Description
THE
ESSENTIALS OF
RISK
MANAGEMENT
This page intentionally left blank
THE
ESSENTIALS OF
RISK
MANAGEMENT
SECOND EDITION
MICHEL CROUHY, DAN GALAI, ROBERT MARK
New York Chicago San Francisco Athens
London Madrid Mexico City Milan
New Delhi Singapore Sydney Toronto
Copyright © 2014 by McGraw-Hill Education. All rights reserved. Except as permited under the United States
Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any
means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-182115-5
MHID: 0-07-182115-5
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-181851-3,
MHID: 0-07-181851-0.
eBook conversion by codeMantra
Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every
occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the
trademark owner, with no intention of infringement of the trademark. Where such designations appear in this
book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales
promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us
page at www.mhprofessional.com.
This publication is designed to provide accurate and authoritative information in regard to the subject matter
covered. It is sold with the understanding that neither the author nor the publisher is engaged in rendering
legal, accounting, securities trading, or other professional services. If legal advice or other expert assistance is
required, the services of a competent professional person should be sought.
—From a Declaration of Principles Jointly Adopted by a Committee of the
American Bar Association and a Committee of Publishers and Associations
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right
to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce,
modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the
work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work
may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE
NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS
OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND
EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained
in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither
McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or
omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education
has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them
has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or
cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
CONTENTS
Foreword
vii
Foreword
xi
I ntroduction to the Second Edition:
Reforming Risk Management for the Post-Crisis Era
xv
1. Risk Management: A Helicopter View
1
1.1 Typology of Risk Exposures
23
2. Corporate Risk Management: A Primer
45
3. Banks and Their Regulators:
The Post-Crisis Regulatory Framework
67
3.1 Basel I
117
3.2 The 1996 Market Risk Amendment
125
3.3 Basel II and Minimum Capital Requirements for Credit Risk 131
3.4 Basel 2.5: Enhancements to the Basel II Framework
137
3.5 Contingent Convertible Bonds
143
4. Corporate Governance and Risk Management
151
5. A User-Friendly Guide to the Theory of Risk and Return
183
6. Interest Rate Risk and Hedging with Derivative Instruments
203
7. Measuring Market Risk: Value-at-Risk,
Expected Shortfall, and Similar Metrics
233
8. Asset/Liability Management
265
9. Credit Scoring and Retail Credit Risk Management
305
10. Commercial Credit Risk and the Rating
of Individual Credits
333
10.1 Definitions of Key Financial Ratios
363
v
vi • Contents
11. Quantitative Approaches to Credit
Portfolio Risk and Credit Modeling
11.1 The Basic Idea of the Reduced Form Model
12. The Credit Transfer Markets—and Their Implications
12.1 Why the Rating of CDOs by
Rating Agencies Was Misleading
13. Counterparty Credit Risk: CVA, DVA, and FVA
14. Operational Risk
15. Model Risk
16. Stress Testing and Scenario Analysis
16.1 The 2013 Dodd-Frank Severely Adverse Scenarios
17. Risk Capital Attribution and
Risk-Adjusted Performance Measurement
Epilogue: Trends in Risk Management
Index
365
407
411
467
471
499
529
555
581
583
609
619
FOREWORD
The world changed after the global financial crisis of 2007–2009, and the
change was especially dramatic for banks. The second edition of this book
is therefore very welcome and helps to clarify both the implications of
the crisis for risk management and the far-reaching process of regulatory
change that will come into full force over the next few years.
Banks are reforming their risk management processes, but the challenge goes much deeper. Banks must rethink their business models and
even question the reason for their existence. Do they exist to take proprietary risks (on or off their balance sheet) or to provide a focused set of
services and skills to their customers and business partners?
At Natixis, our business adopts the latter model. We have recently
completed an aggressive push to adapt to post-crisis regulatory constraints,
end our proprietary activities, reduce our risk profile, and refocus on
our three core businesses: wholesale banking, investment solutions, and
specialized financial services.
The far higher capital costs under Basel III are likely to shift many
other banks toward a more service-based business model with less risk
retained. The new regulations are also obliging banks to change their funding strategies—e.g., by making use of new funding tools in addition to
reformed approaches to securitization and traditional funding avenues.
This change of philosophy may mean developing trusted partnerships
with different kinds of financial institutions, such as insurance companies
and pension funds, that can absorb the risks that banks no longer wish to
carry on their balance sheets—a process that Natixis has already begun.
As banks change their approach, they must also take a fresh look at
their corporate governance. The crisis showed that banks had been driven
vii
viii • Foreword
by too simplistic a notion of growth and short-term profitability. Going
forward, firms must build a wider and longer-term view of stakeholder
interests—e.g., by defining long-term risk appetites explicitly and connecting these securely to strategic and operational decisions. Ensuring the
right kind of growth will require many of the best-practice mechanisms of
corporate governance discussed in this book.
The crisis also showed that banks need to pay more than lip service
to the concept of enterprise risk management. They must improve their
understanding of how a wide range of risks—credit, market, liquidity,
operational, reputation, and more—can interact with and exacerbate
each other in a bank’s portfolios and business models when the financial
system is under strain.
In turn, this requires the development of new risk management
methodologies and bankwide infrastructures—for example, in the area
of macroeconomic stress testing. One of the accomplishments of this book
is that it helps set out these new methodologies and explains their strengths
and also their limitations. The authors believe that financial institutions
must not rely on any single risk measure, new or old. Risk measurement
and management methodologies are there to help decision makers, not to
supply simplistic answers.
It is critical that institutions (as well as regulators) develop a better
understanding of the interconnected nature of the global financial system.
As this book explains in its various chapters, systemic risks, counterparty
interconnections, liquidity risks, credit risks, and market risks all feed on
one another in a crisis. Understanding how risks concentrate during good
times and then spread through systemic interconnections during bad times
needs to become part of the philosophy of bank risk management. Without
this understanding, it is difficult for financial institutions to resist activities
that boost growth and profitability in the short term, but that may create
unsustainable levels of risk in the longer term.
The global economy is trying to find a path toward sustainable growth
at the same time that developed nations have begun to unwind the unprecedented support given to economies and banking systems during the
crisis years. This will give rise to many challenges as well as opportunities.
Natixis plays a frontline role in financing the real economy, but we know
that this must be built on solid risk-managed foundations.
Foreword • ix
In this sense, the book supports the business philosophy we are
developing at Natixis. We believe that long-term success comes to institutions and economies that can deliver growth while managing downside
risks through both improved risk management and the careful selection of
fundamental business models.
Laurent Mignon
Chief Executive Officer of Natixis
September 13, 2013
This page intentionally left blank
FOREWORD
I think that the concept of the Crouhy, Galai, and Mark book, The Essen-
tials of Risk Management, Second Edition, is brilliant. In my career as an
academic and in investment management, I found that there is too large
a separation between the technocrats who build risk-management models
and systems and those who should be using them. In addition, the model
builders seem to me to be too far from economics, understanding what
risk management can and cannot do and how to structure the risk management problem. Crouhy, Galai, and Mark bridge that gap. They bring the
academic research together with applications and implementation. If riskmanagement model builders come to appreciate the economics underlying
the models, they would be better prepared to build risk-management tools
that have real value for banks and other entities. And, as the authors bring
up time and again, board members of corporations must also become as
familiar with the models and their underlying economics to ask the correct
follow-up questions.
Risk management is often described as being an independent activity of the firm, different from generating returns. Most macro and micro
models in economics start from a framework of certainty and add an error
term, a risk term to represent uncertainty. When describing predicted
actions that arise from these models, the error or uncertainty term disappears because the modelers assume that it’s best to take expectations as
their best guess as to future outcomes.
In both cases, however, this is incorrect. Risk management is part
of an optimization program, the tradeoffs between risk and return. As
described in the book, the three tools of risk management are (a) reserves,
(b) diversification, and (c) insurance. With greater reserves against adverse
xi
xii • Foreword
outcomes, the risk of the firm or the bank is reduced. Greater reserves,
however, imply lower returns. And, the dynamics of the reserve need to be
known. For example, if a bank needs capital or liquidity reserves to shield
it against shock, is the reserve static or can it be used, and how is it to be
used at time of shock? If it is a reserve that must always be at a static level,
it is not a reserve at all. These are important optimization and planning
questions under uncertainty. With more diversification, the bank reduces
idiosyncratic risks and retains systematic risks, which it might also transfer
to the market.
Diversification has benefits. But, if a bank earns profits because its
clients want particular services such as mortgages, it might want to concentrate and make money by taking on additional idiosyncratic risk, for
it is not possible to diversify away all risks and still earn abnormal profits.
The bank must respond to its client’s demands and, as a result, take on
idiosyncratic risks. The same is true of insurance. Unlike car insurance,
wherein, say, the value of the car is knowable over the year, and the amount
of the insurance is easy to ascertain, as the book describes, the bank might
not know how much insurance is necessary and when it might need the
insurance. Nor does it know the dynamics of the insurance plan as prices
change in the market.
That is why risk management is integrated into an optimization system where there always are tradeoffs between risk and return. To ignore
risk considerations is inappropriate; to concentrate on risk is inappropriate. The boards of banks or corporations are responsible to understand and
challenge the optimization problem. Likewise, modelers must also understand the economic tradeoffs. Prior to the financial crisis of 2008, many
banks organized their risk management activities in line and not circle
form. That is, the risk department was separate and below the production
department. The risk management systems of the future must be designed
such that the optimization problem is the center focus. This involves deciding on the level of capital employed not only for working capital, or physical investment capital, or human capital but also the amount of risk capital in deciding on the profitability of various business lines and how they
coordinate with each other.
Risk management involves measurement and model building. This
book provides us with a description of many of the problems in building
Foreword • xiii
models and in providing the inputs to the models. But, once the senior
management and the modelers understand the issues, they will change
their focus and address the modeling and measurement issues. For example, there are three major problems in the model building/data provision
or calibration of the model framework: (1) using historical data to calibrate
the model, (2) assuming the spatial relationships will remain unchanged,
such as how particular assets are grouped together into clusters or how
clusters move together, and, (3) assuming that once the model is built and
calibrated that others don’t reverse engineer the model and its calibration
and game against those using the model. There are myriad examples and
applications of each of these, or these in combination with each other in
this book. For example, the rating agencies used historical data to calibrate the likelihood of declines in housing price such that homeowners
would default on their mortgages. Unfortunately they used too short a time
period and assumed incorrectly that the best prediction of the future would
be provided from these short-period data inputs. They also assumed that
homeowners default on their mortgages randomly, while ignoring the possibility that the independent clusters of possible mortgage defaults that
they assumed existed would become one cluster during a crisis such as
the 2008 financial crisis. Moreover, once they provided their ratings on
complicated mortgage structured products, market participants reverse
engineered how they rated mortgage products and gamed against them by
putting lower and lower quality mortgages into structures to pass just the
ratings level that they wanted to attain. These three lessons are pervasive
in risk management and are illustrated brilliantly in one form or the other
over and over again in this book.
There are decisions that should be made, in part, proactively and decisions that should be made, in part, reactively. Risk management includes
an understanding of how to plan to respond to changes in the opportunity
set and to changes in the costs of adjusting assets and to financing activities. There is a value in planning for uncertainty. Ignoring risk might supply large short-term profits but at the expense of survivorship of the business, for not setting aside sufficient risk capital threatens survivorship of
the business. And understanding includes evaluating the returns and risks
of embedded and explicit options.
xiv • Foreword
All risk management systems require a careful combination of academic modeling and research with practical applications. Academic
research highlighted in this book has made a major contribution to
risk management techniques. Practice must be aware of the underlying
assumptions of these models and in what situations they apply or don’t
apply and adjust them accordingly. Practical applications include understanding data issues in providing inputs to these risk models and in
calibrating them consistent with underlying economics. The 2008 crisis
highlighted once again the importance of risk management. I believe that
all board members must become as conversant in risk management as in
return generation. That will become a prerequisite for board participation.
This book highlights the importance of these issues.
Myron S. Scholes, Frank E. Buck Professor of Finance, Emeritus, Stanford
University Graduate School of Business; 1997 recipient of the Nobel Prize
in Economics
November, 2013
INTRODUCTION TO THE
SECOND EDITION:
REFORMING RISK
MANAGEMENT FOR THE
POST-CRISIS ERA
Half a dozen years and more have passed since the start of the global
financial crisis of 2007–2009,1 and even the European sovereign debt crisis
of 2010 is fading into history. In neither case can we be sure that the crises are fully resolved, and their aftershocks and ramifications continue to
shape our world. However, enough time may have elapsed for us to absorb
the main lessons of the crisis years and to begin to understand the implications of the still unfolding reforms of the world’s financial industries.
In this new edition of The Essentials of Risk Management, we have
revisited each chapter in light of what has been learned from risk management failures during the crisis years, and in this Introduction we pick out
key trends in risk management since we published the first edition in 2006.
However, we have also tried to prevent the book as a whole from
becoming too dominated by the extraordinary events of 2007–2009 and
the immediate succeeding years. Some of the lessons learned in those years
were lessons that earlier crises had already taught risk managers, and that
Throughout this book, we’ve used the phrase “financial crisis of 2007–2009” to define, reasonably precisely, the banking and financial system crisis of that period. Others choose to
use the term “global financial crisis,” or GFC.
1
xv
xvi • Introduction to the Second Edition
were covered in some detail in the first edition of the book—even if some
firms found it hard to put them into practice. The crisis years also spawned
a series of fundamental reforms of the regulation of financial institutions,
and one thing we can be sure of in risk management is that major structural change creates new business environments, which in turn transform
business behavior and risk.
One of the curses of risk management is that it perennially tries to
micromanage the last crisis rather than applying the first principles of risk
management to forestall the next—a trap we have tried to avoid.
We hope this book contributes to the attempt to strengthen the overall framework of risk management by encouraging the right mix of theoretical expertise, knowledge of recent and past events, and curiosity about
what might be driving risk trends today.
***
The financial crisis that started in the summer of 2007 was the culmination of an exceptional boom in credit growth and leverage in the
financial system that had been building since the previous credit crisis in
2001–2002, stimulated by an accommodative monetary policy. The boom
was fed by an extended period of benign economic and financial conditions,
including low real interest rates and abundant liquidity, which encouraged
borrowers, investors, and intermediaries to increase their exposure in
terms of risk and leverage. The boom years were also marked by a wave of
financial innovations related to securitization, which expanded the capacity of the financial system to generate credit assets but outpaced its capacity
to manage the associated risks.2
The crisis uncovered major fault lines in business practices and market dynamics: failures of risk management and poorly aligned compensation
systems in financial institutions, failures of transparency and disclosure, and
many more. In the years following the crisis, many areas of weakness have
begun to be addressed through regulation and from the very top of financial
institutions (the board of directors and the management committee) down
to business line practices, including the misalignment of incentives between
the business and its shareholders, bondholders, and investors. Below, we
Securitization and structured credit products are discussed in Chapter 12.
2
Introduction to the Second Edition • xvii
summarize some of the major problem areas uncovered by the global financial crisis; the rest of the book addresses these issues in more detail.
Governance and Risk Culture
Risk management has many different components, but the essence of what
went wrong in the run-up to the 2007–2009 financial crisis had more to do
with the lack of solid corporate governance structures for risk management
than with the technical deficiencies of risk measurement and stress testing.
In the boom period, risk management was marginalized in many financial
institutions. The focus on deal flow, business volume, earnings, and compensation schemes drove firms increasingly to treat risk management as a
source of information, not as an integral part of business decision making.
Decisions were taken on risk positions without the debate that needed to
happen. To some degree, this is a matter of risk culture, but it also has to do
with governance structures inside organizations:
• The role of the board must be strengthened. Strengthening board
oversight of risk does not diminish the fundamental responsibility of management for the risk management process. Instead, it
should make sure that risk management receives some enhanced
attention in terms of oversight and, hopefully, a longer-term and
wider perspective. Chapter 4 on corporate governance elaborates
on the role and obligations of the board.
