the CAO and holds additional authority in
reserves approved by the risk committee of the board.
o Delegates authority to CRO (holds say 15% in reserve).
 CRO: Responsible for independent monitoring of limits; may order positions
reduced for market, credit, or operational concerns.
o Delegates authority to Heads of Business (holds say 10% in reserve).
 Heads of Business: Share responsibility for risk of all trading activities.
o Delegates to Business Unit Manager.
 Business Unit Manager: Responsible for risk and performance of the
business. Must ensure limits are delegated to traders.

FIGURE 3 Delegation process for market risk authorities


The Role of Audit Function
The audit function
 Is responsible for an independent assessment of the framework and
implementation of risk management.
 Reports to the board about the strategies of business managers and
executives
 Monitors the adequacy and reliability of the documentation
 Examines the integrity and independence of position data and that of
management information system
 Reviews the design of financial rates database, which is used to generate
parameters for VaR models, and things like risk management system
upgrade
 Evaluates the design and conceptual soundness of risk metrics and
measures, and that of stress testing methodologies.
Conclusion
 It is not possible to control the financial health of a firm without an
excellent risk management function and appropriate risk metric.
o As can be seen from the subprime crisis in the United States.
 To be on the safe side, every firm must have clear risk management
policies such that everyone understands their role, and directives have a
clear pathway.
 The risk committees should participate in framing risk management
methodologies and they should have appropriate knowledge of risks &
metrics.
 Economic capital can be used to set risk limits, and it can also be
used to determine the profitability of various business lines.
 Compensation schemes should be aligned with risk management.
Learning Objectives Recap:
 Explain changes in corporate risk governance that occurred as a
result of the 2007-2009 financial crisis.
 Compare and contrast best practices in corporate governance with
those of risk management.
 Assess the role and responsibilities of the board of directors in risk
governance.
 Evaluate the relationship between a firm's risk appetite and its
business strategy, including the role of incentives.
 Illustrate the interdependence of functional units within a firm as it
relates to risk management.
 Assess the role and responsibilities of a firm's audit committee.