• Risk officers must be re-empowered. Some firms distinguish between
a “risk control” function, responsible for quantitative measures,
and a “risk management” function, which has a more strategic focus.
Either way, it is no longer appropriate for risk management to be only
an “after the fact” monitoring function. It needs to be included in
the development of the firm’s strategy and business model. Chief risk
officers (CROs) should not be just risk managers but also proactive
risk strategists. With the strength of regulators and an angry public
behind them, risk managers presently wield some clout. The trick
will be to make sure this lasts in periods of recovery (or growing corporate frustration with unexciting returns). Chapter 4 elaborates on
the role of the CRO in a best-practice institution.
xviii • Introduction to the Second Edition
Inadequate Execution of the Originate-to-Distribute
Business Model
One common view is that the crisis was caused by the originate-todistribute (OTD) model of securitization, through which lower quality
loans were transformed into highly rated securities. To some extent, this
characterization is unfortunately true.
The OTD model of securitization reduced incentives for the originator of the loan to monitor the creditworthiness of the borrower,
because the originator had little or no skin in the game. In the securitization food chain for U.S. mortgages, intermediaries in the chain made
fees while transferring credit into an investment product with such an
opaque structure that even the most sophisticated investors had no real
idea what they were holding.
Although the pre-crisis OTD model of securitization, and its lack
of checks and balances, was clearly an important factor, the huge losses
that affected banks, especially investment banks, mainly occurred because
financial institutions did not follow the business model of securitization.
Rather than acting as intermediaries by transferring the risk from mortgage lenders to capital market investors, these institutions themselves took
on the role of investors. Chapter 12 elaborates on this issue.
Poor Underwriting Standards
The OTD model generated a huge demand for loans to feed the securitization machine, and this in itself contributed to a lowering of underwriting
standards. But benign macroeconomic conditions and low default rates
also gave rise to complacency and an erosion of sound practices in the
world’s financial industries. Across a range of credit segments, business
volumes grew much more quickly than investment in the supporting infrastructure of controls and documentation. The demand for high-yielding
assets encouraged a loosening of credit standards and, particularly in the
U.S. subprime mortgage market, not just lax but fraudulent practices proliferated from late 2004. Chapter 9 elaborates further on the issue of retail
risk management.
Introduction to the Second Edition • xix
Shortcomings in Firms’ Risk Management Practices
The crisis highlighted the risk of model error when making risk assessments. The risk control/risk management function must become more
transparent about the limitations of risk metrics and models used to make
important decisions in the firm. Models are powerful tools, but they necessarily involve simplifications and assumptions; they must be approached
critically and with a heavy dash of expert judgment. When risk metrics,
models, and ratings become ends in themselves, they become obstacles
to true risk identification. This applies also to the post-crisis rash of new
models and risk assessment procedures. Chapter 15 analyzes the problems
associated with model risk.
• Stress testing and scenario analysis. Stress testing, discussed in
Chapter 16, is now a formal requirement of Basel III and the
Dodd-Frank Act and has become a much more prominent part
of the risk manager’s toolkit. Properly applied, stress testing is a
critical diagnostic and risk identification tool, but it can be counterproductive if it becomes too mechanical or consumes resources
unproductively. It is important to approach stress testing as one
aspect of a multifaceted risk analysis program. In particular, stress
testing must be carefully designed to gauge the business strengths
and weaknesses of each individual firm; it cannot follow a “one size
fits all” approach. Firms need to ensure that stress testing methodologies and policies are consistently applied throughout the firm,
take into account multiple risk factors, and adequately deal with
correlations between risk factors. Results must have a meaningful
impact on business decisions.
• Concentration risk. Firms need to improve their firmwide management of concentration risks, embracing not only large risks
from individual borrowers but also concentrations in sectors, geographic regions, economic factors, counterparties, and financial
guarantors. For example, a concentrated exposure to one (exotic)
product can give rise to major losses during a market shock if
liquidity dries up and it becomes impossible to rebalance a hedging position in a timely fashion.
xx • Introduction to the Second Edition
• Counterparty credit risk. The subprime crisis highlighted several
shortcomings of over-the-counter (OTC) trading in credit derivatives, most notably the treatment of counterparty credit risk. The
primary issue is that collateral and margin requirements are set
bilaterally in OTC trading and do not take account of the risk
imposed on the rest of the system (e.g., as experienced following the failures of Lehman Brothers and the quasi-bankruptcies
of Bear Stearns, AIG, and others). Counterparty credit risk is
discussed in Chapter 13.
Overreliance on Misleading Ratings from Rating
Agencies
Credit rating agencies were at the center of the 2007–2009 crisis, as many
investors had relied on their ratings to assess the risk of mortgage bonds,
asset-backed commercial paper issued by structured investment vehicles, and
the monolines that insured municipal bonds and structured credit products.
Money market funds are restricted to investing in AAA-rated
assets, while pension funds and municipalities are restricted to investing in investment-grade assets.3 In the low interest rate environment of
the period before the crisis, many of these conservative investors invested
in assets that were complex and contained exposure to subprime assets,
mainly because these instruments were given an investment-grade rating or higher while promising a yield above that of traditional assets, such
as corporate and Treasury bonds, with an equivalent rating. Chapter 10
discusses ratings and the controversial role of the rating agencies.
Poor Investor Due Diligence
Many investors placed excessive reliance on credit ratings, neither questioning the methodologies of the credit rating agencies nor fully understanding the risk characteristics of rated products. Also, many investors
Most of the US$2.5 trillion sitting in money market funds is traditionally invested in such
assets as U.S. Treasury bills, certificates of deposit, and short-term commercial debt.
3
Introduction to the Second Edition • xxi
erroneously took comfort from the belief that insurance companies conducted a thorough investigation into the assets they insured.4
Going forward, institutional investors will have to upgrade their risk
infrastructure in order to assess risk independently of external rating agencies. If institutions are not willing or able to do this, they should probably
refrain from investing in complex structured products.
For U.S. retail investors who lack the knowledge and the tools to
evaluate and make decisions about financial products, the Dodd-Frank
Act creates the Bureau of Consumer Financial Protection (BCFP) as an
independent bureau within the Federal Reserve System. However, it is
by no means certain that more vigilant consumer protection would have
prevented the speculative frenzy in the housing market in the run-up to
the financial crisis. In Chapter 3, we discuss the Dodd-Frank Act in more
detail.
Incentive Compensation Distortions
Incentive compensation should align compensation with long-term shareholder interests and risk-adjusted return on capital. Over the two decades
before the 2007–2009 financial crisis, bankers and traders had increasingly
been rewarded with bonuses tied to short-term profits, giving them an
incentive to take excessive risks, leverage up their investments, and sometimes bet the entire bank on astonishingly reckless investment strategies.
More on this topic in Chapter 4 and Chapter 17, where we discuss the
RAROC (risk-adjusted return on capital) approach.
Weaknesses in Disclosure
Weaknesses in public disclosures by financial institutions, particularly
concerning the type and magnitude of risks associated with on- and offbalance-sheet exposures, damaged market confidence during the 2007–
2009 financial crisis. This remains a significant challenge to the world’s
Floyd Norris, “Insurer’s Maneuver Wins a Pass in Court,” New York Times, Business
Section, March 8, 2013.
4
xxii • Introduction to the Second Edition
financial industries. The need to disclose more information is a requirement of Basel II/III, discussed in Chapter 3.
Valuation Problems in a Mark-to-Market World
Fair value/mark-to-market accounting has generally proven highly valuable in promoting transparency and market discipline and is an effective
and reliable accounting method for securities in liquid markets. However,
in secondary markets that may have no or severely limited liquidity, it can
create serious valuation problems and can also increase the uncertainties
around any valuations. Chapter 3 and the appendix to Chapter 1 elaborate
further on this issue.
Liquidity Risk Management
During the boom years, many banks and other financial institutions
allowed themselves to become vulnerable to any prolonged disruption in
their funding markets. However, the 2007�����������������������������
–����������������������������
2009 financial crisis demonstrated, once and for all, how extraordinarily dysfunctional the interbank
funding market can become in times of uncertainty.
Liquidity risk is not a new threat: it lay behind the failure of LTCM
(Long Term Capital Management) in August 1998, discussed in Chapter 15,
and a number of historical bank failures. In the post-crisis era, however,
risk managers will need to be wary of overdependence on any single form
of funding, including access to securities markets, in their day-to-day
liquidity risk management, stress testing, and contingency planning. As we
discuss in Chapter 3, Basel III has introduced a new liquidity framework to
address liquidity risk. Banks will have to satisfy two liquidity ratios—i.e.,
a liquidity coverage ratio (LCR) and a net stable funding ratio (NSFR).
Chapter 8 discusses funding risk more broadly.
Systemic Risk
Of the many regulatory issues at stake in the post-crisis era, one is of primary
importance: systemic risk. How can we construct a system that prevents
Introduction to the Second Edition • xxiii
decisions made in a single institution, or a small group of institutions, from
plunging the world’s economies into deep recession? Somehow, the system
must be engineered to prevent one failure’s causing a chain reaction or domino
effect on other institutions that threatens the stability of the financial markets.
Systemic risk and the regulators’ efforts to prevent it is a recurring theme in the
chapters of this book, especially Chapters 3 and 13.
Procyclicality
Banks are said to behave in a procyclical fashion when their actions amplify
the momentum of the underlying economic cycle—e.g., by intensifying
lending during economic booms or imposing more stringent restrictions or
risk assessments on loans during a downturn. Procyclicality partly explains
the correlations between asset prices that we see in the financial sector. The
forces that contribute to procyclicality are the regulatory capital regime,
risk measurement techniques such as value-at-risk, loan-loss provisioning
practices, interaction between valuation and leverage, and compensationbased incentives. Basel III includes several mechanisms for mitigating procyclicality, such as a countercyclical capital cushion and reduced reliance
on cyclical VaR-based capital requirements (e.g., by expanding the role of
stress testing). Procyclicality is discussed in Chapter 3.
This page intentionally left blank
1
RISK MANAGEMENT:
A HELICOPTER VIEW 1
The future cannot be predicted. It is uncertain, and no one has ever been suc-
cessful in consistently forecasting the stock market, interest rates, exchange rates,
or commodity prices—or credit, operational, and systemic events with major
financial implications. However, the financial risk that arises from uncertainty
can be managed. Indeed, much of what distinguishes modern economies from
those of the past is the new ability to identify risk, to measure it, to appreciate its
consequences, and then to take action accordingly, such as transferring or mitigating the risk. One of the most important aspects of modern risk management
is the ability, in many instances, to price risks and ensure that risks undertaken
in business activities are correctly rewarded.
This simple sequence of activities, shown in more detail in Figure 1-1, is
often used to define risk management as a formal discipline. But it’s a sequence
that rarely runs smoothly in practice. Sometimes simply identifying a risk is the
critical problem; at other times arranging an efficient economic transfer of the risk
is the skill that makes one risk manager stand out from another. (In Chapter 2 we
discuss the risk management process from the perspective of a corporation.)
To the unwary, Figure 1-1 might suggest that risk management is a continual process of corporate risk reduction. But we mustn’t think of the modern
attempt to master risk in defensive terms alone. Risk management is really about
how firms actively select the type and level of risk that it is appropriate for them
We acknowledge the coauthorship of Rob Jameson in this chapter.
1
1
2 • The Essentials of Risk Management
FIGURE 1-1 The Risk Management Process
Identify risk
exposures
Measure and estimate
risk exposures
Find instruments and
facilities to shift
or trade risks
Assess effects
of exposures
Assess costs and
benefits of instruments
Form a risk mitigation
strategy:
• Avoid
• Transfer
• Mitigate
• Keep
Evaluate performance
to assume. Most business decisions are about sacrificing current resources for
future uncertain returns.
In this sense, risk management and risk taking aren’t opposites, but two sides
of the same coin. Together they drive all our modern economies. The capacity to
make forward-looking choices about risk in relation to reward, and to evaluate
performance, lies at the heart of the management process of all enduringly successful corporations.
Yet the rise of financial risk management as a formal discipline has been
a bumpy affair, especially over the last 15 years. On the one hand, we have
had some extraordinary successes in risk management mechanisms (e.g., the
Risk Management: A Helicopter View • 3
lack of financial institution bankruptcies in the downturn in credit quality
in 2001–2002) and we have seen an extraordinary growth in new institutions
that earn their keep by taking and managing risk (e.g., hedge funds). On the
other hand, the spectacular failure to control risk in the run-up to the 2007–2009
financial crisis revealed fundamental weaknesses in the risk management
process of many banks and the banking system as a whole.
As a result, risk management is now widely acknowledged as one of the
most powerful forces in the world’s financial markets, in both a positive and a
negative sense. A striking example is the development of a huge market for credit
derivatives, which allows institutions to obtain insurance to protect themselves
against credit default and the widening of credit spreads (or, alternatively, to get
paid for assuming credit risk as an investment). Credit derivatives can be used
to redistribute part or all of an institution’s credit risk exposures to banks, hedge
funds, or other institutional investors. However, the misuse of credit derivatives
also helped to destabilize institutions during the 2007–2009 crisis and to fuel
fears of a systemic meltdown.
Back in 2002, Alan Greenspan, then chairman of the U.S. Federal Reserve
Board, made some optimistic remarks about the power of risk management to
improve the world, but the conditionality attached to his observations proved to
be rather important:
The development of our paradigms for containing risk has emphasized dispersion of risk to those willing, and presumably able, to bear it. If risk is properly
dispersed, shocks to the overall economic system will be better absorbed and
less likely to create cascading failures that could threaten financial stability.2
In the financial crisis of 2007–2009, risk turned out to have been concentrated rather than dispersed, and this is far from the only embarrassing failure of
risk management in recent decades. Other catastrophes range from the near failure of the giant hedge fund Long-Term Capital Management (LTCM) in 1998 to
the string of financial scandals associated with the millennial boom in the equity
and technology markets (from Enron, WorldCom, Global Crossing, and Qwest
in the United States to Parmalat in Europe and Satyam in Asia).
Remarks by Chairman Alan Greenspan before the Council on Foreign Relations, Washington,
D.C., November 19, 2002.
2
4 • The Essentials of Risk Management
Unfortunately, risk management has not consistently been able to prevent market disruptions or to prevent business accounting scandals resulting
from breakdowns in corporate governance. In the case of the former problem,
there are serious concerns that derivative markets make it easier to take on large
amounts of risk, and that the “herd behavior” of risk managers after a crisis gets
underway (e.g., selling risky asset classes when risk measures reach a certain
level) actually increases market volatility.
Sophisticated financial engineering played a significant role in obscuring
the true economic condition and risk-taking of financial companies in the runup to the 2007–2009 crisis, and also helped to cover up the condition of many
nonfinancial corporations during the equity markets’ millennial boom and bust.
Alongside simpler accounting mistakes and ruses, financial engineering can
lead to the violent implosion of firms (and industries) after years of false success,
rather than the firms’ simply fading away or being taken over at an earlier point.
Part of the reason for risk management’s mixed record here lies with the
double-edged nature of risk management technologies. Every financial instrument
that allows a company to transfer risk also allows other corporations to assume
that risk as a counterparty in the same market—wisely or not. Most important,
every risk management mechanism that allows us to change the shape of cash
flows, such as deferring a negative outcome into the future, may work to the shortterm benefit of one group of stakeholders in a firm (e.g., managers) at the same
time that it is destroying long-term value for another group (e.g., shareholders
or pensioners). In a world that is increasingly driven by risk management concepts and technologies, we need to look more carefully at the increasingly fluid
and complex nature of risk itself, and at how to determine whether any change in a
corporation’s risk profile serves the interests of stakeholders. We need to make sure
we are at least as literate in the language of risk as we are in the language of reward.
The nature of risk forms the topic of our next section, and it will lead us to
the reason we’ve tried to make this book accessible to everyone, from shareholders,
board members, and top executives to line managers, legal and back-office staff,
and administrative assistants. We’ve removed from this book many of the complexities of mathematics that act as a barrier to understanding the essential principles
of risk management, in the belief that, just as war is too important to be left to the
generals, risk management has become too important to be left to the “rocket scientists” of the world of financial derivatives. This book is made suitable to students
at colleges and universities who are interested in the emerging and expanding field
of risk management in financial as well as nonfinancial corporations.
Risk Management: A Helicopter View • 5
What Is Risk?
We’re all faced with risk in our everyday lives. And although risk is an abstract
term, our natural human understanding of the trade-offs between risk and
reward is pretty sophisticated. For example, in our personal lives, we intuitively
understand the difference between a cost that’s already been budgeted for (in risk
parlance, a predictable or expected loss) and an unexpected cost (at its worst, a
catastrophic loss of a magnitude well beyond losses seen in the course of normal
daily life).
In particular, we understand that risk is not synonymous with the size of a
cost or of a loss. After all, some of the costs we expect in daily life are very large
indeed if we think in terms of our annual budgets: food, fixed mortgage payments, college fees, and so on. These costs are big, but they are not a threat to our
ambitions because they are reasonably predictable and are already allowed for in
our plans.
The real risk is that these costs will suddenly rise in an entirely unexpected
way, or that some other cost will appear from nowhere and steal the money we’ve
set aside for our expected outlays. The risk lies in how variable our costs and revenues really are. In particular, we care about how likely it is that we’ll encounter a
loss big enough to upset our plans (one that we have not defused through some
piece of personal risk management such as taking out a fixed-rate mortgage, setting aside savings for a rainy day, and so on).
This day-to-day analogy makes it easier to understand the difference
between the risk management concepts of expected loss (or expected costs) and
unexpected loss (or unexpected cost). Understanding this difference is the key
to understanding modern risk management concepts such as economic capital attribution and risk-adjusted pricing. (However, this is not the only way to
define risk, as we’ll see in Chapter 5, which discusses various academic theories
that shed more light on the definition and measurement of risk.)
One of the key differences between our intuitive conception of risk and
a more formal treatment of it is the use of statistics to define the extent and
potential cost of any exposure. To develop a number for unexpected loss, a bank
risk manager first identifies the risk factors that seem to drive volatility in any
outcome (Box 1-1) and then uses statistical analysis to calculate the probabilities of various outcomes for the position or portfolio under consideration. This
probability distribution can be used in various ways. For example, the risk manager might pinpoint the area of the distribution (i.e., the extent of loss) that the
6 • The Essentials of Risk Management
institution would find worrying, given the probability of this loss occurring (e.g.,
is it a 1 in 10 or a 1 in 10,000 chance?).
BOX 1-1 RISK FACTORS AND THE MODELING OF RISK
In order to measure risk, the risk analyst first seeks to identify the key factors
that seem likely to cause volatility in the returns from the position or portfolio
under consideration. For example, in the case of an equity investment, the
risk factor will be the volatility of the stock price (categorized in the appendix
to this chapter as a market risk), which can be estimated in various ways.
In this case, we identified a single risk factor. But the number of risk
factors that are considered in a risk analysis—and included in any risk
modeling—varies considerably depending on both the problem and the
sophistication of the approach. For example, in the recent past, bank risk
analysts might have analyzed the risk of an interest-rate position in terms
of the effect of a single risk factor—e.g., the yield to maturity of government
bonds, assuming that the yields for all maturities are perfectly correlated.
But this one-factor model approach ignored the risk that the dynamic of
the term structure of interest rates is driven by more factors—e.g., the forward rates. Nowadays, leading banks analyze their interest-rate exposures
using at least two or three factors, as we describe in Chapter 6.
Further, the risk manager must also measure the influence of the risk
factors on each other, the statistical measure of which is the “covariance.” Disentangling the effects of multiple risk factors and quantifying the influence
of each is a fairly complicated undertaking, especially when covariance alters
over time (i.e., is stochastic, in the modeler’s terminology). There is often a distinct difference in the behavior and relationship of risk factors during normal
business conditions and during stressful conditions such as financial crises.
Under ordinary market conditions, the behavior of risk factors is
relatively less difficult to predict because it does not change significantly in
the short and medium term: future behavior can be extrapolated, to some
extent, from past performance. However, during stressful conditions, the
behavior of risk factors becomes far more unpredictable, and past behavior
may offer little help in predicting future behavior. It’s at this point that statistically measurable risk threatens to turn into the kind of unmeasurable
uncertainty that we discuss in Box 1-2.
Risk Management: A Helicopter View • 7
The distribution can also be related to the institution’s stated “risk appetite”
for its various activities. For example, as we discuss in Chapter 4, the senior risk
committee at the bank might have set boundaries on the amount of risk that
the institution is willing to take by specifying the maximum loss it is willing to
tolerate at a given level of confidence, such as, “We are willing to countenance a
1 percent chance of a $50 million loss from our trading desks on any given day.”
(At this point we should explain that while some chapters of this book focus on
aspects of bank risk management—e.g., in Chapter 3 we elaborate on the regulation of risk management in banks—the risk management issues and concepts
we cover are encountered in some form by many other industries and organizations, as we highlight in Chapter 2.)
Since the 2007–2009 financial crisis, risk managers have tried to move away
from an overdependence on historical-statistical treatments of risk. For example, they have laid more emphasis on scenario analysis and stress testing, which
examine the impact or outcomes of a given adverse scenario or stress on a firm
(or portfolio). The scenario may be chosen not on the basis of statistical analysis,
but instead simply because it is both plausible and suitably severe—essentially, a
judgment call. However, it can be difficult and perhaps unwise to remove statistical approaches from the picture entirely. For example, in the more sophisticated
forms of scenario analysis, the firm will need to examine how a change in a given
macroeconomic factor (e.g., unemployment rate) leads to a change in a given
risk factor (e.g., the probability of default of a corporation). Making this link
almost inevitably means looking back to the past to examine the nature of the
statistical relationship between macroeconomic factors and risk factors, though
a degree of judgment must also be factored into the analysis.
The use of statistical, economic, and stress testing concepts can make risk
management sound pretty technical. But the risk manager is simply doing more
formally what we all do when we ask ourselves in our personal lives, “How bad,
within reason, might this problem get?” The statistical models can also help in
pricing risk, or pricing the instruments that help to eliminate or mitigate the
risks.
What does our distinction between expected loss and unexpected loss
mean in terms of running a financial business, such as a specific banking business line? Well, the expected credit loss for a credit card portfolio, for example,
refers to how much the bank expects to lose, on average, as a result of fraud and
defaults by cardholders over a period of time, say one year. In the case of large
and well-diversified portfolios (i.e., most consumer credit portfolios), expected
8 • The Essentials of Risk Management
loss accounts for almost all the losses that are incurred in normal times. Because
it is, by definition, predictable, expected loss is generally viewed as one of the
costs of doing business, and ideally it is priced into the products and services
offered to the customer. For credit cards, the expected loss is recovered by charging the businesses a certain commission (2 to 4 percent) and by charging a spread
to the customer on any borrowed money, over and above the bank’s funding cost
(i.e., the rate the bank pays to raise funds in the money markets and elsewhere).
The bank recovers mundane operating costs, such as the salaries it pays tellers,
in much the same way.
The level of loss associated with a large standard credit card portfolio is
relatively predictable because the portfolio is made up of numerous bite-sized
exposures and the fortunes of most customers, most of the time, are not closely
tied to one another. On the whole, you are not much more likely to lose your
job today because your neighbor lost hers last week. There are some important
exceptions to this, of course. During a prolonged and severe recession, your
fortunes may become much more correlated with those of your neighbor, particularly if you work in the same industry and live in a particularly vulnerable
region. Even in the relatively good times, the fortunes of small local banks, as
well as their card portfolios, are somewhat driven by socioeconomic characteristics, as we discuss in Chapter 9.
A corporate loan portfolio, however, tends to be much “lumpier” than
a retail portfolio (i.e., there are more big loans). Furthermore, if we look at
industry data on commercial loan losses over a period of decades, it’s much
more apparent that in some years losses spike upward to unexpected loss
levels, driven by risk factors that suddenly begin to act together. For example,
the default rate for a bank that lends too heavily to the technology sector will
be driven not just by the health of individual borrowers, but by the business
cycle of the technology sector as a whole. When the technology sector shines,
making loans will look risk-free for an extended period; when the economic
rain comes, it will soak any banker that has allowed lending to become too
concentrated among similar or interrelated borrowers. So, correlation risk—the
tendency for things to go wrong together—is a major factor when evaluating
the risk of this kind of portfolio.
The tendency for things to go wrong together isn’t confined to the clustering of defaults among a portfolio of commercial borrowers. Whole classes of risk
Risk Management: A Helicopter View • 9
factors can begin to move together, too. In the world of credit risk, real estate–
linked loans are a famous example of this: they are often secured with real estate
collateral, which tends to lose value at exactly the same time that the default rate
for property developers and owners rises. In this case, the “recovery-rate risk” on
any defaulted loan is itself closely correlated with the “default-rate risk.” The two
risk factors acting together can sometimes force losses abruptly skyward.
In fact, anywhere in the world that we see risks (and not just credit risks)
that are lumpy (i.e., in large blocks, such as very large loans) and that are driven
by risk factors that under certain circumstances can become linked together (i.e.,
that are correlated), we can predict that at certain times high “unexpected losses”
will be realized. We can try to estimate how bad this problem is by looking at
the historical severity of these events in relation to any risk factors that we define
and then examining the prevalence of these risk factors (e.g., the type and concentration of real estate collateral) in the particular portfolio under examination.
A detailed discussion of the problem of assessing and measuring the credit
risk associated with commercial loans, and with whole portfolios of loans, takes
up most of Chapters 10 and 11 of this book. But our general point immediately
explains why bankers became so excited about new credit risk transfer technologies such as credit derivatives, described in detail in Chapter 12. These bankers
weren’t looking to reduce predictable levels of loss. Instead, the new instruments
seemed to offer ways to put a cap on the problem of high unexpected losses and
all the capital costs and uncertainty that these bring.
The conception of risk as unexpected loss underpins two key concepts
that we’ll deal with in more detail later in this book: value-at-risk (VaR) and
economic capital. VaR, described and analyzed in Chapter 7, is a statistical
measure that defines a particular level of loss in terms of its chances of occurrence (the “confidence level” of the analysis, in risk management jargon). For
example, we might say that our options position has a one-day VaR of $1 million
at the 99 percent confidence level, meaning that our risk analysis shows that
there is only a 1 percent probability of a loss that is greater than $1 million on
any given trading day.
In effect, we’re saying that if we have $1 million in liquid reserves, there’s
little chance that the options position will lead to insolvency. Furthermore,
because we can estimate the cost of holding liquid reserves, our risk analysis
gives us a pretty good idea of the cost of taking this risk.
10 • The Essentials of Risk Management
Under the risk paradigm we’ve just described, risk management becomes
not the process of controlling and reducing expected losses (which is essentially
a budgeting, pricing, and business efficiency concern), but the process of understanding, costing, and efficiently managing unexpected levels of variability in
the financial outcomes for a business. Under this paradigm, even a conservative
business can take on a significant amount of risk quite rationally, in light of
•• Its confidence in the way it assesses and measures the unexpected loss
levels associated with its various activities
•• The accumulation of sufficient capital or the deployment of other risk
management techniques to protect against potential unexpected loss levels
•• Appropriate returns from the risky activities, once the costs of risk capital and risk management are taken into account
•• Clear communication with stakeholders about the company’s target risk
profile (i.e., its solvency standard once risk-taking and risk mitigation
are accounted for)
This takes us back to our assertion that risk management is not just a
defensive activity. The more accurately a business understands and can measure
its risks against potential rewards, its business goals, and its ability to withstand
unexpected but plausible scenarios, the more risk-adjusted reward the business
can aggressively capture in the marketplace without driving itself to destruction.
As Box 1-2 discusses, it’s important in any risk analysis to acknowledge that some factors that might create volatility in outcomes simply can’t be
measured—even though they may be very important. The presence of this kind
of risk factor introduces an uncertainty that needs to be made transparent, and
perhaps explored using the kind of worst-case scenario analysis we describe in
Chapter 16. Furthermore, even when statistical analysis of risk can be conducted,
it’s vital to make explicit the robustness of the underlying model, data, and risk
parameter estimation—a topic that we treat in detail in Chapter 15, “Model Risk.”
The Conflict of Risk and Reward
In financial markets, as well as in many commercial activities, if one wants to
achieve a higher rate of return on average, one often has to assume more risk.
But the transparency of the trade-off between risk and return is highly variable.
Risk Management: A Helicopter View • 11
BOX 1-2 RISK, UNCERTAINTY . . . AND TRANSPARENCY ABOUT THE
DIFFERENCE
In this chapter, we discuss risk as if it were synonymous with uncertainty.
In fact, since the 1920s and a famous dissertation by Chicago economist
Frank Knight,1 thinkers about risk have made an important distinction
between the two: variability that can be quantified in terms of probabilities
is best thought of as “risk,” while variability that cannot be quantified at all
is best thought of simply as “uncertainty.”
In a speech some years ago,2 Mervyn King, then governor of the Bank
of England, usefully pointed up the distinction using the example of the
pensions and insurance industries. Over the last century, these industries
have used statistical analysis to develop products (life insurance, pensions, annuities, and so on) that are important to us all in looking after
the financial well-being of our families. These products act to “collectivize”
the financial effects of any one individual’s life events among any given
generation.
Robust statistical tools have been vital in this collectivization of risk
within a generation, but the insurance and investment industries have not
found a way to put a robust number on key risks that arise between generations, such as how much longer future generations might live and what this
might mean for life insurance, pensions, and so on. Some aspects of the
future remain not just risky, but uncertain. Statistical science can help us to
only a limited degree in understanding how sudden advances in medical
science or the onset of a new disease such as AIDS might drive longevity
up or down.
As King pointed out in his speech, “No amount of complex demographic modeling can substitute for good judgment about those unknowns.”
Frank H. Knight, Risk, Uncertainty and Profit, Boston, MA: Hart, Schaffner & Marx;
Houghton Mifflin Company, 1921.
1
2
Mervyn King, “What Fates Impose: Facing Up to Uncertainty,” Eighth British Academy Annual Lecture, December 2004.
12 • The Essentials of Risk Management
Indeed, attempts to forecast changes in longevity over the last 20 years
have all fallen wide of the mark (usually proving too conservative).3
As this example helps make clear, one of the most important things
that a risk manager can do when communicating a risk analysis is to be
clear about the degree to which the results depend on statistically measurable risk, and the degree to which they depend on factors that are entirely
uncertain at the time of the analysis—a distinction that may not be obvious to the reader of a complex risk report at first glance.
In his speech, King set out two principles of risk communication for
public policy makers that could equally well apply to senior risk committees at corporations looking at the results of complex risk calculations:
First, information must be provided objectively and placed in context so
that risks can be assessed and understood. Second, experts and policy
makers must be open about the extent of our knowledge and our ignorance. Transparency about what we know and what we don’t know, far
from undermining credibility, helps to build trust and confidence.
We can’t measure uncertainties, but we can still assess and manage them through
worst-case scenarios, risk transfer, and so on. Indeed, a market is emerging that may help
institutions to manage the financial risks of increased longevity. In 2003, reinsurance companies and banks began to issue financial instruments with returns linked to the aggregate
longevity of specified populations, though the market for instruments that can help to
manage longevity risk is still relatively immature.
3
In some cases, relatively efficient markets for risky assets help to make clear
the returns that investors demand for assuming risk. For example, Figure 6-1,
in Chapter 6, illustrates the risk/return relationship in the U.S. bond markets,
showing the spreads for government bonds and corporate bonds of different ratings and maturities since 2007.
Even in the bond markets, the “price” of credit risk implied by these numbers
for a particular counterparty is not quite transparent. Though bond prices are a
pretty good guide to relative risk, various additional factors, such as liquidity risk
and tax effects, confuse the price signal (as we discuss in Chapter 11). Moreover,
investors’ appetite for assuming certain kinds of risk varies over time. Sometimes
the differential in yield between a risky and a risk-free bond narrows to such an
extent that commentators talk of an “irrational” price of credit. That was the case
Risk Management: A Helicopter View • 13
during the period from early 2005 to mid-2007, until the eruption of the subprime
crisis. With the eruption of the crisis, credit spreads moved up dramatically, and
reached a peak following the collapse of Lehman Brothers in September 2008.
However, in the case of risks that are not associated with any kind of
market-traded financial instrument, the problem of making transparent the
relationship between risk and reward is even more profound. A key objective of risk management is to tackle this issue and make clear the potential for
large losses in the future arising from activities that generate an apparently
attractive stream of profits in the short run.
Ideally, discussions about this kind of trade-off between future profits and
opaque risks would be undertaken within corporations on a basis that is rational
for the firm as a whole. But organizations with a poor risk management and risk
governance culture sometimes allow powerful business leaders to exaggerate the
potential returns while diminishing the perceived potential risks. When rewards
are not properly adjusted for economic risk, it’s tempting for the self-interested
to play down the potential for unexpected losses to spike somewhere in the
economic cycle and to willfully misunderstand how risk factors sometimes
come together to give rise to severe correlation risks. Management itself might
be tempted to leave gaps in risk measurement that, if mended, would disturb
the reported profitability of a business franchise. (The run-up to the 2007–2009
financial crisis provided many examples of such behavior.)
This kind of risk management failure can be hugely exacerbated by the
compensation incentive schemes of the companies involved. In many firms
across a broad swathe of industries, bonuses are paid today on profits that may
later turn out to be illusory, while the cost of any associated risks is pushed,
largely unacknowledged, into the future.
We can see this general process in the banking industry in every credit cycle
as banks loosen rules about the granting of credit in the favorable part of the
cycle, only to stamp on the credit brakes as things turn sour. The same dynamic
happens whenever firms lack the discipline or means to adjust their present
performance measures for an activity to take account of any risks incurred. For
example, it is particularly easy for trading institutions to move revenues forward
through either a “mark-to-market” or a “market-to-model” process. This process
employs estimates of the value the market puts on an asset to record profits on the
income statement before cash is actually generated; meanwhile, the implied cost
of any risk can be artificially reduced by applying poor or deliberately distorted
risk measurement techniques.
14 • The Essentials of Risk Management
This collision between conflicts of interest and the opaque nature of risk
is not limited solely to risk measurement and management at the level of the
individual firm. Decisions about risk and return can become seriously distorted
across whole financial industries when poor industry practices and regulatory
rules allow this to happen—famous examples being the U.S. savings and loan
crisis in the 1980s and early 1990s (see Box 8-1) and the more recent subprime
crisis. History shows that industry regulators can also be drawn into the deception. When the stakes are high enough, regulators all around the world have
colluded with local banking industries to allow firms to misrecord and misvalue
risky assets on their balance sheets, out of fear that forcing firms to state their
true condition will prompt mass insolvencies and a financial crisis.
Perhaps, in these cases, regulators think they are doing the right thing in
safeguarding the financial system, or perhaps they are just desperate to postpone
any pain beyond their term of office (or that of their political masters). For our
purposes, it’s enough to point out that the combination of poor standards of risk
measurement with a conflict of interest is extraordinarily potent at many levels—both inside the company and outside.
The Danger of Names
So far, we’ve been discussing risk in terms of its expected and unexpected nature.
We can also divide up our risk portfolio according to the type of risk that we
are running. In this book, we follow the latest regulatory approach in the global
banking industry to highlight three major broad risk categories that are controllable and manageable:
Market risk is the risk of losses arising from changes in market risk
factors. Market risk can arise from changes in interest rates, foreign
exchange rates, or equity and commodity price factors.3
Credit risk is the risk of loss following a change in the factors that drive
the credit quality of an asset. These include adverse effects arising from
credit grade migration, including default, and the dynamics of recovery
rates.
The definition and breakdown of market risk into these four broad categories is consistent with
the accounting standards of IFRS and GAPP in the United States.
3
Risk Management: A Helicopter View • 15
Operational risk refers to financial loss resulting from a host of potential operational breakdowns that we can think in terms of risk of loss
resulting from inadequate or failed internal processes, people, and
systems, or from external events (e.g., frauds, inadequate computer systems, a failure in controls, a mistake in operations, a guideline that has
been circumvented, or a natural disaster).
Understanding the various types of risk is important, beyond the banking industry, because each category demands a different (but related) set of risk
management skills. The categories are often used to define and organize the risk
management functions and risk management activities of a corporation. We’ve
added an appendix to this chapter that offers a longer and more detailed family
tree of the various types of risks faced by corporations, including key additional
risks such as liquidity risk and strategic risk. This risk taxonomy can be applied
to any corporation engaged in major financial transactions, project financing,
and providing customers with credit facilities.
The history of science, as well as the history of management, tells us
that classification schemes like this are as valuable as they are dangerous.
Giving a name to something allows us to talk about it, control it, and assign
responsibility for it. Classification is an important part of the effort to make
an otherwise ill-defined risk measurable, manageable, and transferable. Yet
the classification of risk is also fraught with danger because as soon as we
define risk in terms of categories, we create the potential for missed risks and
gaps in responsibilities—for being blindsided by risk as it flows across our
arbitrary dividing lines.
For example, a sharp peak in market prices will create a market risk for an
institution. Yet the real threat might be that a counterparty to the bank that is
also affected by the spike in market prices will default (credit risk), or that some
weakness in the bank’s systems will be exposed by high trading volumes (operational risk). If we think of price volatility in terms of market risk alone, we are
missing an important factor.
We can see the same thing happening from an organizational perspective.
While categorizing risks helps us to organize risk management, it fosters the
creation of “silos” of expertise that are separated from one another in terms of
personnel, risk terminology, risk measures, reporting lines, systems and data,
and so on. The management of risk within these silos may be quite efficient in
16 • The Essentials of Risk Management
terms of a particular risk, such as market or credit risk, or the risks run by a
particular business unit. But if executives and risk managers can’t communicate
with one another across risk silos, they probably won’t be able to work together
efficiently to manage the risks that are most important to the institution as a
whole.
Some of the most exciting recent advances in risk management are really
attempts to break down this natural organizational tendency toward silo risk
management. In the past, risk measurement tools such as VaR and economic
capital have evolved, in part, to facilitate integrated measurement and management of the various risks (market, credit, and operational) and business
lines. More recently, the trend toward worst-case scenario analysis is really
an attempt to look at the effect of macroeconomic scenarios on a firm across
its business lines and, often, across various types of risk (market, credit,
and so on).
We can also see in many industries a much more broadly framed trend
toward what consultants have labeled enterprisewide risk management, or
ERM. ERM is a concept with many definitions. Basically, though, ERM is
a deliberate attempt to break through the tendency of firms to operate in
risk management silos and to ignore enterprisewide risks, and an attempt to
take risk into consideration in business decisions much more explicitly than
has been done in the past. There are many potential ERM tools, including
conceptual tools that facilitate enterprisewide risk measurement (such as
economic capital and enterprisewide stress testing), monitoring tools that
facilitate enterprisewide risk identification, and organizational tools such as
senior risk committees with a mandate to look at all enterprisewide risks.
Through an ERM program, a firm limits its exposures to a risk level agreed
upon by the board and provides its management and board of directors
with reasonable assurances regarding the achievement of the organization’s
objectives.
As a trend, ERM is clearly in tune with a parallel drive toward the unification of risk, capital, and balance sheet management in financial institutions.
Over the last 10 years, it has become increasingly difficult to distinguish risk
management tools from capital management tools, since risk, according to
the unexpected loss risk paradigm we outlined earlier, increasingly drives the
allocation of capital in risk-intensive businesses such as banking and insurance.
Risk Management: A Helicopter View • 17
Similarly, it has become difficult to distinguish capital management tools from
balance sheet management tools, since risk/reward relationships increasingly
drive the structure of the balance sheet.
A survey in 2011 by management consultant Deloitte found that the
adoption of ERM has increased sharply over the last few years: “Fifty-two
percent of institutions reported having an ERM program (or equivalent),
up from 36 percent in 2008. Large institutions are more likely to face complex and interconnected risks, and among institutions with total assets of
$100 billion or more, 91 percent reported either having an ERM program in
place or [being] in the process of implementing one.”4 But we shouldn’t get
too carried away here. ERM is a goal, but most institutions are a long way
from fully achieving the goal.
Numbers Are Dangerous, Too
Once we’ve put boundaries around our risks by naming and classifying them,
we can also try to attach meaningful numbers to them. A lot of this book is
about this problem. Even if our numbers are only judgmental rankings of risks
within a risk class (Risk No. 1, Risk Rating 3, and so on), they can help us make
more rational in-class comparative decisions. More ambitiously, if we can assign
absolute numbers to some risk factor (a 0.02 percent chance of default versus a
0.002 percent chance of default), then we can weigh one decision against another
with some precision. And if we can put an absolute cost or price on a risk
(ideally using data from markets where risks are traded or from some internal
“cost of risk” calculation based on economic capital), then we can make truly
rational economic decisions about assuming, managing, and transferring risks.
At this point, risk management decisions become fungible with many other
kinds of management decision in the running of an enterprise.
But while assigning numbers to risk is incredibly useful for risk management and risk transfer, it’s also potentially dangerous. Only some kinds
of numbers are truly comparable, but all kinds of numbers tempt us to make
comparisons. For example, using the face value or “notional amount” of a bond
Deloitte, Global Risk Management Survey, seventh edition, 2011, p. 14.
4
18 • The Essentials of Risk Management
to indicate the risk of a bond is a flawed approach. As we explain in Chapter 7,
a million-dollar position in a par value 10-year Treasury bond does not represent
at all the same amount of risk as a million-dollar position in a 4-year par value
Treasury bond.
Introducing sophisticated models to describe risk is one way to defuse
this problem, but this has its own dangers. Professionals in the financial markets invented the VaR framework as a way of measuring and comparing risk
across many different markets. But as we discuss in Chapter 7, the VaR measure
works well as a risk measure only for markets operating under normal conditions and only over a short period, such as one trading day. Potentially, it’s a very
poor and misleading measure of risk in abnormal markets, over longer time
periods, or for illiquid portfolios.
Also, VaR, like all risk measures, depends for its integrity on a robust control environment. In recent rogue-trading cases, hundreds of millions of dollars
of losses have been suffered by trading desks that had orders not to assume VaR
exposures of more than a few million dollars. The reason for the discrepancy
is nearly always that the trading desks have found some way of circumventing
trading controls and suppressing risk measures. For example, a trader might falsify transaction details entered into the trade reporting system and use fictitious
trades to (supposedly) balance out the risk of real trades, or tamper with the
inputs to risk models, such as the volatility estimates that determine the valuation and risk estimation for an options portfolio.
The likelihood of this kind of problem increases sharply when those
around the trader (back-office staff, business line managers, even risk managers)
don’t properly understand the critical significance of routine tasks, such as an
independent check on volatility estimates, for the integrity of key risk measures.
Meanwhile, those reading the risk reports (senior executives, board members)
often don’t seem to realize that unless they’ve asked key questions about the
integrity of controls, they might as well tear up the risk report.
As we try to base our risk evaluations on past data and experience, we
should recall that all statistical estimation is subject to estimation errors, and
these can be substantial when the economic environment changes. In addition
we must remember that human psychology interferes with risk assessment.
Professor Daniel Kahneman, the Nobel laureate in Economics, warns us that
people tend to misassess extreme probabilities (very small ones as well as very
Risk Management: A Helicopter View • 19
large ones). Kahneman also points out that people tend to be risk-averse in the
domain of gains and risk-seeking in the domain of losses.5
While the specialist risk manager’s job is an increasingly important one, a
broad understanding of risk management must also become part of the wider
culture of the firm.
The Risk Manager’s Job
There are many aspects of the risk manager’s role that are open to confusion.
First and foremost, a risk manager is not a prophet! The role of the risk manager
is not to try to read a crystal ball, but to uncover the sources of risk and make
them visible to key decision makers and stakeholders in terms of probability. For
example, the risk manager’s role is not to produce a point estimate of the U.S.
dollar/euro exchange rate at the end of the year; but to produce a distribution
estimate of the potential exchange rate at year-end and explain what this might
mean for the firm (given its financial positions). These distribution estimates can
then be used to help make risk management decisions, and also to produce riskadjusted metrics such as risk-adjusted return on capital (RAROC).
As this suggests, the risk manager’s role is not just defensive—firms need
to generate and apply information about balancing risk and reward if they are
to compete effectively in the longer term (see Chapter 17). Implementing the
appropriate policies, methodologies, and infrastructure to risk-adjust numbers
and improve forward-looking business decisions is an increasingly important
element of the modern risk manager’s job.
But the risk manager’s role in this regard is rarely easy—these risk and
profitability analyses aren’t always accepted or welcomed in the wider firm when
they deliver bad news. Sometimes the difficulty is political (business leaders
want growth, not caution), sometimes it is technical (no one has found a bestpractice way to measure certain types of risk, such as reputation or franchise
risk), and sometimes it is systemic (it’s hard not to jump over a cliff on a business
idea if all your competitors are doing that too).
Daniel Kahneman, Thinking, Fast and Slow, Farrar, Straus and Giroux, 2011.
5
20 • The Essentials of Risk Management
This is why defining the role and reporting lines of risk managers within
the wider organization is so critical. It’s all very well for the risk manager to
identify a risk and measure its potential impact—but if risk is not made transparent to key stakeholders, or those charged with oversight on their behalf, then
the risk manager has failed. We discuss these corporate governance issues in
more detail in Chapter 4.
Perhaps the trickiest balancing act over the last few years has been trying
to find the right relationship between business leaders and the specialist risk
management functions within an institution. The relationship should be close,
but not too close. There should be extensive interaction, but not dominance.
There should be understanding, but not collusion. We can still see the tensions
in this relationship across any number of activities in risk-taking organizations—between the credit analyst and those charged with business development in commercial loans, between the trader on the desk and the market risk
management team, and so on. Where the balance of power lies will depend
significantly on the attitude of senior managers and on the tone set by the
board. It will also depend on whether the institution has invested in the analytical and organizational tools that support balanced, risk-adjusted decisions.
As the risk manager’s role is extended, we must increasingly ask difficult
questions: “What are the risk management standards of practice” and “Who is
checking up on the risk managers?” Out in the financial markets, the answer is
hopefully the regulators. Inside a corporation, the answer includes the institution’s audit function, which is charged with reviewing risk management’s actions
and its compliance with an agreed-upon set of policies and procedures (Chapter
4). But the more general answer is that risk managers will find it difficult to make
the right kind of impact if the firm as a whole lacks a healthy risk culture, including a good understanding of risk management practices, concepts, and tools.
The Past, the Future—and This Book’s Mission
We can now understand better why the discipline of risk management has had
such a bumpy ride across many industries over the last decade (see Box 1-3). The
reasons lie partly in the fundamentally elusive and opaque nature of risk—if it’s
not unexpected or uncertain, it’s not risk! As we’ve seen, “risk” changes shape
according to perspective, market circumstances, risk appetite, and even the classification schemes that we use.
Risk Management: A Helicopter View • 21
BOX 1-3 UPS AND DOWNS IN RISK MANAGEMENT
Ups
•• Dramatic explosion in the adoption of sophisticated risk management processes, driven by an expanding skill base and falling cost
of risk technologies
•• Increase in the skill levels and associated compensation of risk
management personnel as sophisticated risk techniques have been
adopted to measure risk exposures
•• Birth of new risk management markets in credit, commodities,
weather derivatives, and so on, representing some of the most
innovative and potentially lucrative financial markets in the world
•• Birth of global risk management industry associations as well as a
dramatic rise in the number of global risk management personnel
•• Extension of the risk measurement frontier out from traditional
measured risks such as market risk toward credit and operational
risks
•• Cross fertilization of risk management techniques across diverse
industries from banking to insurance, energy, chemicals, and
aerospace
•• Ascent of risk managers in the corporate hierarchy to become
chief risk officers, to become members of the top executive team
(e.g., part of the management committee), and to report to both
the CEO and the board of the company
Downs
•• The financial crisis of 2007–2009 revealed significant weaknesses
in managing systemic and cyclical risks.
•• Firms have been tempted to over-rely on historical-statistical
measures of risk—a weakness that improved stress testing seeks
to address.
•• Risk managers continue to find it a challenge to balance their
fiduciary responsibilities against the cost of offending powerful
business heads.
22 • The Essentials of Risk Management
•• Risk managers do not generate revenue and therefore have not
yet achieved the same status as the heads of successful revenuegenerating businesses.
•• It’s proving difficult to make truly unified measurements of different kinds of risk and to understand the destructive power of risk
interactions (e.g., credit and liquidity risk).
•• Quantifying risk exposure for the whole organization can be
hugely complicated and may descend into a “box ticking” exercise.
•• The growing power of risk managers could be a negative force in
business if risk management is interpreted as risk avoidance; it’s
possible to be too risk-averse.
The reasons also lie partly in the relative immaturity of financial risk management. Practices, personnel, markets, and instruments have been evolving
and interacting with one another continually over the last couple of decades to
set the stage for the next risk management triumph—and disaster. Rather than
being a set of specific activities, computer systems, rules, or policies, risk management is better thought of as a set of concepts that allow us to see and manage
risk in a particular and dynamic way.
Perhaps the biggest task in risk management is no longer to build
specialized mathematical measures of risk (although this endeavor certainly
continues). Perhaps it is to put down deeper risk management roots in each
organization. We need to build a wider risk culture and risk literacy, in which
all the key staff members engaged in a risky enterprise understand how they
can affect the risk profile of the organization—from the back office to the
boardroom, and from the bottom to the top of the house. That’s really what
this book is about. We hope it offers both nonmathematicians as well as mathematicians an understanding of the latest concepts in risk management so that
they can see the strengths and question the weaknesses of a given decision.
Nonmathematicians must feel able to contribute to the ongoing evolution of risk management practice. Along the way, we can also hope to give those
of our readers who are risk analysts and mathematicians a broader sense of how
their analytics fit into an overall risk program, and a stronger sense that their
role is to convey not just the results of any risk analysis, but also its meaning
(and any broader lessons from an enterprisewide risk management perspective).
Appendix 1.1
TYPOLOGY OF RISK
EXPOSURES
In Chapter 1 we defined risk as the volatility of returns leading to “unexpected
losses,” with higher volatility indicating higher risk. The volatility of returns is
directly or indirectly influenced by numerous variables, which we called risk factors, and by the interaction between these risk factors. But how do we consider
the universe of risk factors in a systematic way?
Risk factors can be broadly grouped together into the following major
categories: market risk, credit risk, liquidity risk, operational risk, legal and
regulatory risk, business risk, strategic risk, and reputation risk (Figure 1A-1).1
These categories can then be further decomposed into more specific categories,
as we show in Figure 1A-2 for market risk and credit risk. Market risk and credit
risk are referred to as financial risks.
In this figure, we’ve subdivided market risk into equity price risk, interest
rate risk, foreign exchange risk, and commodity price risk in a manner that is in
line with our detailed discussion in this appendix. Then we’ve divided interest
rate risk into trading risk and the special case of gap risk; the latter relates to the
risk that arises in the balance sheet of an institution as a result of the different
sensitivities of assets and liabilities to changes of interest rates (see Chapter 8).
In theory, the more all-encompassing the categorization and the more
detailed the decomposition, the more closely the company’s risk will be captured.
Board of Governors of the Federal Reserve System, Trading and Capital Markets Activities
Manual, Washington D.C., April 2007.
1
23
24 • The Essentials of Risk Management
FIGURE 1A-1 Typology of Risks
Market risk
Credit risk
Liquidity risk
Operational risk
Risks
Legal and regulatory risk
Business risk
Strategic risk
Reputation risk
In practice, this process is limited by the level of model complexity that can be
handled by the available technology and by the cost and availability of internal
and market data.
Let’s take a closer look at the risk categories in Figure 1A-1.
FIGURE 1A-2 Schematic Presentation, by Categories, of Financial Risks
Equity price risk
Market risk
Interest rate risk
Foreign exchange risk
Trading risk
Gap risk
Commodity price risk
Financial
risks
Transaction risk
Issue risk
Portfolio
concentration
Issuer risk
Credit risk
Counterparty
credit risk
General
market risk
Specific risk
Risk Management: A Helicopter View • 25
Market Risk
Market risk is the risk that changes in financial market prices and rates will
reduce the value of a security or a portfolio. Price risk can be decomposed into
a general market risk component (the risk that the market as a whole will fall in
value) and a specific market risk component, unique to the particular financial
transaction under consideration. In trading activities, risk arises both from open
(unhedged) positions and from imperfect correlations between market positions
that are intended to offset one another.
Market risk is given many different names in different contexts. For example, in the case of a fund, the fund may be marketed as tracking the performance
of a certain benchmark. In this case, market risk is important to the extent that it
creates a risk of tracking error. Basis risk is a term used in the risk management
industry to describe the chance of a breakdown in the relationship between the
price of a product, on the one hand, and the price of the instrument used to
hedge that price exposure, on the other. Again, it is really just a context-specific
form of market risk.
There are four major types of market risk: interest rate risk, equity price
risk, foreign exchange risk, and commodity price risk.2
Interest Rate Risk
The simplest form of interest rate risk is the risk that the value of a fixed-income
security will fall as a result of an increase in market interest rates. But in complex
portfolios of interest-rate-sensitive assets, many different kinds of exposure can
arise from differences in the maturities and reset dates of instruments and cash
flows that are asset-like (i.e., “longs”) and those that are liability-like (i.e., “shorts”).
In particular, as we explain in more detail in Chapter 6, “curve” risk can
arise in portfolios in which long and short positions of different maturities are
effectively hedged against a parallel shift in yields, but not against a change in
the shape of the yield curve. Meanwhile, even when offsetting positions have
the same maturity, basis risk can arise if the rates of the positions are imperfectly correlated. For example, three-month Eurodollar instruments and threemonth Treasury bills both naturally pay three-month interest rates. However,
These four categories of market risk are, in general, consistent with accounting standards.
2
26 • The Essentials of Risk Management
these rates are not perfectly correlated with each other, and spreads between
their yields may vary over time. As a result, a three-month Treasury bill funded
by three-month Eurodollar deposits represents an imperfect offset or hedged
position (often referred to as basis risk).
Equity Price Risk
This is the risk associated with volatility in stock prices. The general market risk
of equity refers to the sensitivity of an instrument or portfolio value to a change in
the level of broad stock market indices. The specific or idiosyncratic risk of equity
refers to that portion of a stock’s price volatility determined by characteristics specific to the firm, such as its line of business, the quality of its management, or a
breakdown in its production process. According to portfolio theory, general market risk cannot be eliminated through portfolio diversification, while specific risk
can be diversified away. In Chapter 5 we discuss models for measuring equity risk.
Foreign Exchange Risk
Foreign exchange risk arises from open or imperfectly hedged positions in
particular foreign currency denominated assets and liabilities leading to fluctuations in profits or values as measured in a local currency. These positions may
arise as a natural consequence of business operations, rather than from any conscious desire to take a trading position in a currency. Foreign exchange volatility
can sweep away the return from expensive cross-border investments and at the
same time place a firm at a competitive disadvantage in relation to its foreign
competitors.3 It may also generate huge operating losses and, through the uncertainty it causes, inhibit investment. The major drivers of foreign exchange risk
are imperfect correlations in the movement of currency prices and fluctuations
in international interest rates. Although it is important to acknowledge exchange
rates as a distinct market risk factor, the valuation of foreign exchange transac-
A famous example is Caterpillar, a U.S. heavy equipment firm, which in 1987 began a $2 billion
capital investment program. A full cost reduction of 19 percent was eventually expected in 1993.
During the same period the Japanese yen weakened against the U.S. dollar by 30 percent, which
placed Caterpillar at a competitive disadvantage vis-à-vis its major competitor, Komatsu of Japan,
even after adjusting for productivity gains.
3
Risk Management: A Helicopter View • 27
tions requires knowledge of the behavior of domestic and foreign interest rates,
as well as of spot exchange rates.4
Commodity Price Risk
The price risk of commodities differs considerably from interest rate and foreign exchange risk, since most commodities are traded in markets in which the
concentration of supply is in the hands of a few suppliers who can magnify price
volatility. For most commodities, the number of market players having direct
exposure to the particular commodity is quite limited, hence affecting trading
liquidity which in turn can generate high levels of price volatility. Other fundamentals affecting a commodity price include the ease and cost of storage, which
varies considerably across the commodity markets (e.g., from gold to electricity
to wheat). As a result of these factors, commodity prices generally have higher
volatilities and larger price discontinuities (i.e., moments when prices leap from
one level to another) than most traded financial securities. Commodities can
be classified according to their characteristics as follows: hard commodities, or
nonperishable commodities, the markets for which are further divided into
precious metals (e.g., gold, silver, and platinum), which have a high price/weight
value, and base metals (e.g., copper, zinc, and tin); soft commodities, or commodities with a short shelf life that are hard to store, mainly agricultural products
(e.g., grains, coffee, and sugar); and energy commodities, which consist of oil,
gas, electricity, and other energy products.
Credit Risk
Credit risk is the risk of an economic loss from the failure of a counterparty
to fulfill its contractual obligations, or from the increased risk of default during the term of the transaction.5 For example, credit risk in the loan portfolio
This is because of the interest rate parity condition, which describes the price of a futures contract
on a foreign currency as equal to the spot exchange rate adjusted by the difference between the
local interest rate and the foreign interest rate.
4
In the following we use indifferently the term “borrower” or “counterparty” for a debtor. In
practice, we refer to issuer risk, or borrower risk, when credit risk involves a funded transaction
such as a bond or a bank loan. In derivatives markets, counterparty credit risk is the credit risk of
a counterparty for an unfunded derivatives transaction such as a swap or an option.
5
28 • The Essentials of Risk Management
of a bank materializes when a borrower fails to make a payment, either of the
periodic interest charge or the periodic reimbursement of principal on the loan
as contracted with the bank. Credit risk can be further decomposed into four
main types: default risk, bankruptcy risk, downgrade risk, and settlement risk.
Box 1A-1 gives ISDA’s definition of a credit event that may trigger a payout under
a credit derivatives contract.6
BOX 1A-1 CREDIT DERIVATIVES AND THE ISDA DEFINITION OF A
CREDIT EVENT
The spectacular growth of the market for credit default swaps (CDS) and
similar instruments since the millennium has obliged the financial markets
to become a lot more specific about what they regard as a credit event—i.e.,
the event that triggers the payment on a CDS. This event, usually a default,
needs to be clearly defined to avoid any litigation when the contract is
settled. CDSs normally contain a “materiality clause” requiring that the
change in credit status be validated by third-party evidence.
The CDS market has struggled somewhat to define the k…
Purchase answer to see full
attachment
ESSENTIALS OF
RISK
MANAGEMENT
This page intentionally left blank
THE
ESSENTIALS OF
RISK
MANAGEMENT
SECOND EDITION
MICHEL CROUHY, DAN GALAI, ROBERT MARK
New York Chicago San Francisco Athens
London Madrid Mexico City Milan
New Delhi Singapore Sydney Toronto
Copyright © 2014 by McGraw-Hill Education. All rights reserved. Except as permited under the United States
Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any
means, or stored in a database or retrieval system, without the prior written permission of the publisher.
ISBN: 978-0-07-182115-5
MHID: 0-07-182115-5
The material in this eBook also appears in the print version of this title: ISBN: 978-0-07-181851-3,
MHID: 0-07-181851-0.
eBook conversion by codeMantra
Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every
occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the
trademark owner, with no intention of infringement of the trademark. Where such designations appear in this
book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales
promotions or for use in corporate training programs. To contact a representative, please visit the Contact Us
page at www.mhprofessional.com.
This publication is designed to provide accurate and authoritative information in regard to the subject matter
covered. It is sold with the understanding that neither the author nor the publisher is engaged in rendering
legal, accounting, securities trading, or other professional services. If legal advice or other expert assistance is
required, the services of a competent professional person should be sought.
—From a Declaration of Principles Jointly Adopted by a Committee of the
American Bar Association and a Committee of Publishers and Associations
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work.
Use of this work is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right
to store and retrieve one copy of the work, you may not decompile, disassemble, reverse engineer, reproduce,
modify, create derivative works based upon, transmit, distribute, disseminate, sell, publish or sublicense the
work or any part of it without McGraw-Hill Education’s prior consent. You may use the work for your own
noncommercial and personal use; any other use of the work is strictly prohibited. Your right to use the work
may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE
NO GUARANTEES OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS
OF OR RESULTS TO BE OBTAINED FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK VIA HYPERLINK OR OTHERWISE, AND
EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained
in the work will meet your requirements or that its operation will be uninterrupted or error free. Neither
McGraw-Hill Education nor its licensors shall be liable to you or anyone else for any inaccuracy, error or
omission, regardless of cause, in the work or for any damages resulting therefrom. McGraw-Hill Education
has no responsibility for the content of any information accessed through the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special, punitive,
consequential or similar damages that result from the use of or inability to use the work, even if any of them
has been advised of the possibility of such damages. This limitation of liability shall apply to any claim or
cause whatsoever whether such claim or cause arises in contract, tort or otherwise.
CONTENTS
Foreword
vii
Foreword
xi
I ntroduction to the Second Edition:
Reforming Risk Management for the Post-Crisis Era
xv
1. Risk Management: A Helicopter View
1
1.1 Typology of Risk Exposures
23
2. Corporate Risk Management: A Primer
45
3. Banks and Their Regulators:
The Post-Crisis Regulatory Framework
67
3.1 Basel I
117
3.2 The 1996 Market Risk Amendment
125
3.3 Basel II and Minimum Capital Requirements for Credit Risk 131
3.4 Basel 2.5: Enhancements to the Basel II Framework
137
3.5 Contingent Convertible Bonds
143
4. Corporate Governance and Risk Management
151
5. A User-Friendly Guide to the Theory of Risk and Return
183
6. Interest Rate Risk and Hedging with Derivative Instruments
203
7. Measuring Market Risk: Value-at-Risk,
Expected Shortfall, and Similar Metrics
233
8. Asset/Liability Management
265
9. Credit Scoring and Retail Credit Risk Management
305
10. Commercial Credit Risk and the Rating
of Individual Credits
333
10.1 Definitions of Key Financial Ratios
363
v
vi • Contents
11. Quantitative Approaches to Credit
Portfolio Risk and Credit Modeling
11.1 The Basic Idea of the Reduced Form Model
12. The Credit Transfer Markets—and Their Implications
12.1 Why the Rating of CDOs by
Rating Agencies Was Misleading
13. Counterparty Credit Risk: CVA, DVA, and FVA
14. Operational Risk
15. Model Risk
16. Stress Testing and Scenario Analysis
16.1 The 2013 Dodd-Frank Severely Adverse Scenarios
17. Risk Capital Attribution and
Risk-Adjusted Performance Measurement
Epilogue: Trends in Risk Management
Index
365
407
411
467
471
499
529
555
581
583
609
619
FOREWORD
The world changed after the global financial crisis of 2007–2009, and the
change was especially dramatic for banks. The second edition of this book
is therefore very welcome and helps to clarify both the implications of
the crisis for risk management and the far-reaching process of regulatory
change that will come into full force over the next few years.
Banks are reforming their risk management processes, but the challenge goes much deeper. Banks must rethink their business models and
even question the reason for their existence. Do they exist to take proprietary risks (on or off their balance sheet) or to provide a focused set of
services and skills to their customers and business partners?
At Natixis, our business adopts the latter model. We have recently
completed an aggressive push to adapt to post-crisis regulatory constraints,
end our proprietary activities, reduce our risk profile, and refocus on
our three core businesses: wholesale banking, investment solutions, and
specialized financial services.
The far higher capital costs under Basel III are likely to shift many
other banks toward a more service-based business model with less risk
retained. The new regulations are also obliging banks to change their funding strategies—e.g., by making use of new funding tools in addition to
reformed approaches to securitization and traditional funding avenues.
This change of philosophy may mean developing trusted partnerships
with different kinds of financial institutions, such as insurance companies
and pension funds, that can absorb the risks that banks no longer wish to
carry on their balance sheets—a process that Natixis has already begun.
As banks change their approach, they must also take a fresh look at
their corporate governance. The crisis showed that banks had been driven
vii
viii • Foreword
by too simplistic a notion of growth and short-term profitability. Going
forward, firms must build a wider and longer-term view of stakeholder
interests—e.g., by defining long-term risk appetites explicitly and connecting these securely to strategic and operational decisions. Ensuring the
right kind of growth will require many of the best-practice mechanisms of
corporate governance discussed in this book.
The crisis also showed that banks need to pay more than lip service
to the concept of enterprise risk management. They must improve their
understanding of how a wide range of risks—credit, market, liquidity,
operational, reputation, and more—can interact with and exacerbate
each other in a bank’s portfolios and business models when the financial
system is under strain.
In turn, this requires the development of new risk management
methodologies and bankwide infrastructures—for example, in the area
of macroeconomic stress testing. One of the accomplishments of this book
is that it helps set out these new methodologies and explains their strengths
and also their limitations. The authors believe that financial institutions
must not rely on any single risk measure, new or old. Risk measurement
and management methodologies are there to help decision makers, not to
supply simplistic answers.
It is critical that institutions (as well as regulators) develop a better
understanding of the interconnected nature of the global financial system.
As this book explains in its various chapters, systemic risks, counterparty
interconnections, liquidity risks, credit risks, and market risks all feed on
one another in a crisis. Understanding how risks concentrate during good
times and then spread through systemic interconnections during bad times
needs to become part of the philosophy of bank risk management. Without
this understanding, it is difficult for financial institutions to resist activities
that boost growth and profitability in the short term, but that may create
unsustainable levels of risk in the longer term.
The global economy is trying to find a path toward sustainable growth
at the same time that developed nations have begun to unwind the unprecedented support given to economies and banking systems during the
crisis years. This will give rise to many challenges as well as opportunities.
Natixis plays a frontline role in financing the real economy, but we know
that this must be built on solid risk-managed foundations.
Foreword • ix
In this sense, the book supports the business philosophy we are
developing at Natixis. We believe that long-term success comes to institutions and economies that can deliver growth while managing downside
risks through both improved risk management and the careful selection of
fundamental business models.
Laurent Mignon
Chief Executive Officer of Natixis
September 13, 2013
This page intentionally left blank
FOREWORD
I think that the concept of the Crouhy, Galai, and Mark book, The Essen-
tials of Risk Management, Second Edition, is brilliant. In my career as an
academic and in investment management, I found that there is too large
a separation between the technocrats who build risk-management models
and systems and those who should be using them. In addition, the model
builders seem to me to be too far from economics, understanding what
risk management can and cannot do and how to structure the risk management problem. Crouhy, Galai, and Mark bridge that gap. They bring the
academic research together with applications and implementation. If riskmanagement model builders come to appreciate the economics underlying
the models, they would be better prepared to build risk-management tools
that have real value for banks and other entities. And, as the authors bring
up time and again, board members of corporations must also become as
familiar with the models and their underlying economics to ask the correct
follow-up questions.
Risk management is often described as being an independent activity of the firm, different from generating returns. Most macro and micro
models in economics start from a framework of certainty and add an error
term, a risk term to represent uncertainty. When describing predicted
actions that arise from these models, the error or uncertainty term disappears because the modelers assume that it’s best to take expectations as
their best guess as to future outcomes.
In both cases, however, this is incorrect. Risk management is part
of an optimization program, the tradeoffs between risk and return. As
described in the book, the three tools of risk management are (a) reserves,
(b) diversification, and (c) insurance. With greater reserves against adverse
xi
xii • Foreword
outcomes, the risk of the firm or the bank is reduced. Greater reserves,
however, imply lower returns. And, the dynamics of the reserve need to be
known. For example, if a bank needs capital or liquidity reserves to shield
it against shock, is the reserve static or can it be used, and how is it to be
used at time of shock? If it is a reserve that must always be at a static level,
it is not a reserve at all. These are important optimization and planning
questions under uncertainty. With more diversification, the bank reduces
idiosyncratic risks and retains systematic risks, which it might also transfer
to the market.
Diversification has benefits. But, if a bank earns profits because its
clients want particular services such as mortgages, it might want to concentrate and make money by taking on additional idiosyncratic risk, for
it is not possible to diversify away all risks and still earn abnormal profits.
The bank must respond to its client’s demands and, as a result, take on
idiosyncratic risks. The same is true of insurance. Unlike car insurance,
wherein, say, the value of the car is knowable over the year, and the amount
of the insurance is easy to ascertain, as the book describes, the bank might
not know how much insurance is necessary and when it might need the
insurance. Nor does it know the dynamics of the insurance plan as prices
change in the market.
That is why risk management is integrated into an optimization system where there always are tradeoffs between risk and return. To ignore
risk considerations is inappropriate; to concentrate on risk is inappropriate. The boards of banks or corporations are responsible to understand and
challenge the optimization problem. Likewise, modelers must also understand the economic tradeoffs. Prior to the financial crisis of 2008, many
banks organized their risk management activities in line and not circle
form. That is, the risk department was separate and below the production
department. The risk management systems of the future must be designed
such that the optimization problem is the center focus. This involves deciding on the level of capital employed not only for working capital, or physical investment capital, or human capital but also the amount of risk capital in deciding on the profitability of various business lines and how they
coordinate with each other.
Risk management involves measurement and model building. This
book provides us with a description of many of the problems in building
Foreword • xiii
models and in providing the inputs to the models. But, once the senior
management and the modelers understand the issues, they will change
their focus and address the modeling and measurement issues. For example, there are three major problems in the model building/data provision
or calibration of the model framework: (1) using historical data to calibrate
the model, (2) assuming the spatial relationships will remain unchanged,
such as how particular assets are grouped together into clusters or how
clusters move together, and, (3) assuming that once the model is built and
calibrated that others don’t reverse engineer the model and its calibration
and game against those using the model. There are myriad examples and
applications of each of these, or these in combination with each other in
this book. For example, the rating agencies used historical data to calibrate the likelihood of declines in housing price such that homeowners
would default on their mortgages. Unfortunately they used too short a time
period and assumed incorrectly that the best prediction of the future would
be provided from these short-period data inputs. They also assumed that
homeowners default on their mortgages randomly, while ignoring the possibility that the independent clusters of possible mortgage defaults that
they assumed existed would become one cluster during a crisis such as
the 2008 financial crisis. Moreover, once they provided their ratings on
complicated mortgage structured products, market participants reverse
engineered how they rated mortgage products and gamed against them by
putting lower and lower quality mortgages into structures to pass just the
ratings level that they wanted to attain. These three lessons are pervasive
in risk management and are illustrated brilliantly in one form or the other
over and over again in this book.
There are decisions that should be made, in part, proactively and decisions that should be made, in part, reactively. Risk management includes
an understanding of how to plan to respond to changes in the opportunity
set and to changes in the costs of adjusting assets and to financing activities. There is a value in planning for uncertainty. Ignoring risk might supply large short-term profits but at the expense of survivorship of the business, for not setting aside sufficient risk capital threatens survivorship of
the business. And understanding includes evaluating the returns and risks
of embedded and explicit options.
xiv • Foreword
All risk management systems require a careful combination of academic modeling and research with practical applications. Academic
research highlighted in this book has made a major contribution to
risk management techniques. Practice must be aware of the underlying
assumptions of these models and in what situations they apply or don’t
apply and adjust them accordingly. Practical applications include understanding data issues in providing inputs to these risk models and in
calibrating them consistent with underlying economics. The 2008 crisis
highlighted once again the importance of risk management. I believe that
all board members must become as conversant in risk management as in
return generation. That will become a prerequisite for board participation.
This book highlights the importance of these issues.
Myron S. Scholes, Frank E. Buck Professor of Finance, Emeritus, Stanford
University Graduate School of Business; 1997 recipient of the Nobel Prize
in Economics
November, 2013
INTRODUCTION TO THE
SECOND EDITION:
REFORMING RISK
MANAGEMENT FOR THE
POST-CRISIS ERA
Half a dozen years and more have passed since the start of the global
financial crisis of 2007–2009,1 and even the European sovereign debt crisis
of 2010 is fading into history. In neither case can we be sure that the crises are fully resolved, and their aftershocks and ramifications continue to
shape our world. However, enough time may have elapsed for us to absorb
the main lessons of the crisis years and to begin to understand the implications of the still unfolding reforms of the world’s financial industries.
In this new edition of The Essentials of Risk Management, we have
revisited each chapter in light of what has been learned from risk management failures during the crisis years, and in this Introduction we pick out
key trends in risk management since we published the first edition in 2006.
However, we have also tried to prevent the book as a whole from
becoming too dominated by the extraordinary events of 2007–2009 and
the immediate succeeding years. Some of the lessons learned in those years
were lessons that earlier crises had already taught risk managers, and that
Throughout this book, we’ve used the phrase “financial crisis of 2007–2009” to define, reasonably precisely, the banking and financial system crisis of that period. Others choose to
use the term “global financial crisis,” or GFC.
1
xv
xvi • Introduction to the Second Edition
were covered in some detail in the first edition of the book—even if some
firms found it hard to put them into practice. The crisis years also spawned
a series of fundamental reforms of the regulation of financial institutions,
and one thing we can be sure of in risk management is that major structural change creates new business environments, which in turn transform
business behavior and risk.
One of the curses of risk management is that it perennially tries to
micromanage the last crisis rather than applying the first principles of risk
management to forestall the next—a trap we have tried to avoid.
We hope this book contributes to the attempt to strengthen the overall framework of risk management by encouraging the right mix of theoretical expertise, knowledge of recent and past events, and curiosity about
what might be driving risk trends today.
***
The financial crisis that started in the summer of 2007 was the culmination of an exceptional boom in credit growth and leverage in the
financial system that had been building since the previous credit crisis in
2001–2002, stimulated by an accommodative monetary policy. The boom
was fed by an extended period of benign economic and financial conditions,
including low real interest rates and abundant liquidity, which encouraged
borrowers, investors, and intermediaries to increase their exposure in
terms of risk and leverage. The boom years were also marked by a wave of
financial innovations related to securitization, which expanded the capacity of the financial system to generate credit assets but outpaced its capacity
to manage the associated risks.2
The crisis uncovered major fault lines in business practices and market dynamics: failures of risk management and poorly aligned compensation
systems in financial institutions, failures of transparency and disclosure, and
many more. In the years following the crisis, many areas of weakness have
begun to be addressed through regulation and from the very top of financial
institutions (the board of directors and the management committee) down
to business line practices, including the misalignment of incentives between
the business and its shareholders, bondholders, and investors. Below, we
Securitization and structured credit products are discussed in Chapter 12.
2
Introduction to the Second Edition • xvii
summarize some of the major problem areas uncovered by the global financial crisis; the rest of the book addresses these issues in more detail.
Governance and Risk Culture
Risk management has many different components, but the essence of what
went wrong in the run-up to the 2007–2009 financial crisis had more to do
with the lack of solid corporate governance structures for risk management
than with the technical deficiencies of risk measurement and stress testing.
In the boom period, risk management was marginalized in many financial
institutions. The focus on deal flow, business volume, earnings, and compensation schemes drove firms increasingly to treat risk management as a
source of information, not as an integral part of business decision making.
Decisions were taken on risk positions without the debate that needed to
happen. To some degree, this is a matter of risk culture, but it also has to do
with governance structures inside organizations:
• The role of the board must be strengthened. Strengthening board
oversight of risk does not diminish the fundamental responsibility of management for the risk management process. Instead, it
should make sure that risk management receives some enhanced
attention in terms of oversight and, hopefully, a longer-term and
wider perspective. Chapter 4 on corporate governance elaborates
on the role and obligations of the board.
• Risk officers must be re-empowered. Some firms distinguish between
a “risk control” function, responsible for quantitative measures,
and a “risk management” function, which has a more strategic focus.
Either way, it is no longer appropriate for risk management to be only
an “after the fact” monitoring function. It needs to be included in
the development of the firm’s strategy and business model. Chief risk
officers (CROs) should not be just risk managers but also proactive
risk strategists. With the strength of regulators and an angry public
behind them, risk managers presently wield some clout. The trick
will be to make sure this lasts in periods of recovery (or growing corporate frustration with unexciting returns). Chapter 4 elaborates on
the role of the CRO in a best-practice institution.
xviii • Introduction to the Second Edition
Inadequate Execution of the Originate-to-Distribute
Business Model
One common view is that the crisis was caused by the originate-todistribute (OTD) model of securitization, through which lower quality
loans were transformed into highly rated securities. To some extent, this
characterization is unfortunately true.
The OTD model of securitization reduced incentives for the originator of the loan to monitor the creditworthiness of the borrower,
because the originator had little or no skin in the game. In the securitization food chain for U.S. mortgages, intermediaries in the chain made
fees while transferring credit into an investment product with such an
opaque structure that even the most sophisticated investors had no real
idea what they were holding.
Although the pre-crisis OTD model of securitization, and its lack
of checks and balances, was clearly an important factor, the huge losses
that affected banks, especially investment banks, mainly occurred because
financial institutions did not follow the business model of securitization.
Rather than acting as intermediaries by transferring the risk from mortgage lenders to capital market investors, these institutions themselves took
on the role of investors. Chapter 12 elaborates on this issue.
Poor Underwriting Standards
The OTD model generated a huge demand for loans to feed the securitization machine, and this in itself contributed to a lowering of underwriting
standards. But benign macroeconomic conditions and low default rates
also gave rise to complacency and an erosion of sound practices in the
world’s financial industries. Across a range of credit segments, business
volumes grew much more quickly than investment in the supporting infrastructure of controls and documentation. The demand for high-yielding
assets encouraged a loosening of credit standards and, particularly in the
U.S. subprime mortgage market, not just lax but fraudulent practices proliferated from late 2004. Chapter 9 elaborates further on the issue of retail
risk management.
Introduction to the Second Edition • xix
Shortcomings in Firms’ Risk Management Practices
The crisis highlighted the risk of model error when making risk assessments. The risk control/risk management function must become more
transparent about the limitations of risk metrics and models used to make
important decisions in the firm. Models are powerful tools, but they necessarily involve simplifications and assumptions; they must be approached
critically and with a heavy dash of expert judgment. When risk metrics,
models, and ratings become ends in themselves, they become obstacles
to true risk identification. This applies also to the post-crisis rash of new
models and risk assessment procedures. Chapter 15 analyzes the problems
associated with model risk.
• Stress testing and scenario analysis. Stress testing, discussed in
Chapter 16, is now a formal requirement of Basel III and the
Dodd-Frank Act and has become a much more prominent part
of the risk manager’s toolkit. Properly applied, stress testing is a
critical diagnostic and risk identification tool, but it can be counterproductive if it becomes too mechanical or consumes resources
unproductively. It is important to approach stress testing as one
aspect of a multifaceted risk analysis program. In particular, stress
testing must be carefully designed to gauge the business strengths
and weaknesses of each individual firm; it cannot follow a “one size
fits all” approach. Firms need to ensure that stress testing methodologies and policies are consistently applied throughout the firm,
take into account multiple risk factors, and adequately deal with
correlations between risk factors. Results must have a meaningful
impact on business decisions.
• Concentration risk. Firms need to improve their firmwide management of concentration risks, embracing not only large risks
from individual borrowers but also concentrations in sectors, geographic regions, economic factors, counterparties, and financial
guarantors. For example, a concentrated exposure to one (exotic)
product can give rise to major losses during a market shock if
liquidity dries up and it becomes impossible to rebalance a hedging position in a timely fashion.
xx • Introduction to the Second Edition
• Counterparty credit risk. The subprime crisis highlighted several
shortcomings of over-the-counter (OTC) trading in credit derivatives, most notably the treatment of counterparty credit risk. The
primary issue is that collateral and margin requirements are set
bilaterally in OTC trading and do not take account of the risk
imposed on the rest of the system (e.g., as experienced following the failures of Lehman Brothers and the quasi-bankruptcies
of Bear Stearns, AIG, and others). Counterparty credit risk is
discussed in Chapter 13.
Overreliance on Misleading Ratings from Rating
Agencies
Credit rating agencies were at the center of the 2007–2009 crisis, as many
investors had relied on their ratings to assess the risk of mortgage bonds,
asset-backed commercial paper issued by structured investment vehicles, and
the monolines that insured municipal bonds and structured credit products.
Money market funds are restricted to investing in AAA-rated
assets, while pension funds and municipalities are restricted to investing in investment-grade assets.3 In the low interest rate environment of
the period before the crisis, many of these conservative investors invested
in assets that were complex and contained exposure to subprime assets,
mainly because these instruments were given an investment-grade rating or higher while promising a yield above that of traditional assets, such
as corporate and Treasury bonds, with an equivalent rating. Chapter 10
discusses ratings and the controversial role of the rating agencies.
Poor Investor Due Diligence
Many investors placed excessive reliance on credit ratings, neither questioning the methodologies of the credit rating agencies nor fully understanding the risk characteristics of rated products. Also, many investors
Most of the US$2.5 trillion sitting in money market funds is traditionally invested in such
assets as U.S. Treasury bills, certificates of deposit, and short-term commercial debt.
3
Introduction to the Second Edition • xxi
erroneously took comfort from the belief that insurance companies conducted a thorough investigation into the assets they insured.4
Going forward, institutional investors will have to upgrade their risk
infrastructure in order to assess risk independently of external rating agencies. If institutions are not willing or able to do this, they should probably
refrain from investing in complex structured products.
For U.S. retail investors who lack the knowledge and the tools to
evaluate and make decisions about financial products, the Dodd-Frank
Act creates the Bureau of Consumer Financial Protection (BCFP) as an
independent bureau within the Federal Reserve System. However, it is
by no means certain that more vigilant consumer protection would have
prevented the speculative frenzy in the housing market in the run-up to
the financial crisis. In Chapter 3, we discuss the Dodd-Frank Act in more
detail.
Incentive Compensation Distortions
Incentive compensation should align compensation with long-term shareholder interests and risk-adjusted return on capital. Over the two decades
before the 2007–2009 financial crisis, bankers and traders had increasingly
been rewarded with bonuses tied to short-term profits, giving them an
incentive to take excessive risks, leverage up their investments, and sometimes bet the entire bank on astonishingly reckless investment strategies.
More on this topic in Chapter 4 and Chapter 17, where we discuss the
RAROC (risk-adjusted return on capital) approach.
Weaknesses in Disclosure
Weaknesses in public disclosures by financial institutions, particularly
concerning the type and magnitude of risks associated with on- and offbalance-sheet exposures, damaged market confidence during the 2007–
2009 financial crisis. This remains a significant challenge to the world’s
Floyd Norris, “Insurer’s Maneuver Wins a Pass in Court,” New York Times, Business
Section, March 8, 2013.
4
xxii • Introduction to the Second Edition
financial industries. The need to disclose more information is a requirement of Basel II/III, discussed in Chapter 3.
Valuation Problems in a Mark-to-Market World
Fair value/mark-to-market accounting has generally proven highly valuable in promoting transparency and market discipline and is an effective
and reliable accounting method for securities in liquid markets. However,
in secondary markets that may have no or severely limited liquidity, it can
create serious valuation problems and can also increase the uncertainties
around any valuations. Chapter 3 and the appendix to Chapter 1 elaborate
further on this issue.
Liquidity Risk Management
During the boom years, many banks and other financial institutions
allowed themselves to become vulnerable to any prolonged disruption in
their funding markets. However, the 2007�����������������������������
–����������������������������
2009 financial crisis demonstrated, once and for all, how extraordinarily dysfunctional the interbank
funding market can become in times of uncertainty.
Liquidity risk is not a new threat: it lay behind the failure of LTCM
(Long Term Capital Management) in August 1998, discussed in Chapter 15,
and a number of historical bank failures. In the post-crisis era, however,
risk managers will need to be wary of overdependence on any single form
of funding, including access to securities markets, in their day-to-day
liquidity risk management, stress testing, and contingency planning. As we
discuss in Chapter 3, Basel III has introduced a new liquidity framework to
address liquidity risk. Banks will have to satisfy two liquidity ratios—i.e.,
a liquidity coverage ratio (LCR) and a net stable funding ratio (NSFR).
Chapter 8 discusses funding risk more broadly.
Systemic Risk
Of the many regulatory issues at stake in the post-crisis era, one is of primary
importance: systemic risk. How can we construct a system that prevents
Introduction to the Second Edition • xxiii
decisions made in a single institution, or a small group of institutions, from
plunging the world’s economies into deep recession? Somehow, the system
must be engineered to prevent one failure’s causing a chain reaction or domino
effect on other institutions that threatens the stability of the financial markets.
Systemic risk and the regulators’ efforts to prevent it is a recurring theme in the
chapters of this book, especially Chapters 3 and 13.
Procyclicality
Banks are said to behave in a procyclical fashion when their actions amplify
the momentum of the underlying economic cycle—e.g., by intensifying
lending during economic booms or imposing more stringent restrictions or
risk assessments on loans during a downturn. Procyclicality partly explains
the correlations between asset prices that we see in the financial sector. The
forces that contribute to procyclicality are the regulatory capital regime,
risk measurement techniques such as value-at-risk, loan-loss provisioning
practices, interaction between valuation and leverage, and compensationbased incentives. Basel III includes several mechanisms for mitigating procyclicality, such as a countercyclical capital cushion and reduced reliance
on cyclical VaR-based capital requirements (e.g., by expanding the role of
stress testing). Procyclicality is discussed in Chapter 3.
This page intentionally left blank
1
RISK MANAGEMENT:
A HELICOPTER VIEW 1
The future cannot be predicted. It is uncertain, and no one has ever been suc-
cessful in consistently forecasting the stock market, interest rates, exchange rates,
or commodity prices—or credit, operational, and systemic events with major
financial implications. However, the financial risk that arises from uncertainty
can be managed. Indeed, much of what distinguishes modern economies from
those of the past is the new ability to identify risk, to measure it, to appreciate its
consequences, and then to take action accordingly, such as transferring or mitigating the risk. One of the most important aspects of modern risk management
is the ability, in many instances, to price risks and ensure that risks undertaken
in business activities are correctly rewarded.
This simple sequence of activities, shown in more detail in Figure 1-1, is
often used to define risk management as a formal discipline. But it’s a sequence
that rarely runs smoothly in practice. Sometimes simply identifying a risk is the
critical problem; at other times arranging an efficient economic transfer of the risk
is the skill that makes one risk manager stand out from another. (In Chapter 2 we
discuss the risk management process from the perspective of a corporation.)
To the unwary, Figure 1-1 might suggest that risk management is a continual process of corporate risk reduction. But we mustn’t think of the modern
attempt to master risk in defensive terms alone. Risk management is really about
how firms actively select the type and level of risk that it is appropriate for them
We acknowledge the coauthorship of Rob Jameson in this chapter.
1
1
2 • The Essentials of Risk Management
FIGURE 1-1 The Risk Management Process
Identify risk
exposures
Measure and estimate
risk exposures
Find instruments and
facilities to shift
or trade risks
Assess effects
of exposures
Assess costs and
benefits of instruments
Form a risk mitigation
strategy:
• Avoid
• Transfer
• Mitigate
• Keep
Evaluate performance
to assume. Most business decisions are about sacrificing current resources for
future uncertain returns.
In this sense, risk management and risk taking aren’t opposites, but two sides
of the same coin. Together they drive all our modern economies. The capacity to
make forward-looking choices about risk in relation to reward, and to evaluate
performance, lies at the heart of the management process of all enduringly successful corporations.
Yet the rise of financial risk management as a formal discipline has been
a bumpy affair, especially over the last 15 years. On the one hand, we have
had some extraordinary successes in risk management mechanisms (e.g., the
Risk Management: A Helicopter View • 3
lack of financial institution bankruptcies in the downturn in credit quality
in 2001–2002) and we have seen an extraordinary growth in new institutions
that earn their keep by taking and managing risk (e.g., hedge funds). On the
other hand, the spectacular failure to control risk in the run-up to the 2007–2009
financial crisis revealed fundamental weaknesses in the risk management
process of many banks and the banking system as a whole.
As a result, risk management is now widely acknowledged as one of the
most powerful forces in the world’s financial markets, in both a positive and a
negative sense. A striking example is the development of a huge market for credit
derivatives, which allows institutions to obtain insurance to protect themselves
against credit default and the widening of credit spreads (or, alternatively, to get
paid for assuming credit risk as an investment). Credit derivatives can be used
to redistribute part or all of an institution’s credit risk exposures to banks, hedge
funds, or other institutional investors. However, the misuse of credit derivatives
also helped to destabilize institutions during the 2007–2009 crisis and to fuel
fears of a systemic meltdown.
Back in 2002, Alan Greenspan, then chairman of the U.S. Federal Reserve
Board, made some optimistic remarks about the power of risk management to
improve the world, but the conditionality attached to his observations proved to
be rather important:
The development of our paradigms for containing risk has emphasized dispersion of risk to those willing, and presumably able, to bear it. If risk is properly
dispersed, shocks to the overall economic system will be better absorbed and
less likely to create cascading failures that could threaten financial stability.2
In the financial crisis of 2007–2009, risk turned out to have been concentrated rather than dispersed, and this is far from the only embarrassing failure of
risk management in recent decades. Other catastrophes range from the near failure of the giant hedge fund Long-Term Capital Management (LTCM) in 1998 to
the string of financial scandals associated with the millennial boom in the equity
and technology markets (from Enron, WorldCom, Global Crossing, and Qwest
in the United States to Parmalat in Europe and Satyam in Asia).
Remarks by Chairman Alan Greenspan before the Council on Foreign Relations, Washington,
D.C., November 19, 2002.
2
4 • The Essentials of Risk Management
Unfortunately, risk management has not consistently been able to prevent market disruptions or to prevent business accounting scandals resulting
from breakdowns in corporate governance. In the case of the former problem,
there are serious concerns that derivative markets make it easier to take on large
amounts of risk, and that the “herd behavior” of risk managers after a crisis gets
underway (e.g., selling risky asset classes when risk measures reach a certain
level) actually increases market volatility.
Sophisticated financial engineering played a significant role in obscuring
the true economic condition and risk-taking of financial companies in the runup to the 2007–2009 crisis, and also helped to cover up the condition of many
nonfinancial corporations during the equity markets’ millennial boom and bust.
Alongside simpler accounting mistakes and ruses, financial engineering can
lead to the violent implosion of firms (and industries) after years of false success,
rather than the firms’ simply fading away or being taken over at an earlier point.
Part of the reason for risk management’s mixed record here lies with the
double-edged nature of risk management technologies. Every financial instrument
that allows a company to transfer risk also allows other corporations to assume
that risk as a counterparty in the same market—wisely or not. Most important,
every risk management mechanism that allows us to change the shape of cash
flows, such as deferring a negative outcome into the future, may work to the shortterm benefit of one group of stakeholders in a firm (e.g., managers) at the same
time that it is destroying long-term value for another group (e.g., shareholders
or pensioners). In a world that is increasingly driven by risk management concepts and technologies, we need to look more carefully at the increasingly fluid
and complex nature of risk itself, and at how to determine whether any change in a
corporation’s risk profile serves the interests of stakeholders. We need to make sure
we are at least as literate in the language of risk as we are in the language of reward.
The nature of risk forms the topic of our next section, and it will lead us to
the reason we’ve tried to make this book accessible to everyone, from shareholders,
board members, and top executives to line managers, legal and back-office staff,
and administrative assistants. We’ve removed from this book many of the complexities of mathematics that act as a barrier to understanding the essential principles
of risk management, in the belief that, just as war is too important to be left to the
generals, risk management has become too important to be left to the “rocket scientists” of the world of financial derivatives. This book is made suitable to students
at colleges and universities who are interested in the emerging and expanding field
of risk management in financial as well as nonfinancial corporations.
Risk Management: A Helicopter View • 5
What Is Risk?
We’re all faced with risk in our everyday lives. And although risk is an abstract
term, our natural human understanding of the trade-offs between risk and
reward is pretty sophisticated. For example, in our personal lives, we intuitively
understand the difference between a cost that’s already been budgeted for (in risk
parlance, a predictable or expected loss) and an unexpected cost (at its worst, a
catastrophic loss of a magnitude well beyond losses seen in the course of normal
daily life).
In particular, we understand that risk is not synonymous with the size of a
cost or of a loss. After all, some of the costs we expect in daily life are very large
indeed if we think in terms of our annual budgets: food, fixed mortgage payments, college fees, and so on. These costs are big, but they are not a threat to our
ambitions because they are reasonably predictable and are already allowed for in
our plans.
The real risk is that these costs will suddenly rise in an entirely unexpected
way, or that some other cost will appear from nowhere and steal the money we’ve
set aside for our expected outlays. The risk lies in how variable our costs and revenues really are. In particular, we care about how likely it is that we’ll encounter a
loss big enough to upset our plans (one that we have not defused through some
piece of personal risk management such as taking out a fixed-rate mortgage, setting aside savings for a rainy day, and so on).
This day-to-day analogy makes it easier to understand the difference
between the risk management concepts of expected loss (or expected costs) and
unexpected loss (or unexpected cost). Understanding this difference is the key
to understanding modern risk management concepts such as economic capital attribution and risk-adjusted pricing. (However, this is not the only way to
define risk, as we’ll see in Chapter 5, which discusses various academic theories
that shed more light on the definition and measurement of risk.)
One of the key differences between our intuitive conception of risk and
a more formal treatment of it is the use of statistics to define the extent and
potential cost of any exposure. To develop a number for unexpected loss, a bank
risk manager first identifies the risk factors that seem to drive volatility in any
outcome (Box 1-1) and then uses statistical analysis to calculate the probabilities of various outcomes for the position or portfolio under consideration. This
probability distribution can be used in various ways. For example, the risk manager might pinpoint the area of the distribution (i.e., the extent of loss) that the
6 • The Essentials of Risk Management
institution would find worrying, given the probability of this loss occurring (e.g.,
is it a 1 in 10 or a 1 in 10,000 chance?).
BOX 1-1 RISK FACTORS AND THE MODELING OF RISK
In order to measure risk, the risk analyst first seeks to identify the key factors
that seem likely to cause volatility in the returns from the position or portfolio
under consideration. For example, in the case of an equity investment, the
risk factor will be the volatility of the stock price (categorized in the appendix
to this chapter as a market risk), which can be estimated in various ways.
In this case, we identified a single risk factor. But the number of risk
factors that are considered in a risk analysis—and included in any risk
modeling—varies considerably depending on both the problem and the
sophistication of the approach. For example, in the recent past, bank risk
analysts might have analyzed the risk of an interest-rate position in terms
of the effect of a single risk factor—e.g., the yield to maturity of government
bonds, assuming that the yields for all maturities are perfectly correlated.
But this one-factor model approach ignored the risk that the dynamic of
the term structure of interest rates is driven by more factors—e.g., the forward rates. Nowadays, leading banks analyze their interest-rate exposures
using at least two or three factors, as we describe in Chapter 6.
Further, the risk manager must also measure the influence of the risk
factors on each other, the statistical measure of which is the “covariance.” Disentangling the effects of multiple risk factors and quantifying the influence
of each is a fairly complicated undertaking, especially when covariance alters
over time (i.e., is stochastic, in the modeler’s terminology). There is often a distinct difference in the behavior and relationship of risk factors during normal
business conditions and during stressful conditions such as financial crises.
Under ordinary market conditions, the behavior of risk factors is
relatively less difficult to predict because it does not change significantly in
the short and medium term: future behavior can be extrapolated, to some
extent, from past performance. However, during stressful conditions, the
behavior of risk factors becomes far more unpredictable, and past behavior
may offer little help in predicting future behavior. It’s at this point that statistically measurable risk threatens to turn into the kind of unmeasurable
uncertainty that we discuss in Box 1-2.
Risk Management: A Helicopter View • 7
The distribution can also be related to the institution’s stated “risk appetite”
for its various activities. For example, as we discuss in Chapter 4, the senior risk
committee at the bank might have set boundaries on the amount of risk that
the institution is willing to take by specifying the maximum loss it is willing to
tolerate at a given level of confidence, such as, “We are willing to countenance a
1 percent chance of a $50 million loss from our trading desks on any given day.”
(At this point we should explain that while some chapters of this book focus on
aspects of bank risk management—e.g., in Chapter 3 we elaborate on the regulation of risk management in banks—the risk management issues and concepts
we cover are encountered in some form by many other industries and organizations, as we highlight in Chapter 2.)
Since the 2007–2009 financial crisis, risk managers have tried to move away
from an overdependence on historical-statistical treatments of risk. For example, they have laid more emphasis on scenario analysis and stress testing, which
examine the impact or outcomes of a given adverse scenario or stress on a firm
(or portfolio). The scenario may be chosen not on the basis of statistical analysis,
but instead simply because it is both plausible and suitably severe—essentially, a
judgment call. However, it can be difficult and perhaps unwise to remove statistical approaches from the picture entirely. For example, in the more sophisticated
forms of scenario analysis, the firm will need to examine how a change in a given
macroeconomic factor (e.g., unemployment rate) leads to a change in a given
risk factor (e.g., the probability of default of a corporation). Making this link
almost inevitably means looking back to the past to examine the nature of the
statistical relationship between macroeconomic factors and risk factors, though
a degree of judgment must also be factored into the analysis.
The use of statistical, economic, and stress testing concepts can make risk
management sound pretty technical. But the risk manager is simply doing more
formally what we all do when we ask ourselves in our personal lives, “How bad,
within reason, might this problem get?” The statistical models can also help in
pricing risk, or pricing the instruments that help to eliminate or mitigate the
risks.
What does our distinction between expected loss and unexpected loss
mean in terms of running a financial business, such as a specific banking business line? Well, the expected credit loss for a credit card portfolio, for example,
refers to how much the bank expects to lose, on average, as a result of fraud and
defaults by cardholders over a period of time, say one year. In the case of large
and well-diversified portfolios (i.e., most consumer credit portfolios), expected
8 • The Essentials of Risk Management
loss accounts for almost all the losses that are incurred in normal times. Because
it is, by definition, predictable, expected loss is generally viewed as one of the
costs of doing business, and ideally it is priced into the products and services
offered to the customer. For credit cards, the expected loss is recovered by charging the businesses a certain commission (2 to 4 percent) and by charging a spread
to the customer on any borrowed money, over and above the bank’s funding cost
(i.e., the rate the bank pays to raise funds in the money markets and elsewhere).
The bank recovers mundane operating costs, such as the salaries it pays tellers,
in much the same way.
The level of loss associated with a large standard credit card portfolio is
relatively predictable because the portfolio is made up of numerous bite-sized
exposures and the fortunes of most customers, most of the time, are not closely
tied to one another. On the whole, you are not much more likely to lose your
job today because your neighbor lost hers last week. There are some important
exceptions to this, of course. During a prolonged and severe recession, your
fortunes may become much more correlated with those of your neighbor, particularly if you work in the same industry and live in a particularly vulnerable
region. Even in the relatively good times, the fortunes of small local banks, as
well as their card portfolios, are somewhat driven by socioeconomic characteristics, as we discuss in Chapter 9.
A corporate loan portfolio, however, tends to be much “lumpier” than
a retail portfolio (i.e., there are more big loans). Furthermore, if we look at
industry data on commercial loan losses over a period of decades, it’s much
more apparent that in some years losses spike upward to unexpected loss
levels, driven by risk factors that suddenly begin to act together. For example,
the default rate for a bank that lends too heavily to the technology sector will
be driven not just by the health of individual borrowers, but by the business
cycle of the technology sector as a whole. When the technology sector shines,
making loans will look risk-free for an extended period; when the economic
rain comes, it will soak any banker that has allowed lending to become too
concentrated among similar or interrelated borrowers. So, correlation risk—the
tendency for things to go wrong together—is a major factor when evaluating
the risk of this kind of portfolio.
The tendency for things to go wrong together isn’t confined to the clustering of defaults among a portfolio of commercial borrowers. Whole classes of risk
Risk Management: A Helicopter View • 9
factors can begin to move together, too. In the world of credit risk, real estate–
linked loans are a famous example of this: they are often secured with real estate
collateral, which tends to lose value at exactly the same time that the default rate
for property developers and owners rises. In this case, the “recovery-rate risk” on
any defaulted loan is itself closely correlated with the “default-rate risk.” The two
risk factors acting together can sometimes force losses abruptly skyward.
In fact, anywhere in the world that we see risks (and not just credit risks)
that are lumpy (i.e., in large blocks, such as very large loans) and that are driven
by risk factors that under certain circumstances can become linked together (i.e.,
that are correlated), we can predict that at certain times high “unexpected losses”
will be realized. We can try to estimate how bad this problem is by looking at
the historical severity of these events in relation to any risk factors that we define
and then examining the prevalence of these risk factors (e.g., the type and concentration of real estate collateral) in the particular portfolio under examination.
A detailed discussion of the problem of assessing and measuring the credit
risk associated with commercial loans, and with whole portfolios of loans, takes
up most of Chapters 10 and 11 of this book. But our general point immediately
explains why bankers became so excited about new credit risk transfer technologies such as credit derivatives, described in detail in Chapter 12. These bankers
weren’t looking to reduce predictable levels of loss. Instead, the new instruments
seemed to offer ways to put a cap on the problem of high unexpected losses and
all the capital costs and uncertainty that these bring.
The conception of risk as unexpected loss underpins two key concepts
that we’ll deal with in more detail later in this book: value-at-risk (VaR) and
economic capital. VaR, described and analyzed in Chapter 7, is a statistical
measure that defines a particular level of loss in terms of its chances of occurrence (the “confidence level” of the analysis, in risk management jargon). For
example, we might say that our options position has a one-day VaR of $1 million
at the 99 percent confidence level, meaning that our risk analysis shows that
there is only a 1 percent probability of a loss that is greater than $1 million on
any given trading day.
In effect, we’re saying that if we have $1 million in liquid reserves, there’s
little chance that the options position will lead to insolvency. Furthermore,
because we can estimate the cost of holding liquid reserves, our risk analysis
gives us a pretty good idea of the cost of taking this risk.
10 • The Essentials of Risk Management
Under the risk paradigm we’ve just described, risk management becomes
not the process of controlling and reducing expected losses (which is essentially
a budgeting, pricing, and business efficiency concern), but the process of understanding, costing, and efficiently managing unexpected levels of variability in
the financial outcomes for a business. Under this paradigm, even a conservative
business can take on a significant amount of risk quite rationally, in light of
•• Its confidence in the way it assesses and measures the unexpected loss
levels associated with its various activities
•• The accumulation of sufficient capital or the deployment of other risk
management techniques to protect against potential unexpected loss levels
•• Appropriate returns from the risky activities, once the costs of risk capital and risk management are taken into account
•• Clear communication with stakeholders about the company’s target risk
profile (i.e., its solvency standard once risk-taking and risk mitigation
are accounted for)
This takes us back to our assertion that risk management is not just a
defensive activity. The more accurately a business understands and can measure
its risks against potential rewards, its business goals, and its ability to withstand
unexpected but plausible scenarios, the more risk-adjusted reward the business
can aggressively capture in the marketplace without driving itself to destruction.
As Box 1-2 discusses, it’s important in any risk analysis to acknowledge that some factors that might create volatility in outcomes simply can’t be
measured—even though they may be very important. The presence of this kind
of risk factor introduces an uncertainty that needs to be made transparent, and
perhaps explored using the kind of worst-case scenario analysis we describe in
Chapter 16. Furthermore, even when statistical analysis of risk can be conducted,
it’s vital to make explicit the robustness of the underlying model, data, and risk
parameter estimation—a topic that we treat in detail in Chapter 15, “Model Risk.”
The Conflict of Risk and Reward
In financial markets, as well as in many commercial activities, if one wants to
achieve a higher rate of return on average, one often has to assume more risk.
But the transparency of the trade-off between risk and return is highly variable.
Risk Management: A Helicopter View • 11
BOX 1-2 RISK, UNCERTAINTY . . . AND TRANSPARENCY ABOUT THE
DIFFERENCE
In this chapter, we discuss risk as if it were synonymous with uncertainty.
In fact, since the 1920s and a famous dissertation by Chicago economist
Frank Knight,1 thinkers about risk have made an important distinction
between the two: variability that can be quantified in terms of probabilities
is best thought of as “risk,” while variability that cannot be quantified at all
is best thought of simply as “uncertainty.”
In a speech some years ago,2 Mervyn King, then governor of the Bank
of England, usefully pointed up the distinction using the example of the
pensions and insurance industries. Over the last century, these industries
have used statistical analysis to develop products (life insurance, pensions, annuities, and so on) that are important to us all in looking after
the financial well-being of our families. These products act to “collectivize”
the financial effects of any one individual’s life events among any given
generation.
Robust statistical tools have been vital in this collectivization of risk
within a generation, but the insurance and investment industries have not
found a way to put a robust number on key risks that arise between generations, such as how much longer future generations might live and what this
might mean for life insurance, pensions, and so on. Some aspects of the
future remain not just risky, but uncertain. Statistical science can help us to
only a limited degree in understanding how sudden advances in medical
science or the onset of a new disease such as AIDS might drive longevity
up or down.
As King pointed out in his speech, “No amount of complex demographic modeling can substitute for good judgment about those unknowns.”
Frank H. Knight, Risk, Uncertainty and Profit, Boston, MA: Hart, Schaffner & Marx;
Houghton Mifflin Company, 1921.
1
2
Mervyn King, “What Fates Impose: Facing Up to Uncertainty,” Eighth British Academy Annual Lecture, December 2004.
12 • The Essentials of Risk Management
Indeed, attempts to forecast changes in longevity over the last 20 years
have all fallen wide of the mark (usually proving too conservative).3
As this example helps make clear, one of the most important things
that a risk manager can do when communicating a risk analysis is to be
clear about the degree to which the results depend on statistically measurable risk, and the degree to which they depend on factors that are entirely
uncertain at the time of the analysis—a distinction that may not be obvious to the reader of a complex risk report at first glance.
In his speech, King set out two principles of risk communication for
public policy makers that could equally well apply to senior risk committees at corporations looking at the results of complex risk calculations:
First, information must be provided objectively and placed in context so
that risks can be assessed and understood. Second, experts and policy
makers must be open about the extent of our knowledge and our ignorance. Transparency about what we know and what we don’t know, far
from undermining credibility, helps to build trust and confidence.
We can’t measure uncertainties, but we can still assess and manage them through
worst-case scenarios, risk transfer, and so on. Indeed, a market is emerging that may help
institutions to manage the financial risks of increased longevity. In 2003, reinsurance companies and banks began to issue financial instruments with returns linked to the aggregate
longevity of specified populations, though the market for instruments that can help to
manage longevity risk is still relatively immature.
3
In some cases, relatively efficient markets for risky assets help to make clear
the returns that investors demand for assuming risk. For example, Figure 6-1,
in Chapter 6, illustrates the risk/return relationship in the U.S. bond markets,
showing the spreads for government bonds and corporate bonds of different ratings and maturities since 2007.
Even in the bond markets, the “price” of credit risk implied by these numbers
for a particular counterparty is not quite transparent. Though bond prices are a
pretty good guide to relative risk, various additional factors, such as liquidity risk
and tax effects, confuse the price signal (as we discuss in Chapter 11). Moreover,
investors’ appetite for assuming certain kinds of risk varies over time. Sometimes
the differential in yield between a risky and a risk-free bond narrows to such an
extent that commentators talk of an “irrational” price of credit. That was the case
Risk Management: A Helicopter View • 13
during the period from early 2005 to mid-2007, until the eruption of the subprime
crisis. With the eruption of the crisis, credit spreads moved up dramatically, and
reached a peak following the collapse of Lehman Brothers in September 2008.
However, in the case of risks that are not associated with any kind of
market-traded financial instrument, the problem of making transparent the
relationship between risk and reward is even more profound. A key objective of risk management is to tackle this issue and make clear the potential for
large losses in the future arising from activities that generate an apparently
attractive stream of profits in the short run.
Ideally, discussions about this kind of trade-off between future profits and
opaque risks would be undertaken within corporations on a basis that is rational
for the firm as a whole. But organizations with a poor risk management and risk
governance culture sometimes allow powerful business leaders to exaggerate the
potential returns while diminishing the perceived potential risks. When rewards
are not properly adjusted for economic risk, it’s tempting for the self-interested
to play down the potential for unexpected losses to spike somewhere in the
economic cycle and to willfully misunderstand how risk factors sometimes
come together to give rise to severe correlation risks. Management itself might
be tempted to leave gaps in risk measurement that, if mended, would disturb
the reported profitability of a business franchise. (The run-up to the 2007–2009
financial crisis provided many examples of such behavior.)
This kind of risk management failure can be hugely exacerbated by the
compensation incentive schemes of the companies involved. In many firms
across a broad swathe of industries, bonuses are paid today on profits that may
later turn out to be illusory, while the cost of any associated risks is pushed,
largely unacknowledged, into the future.
We can see this general process in the banking industry in every credit cycle
as banks loosen rules about the granting of credit in the favorable part of the
cycle, only to stamp on the credit brakes as things turn sour. The same dynamic
happens whenever firms lack the discipline or means to adjust their present
performance measures for an activity to take account of any risks incurred. For
example, it is particularly easy for trading institutions to move revenues forward
through either a “mark-to-market” or a “market-to-model” process. This process
employs estimates of the value the market puts on an asset to record profits on the
income statement before cash is actually generated; meanwhile, the implied cost
of any risk can be artificially reduced by applying poor or deliberately distorted
risk measurement techniques.
14 • The Essentials of Risk Management
This collision between conflicts of interest and the opaque nature of risk
is not limited solely to risk measurement and management at the level of the
individual firm. Decisions about risk and return can become seriously distorted
across whole financial industries when poor industry practices and regulatory
rules allow this to happen—famous examples being the U.S. savings and loan
crisis in the 1980s and early 1990s (see Box 8-1) and the more recent subprime
crisis. History shows that industry regulators can also be drawn into the deception. When the stakes are high enough, regulators all around the world have
colluded with local banking industries to allow firms to misrecord and misvalue
risky assets on their balance sheets, out of fear that forcing firms to state their
true condition will prompt mass insolvencies and a financial crisis.
Perhaps, in these cases, regulators think they are doing the right thing in
safeguarding the financial system, or perhaps they are just desperate to postpone
any pain beyond their term of office (or that of their political masters). For our
purposes, it’s enough to point out that the combination of poor standards of risk
measurement with a conflict of interest is extraordinarily potent at many levels—both inside the company and outside.
The Danger of Names
So far, we’ve been discussing risk in terms of its expected and unexpected nature.
We can also divide up our risk portfolio according to the type of risk that we
are running. In this book, we follow the latest regulatory approach in the global
banking industry to highlight three major broad risk categories that are controllable and manageable:
Market risk is the risk of losses arising from changes in market risk
factors. Market risk can arise from changes in interest rates, foreign
exchange rates, or equity and commodity price factors.3
Credit risk is the risk of loss following a change in the factors that drive
the credit quality of an asset. These include adverse effects arising from
credit grade migration, including default, and the dynamics of recovery
rates.
The definition and breakdown of market risk into these four broad categories is consistent with
the accounting standards of IFRS and GAPP in the United States.
3
Risk Management: A Helicopter View • 15
Operational risk refers to financial loss resulting from a host of potential operational breakdowns that we can think in terms of risk of loss
resulting from inadequate or failed internal processes, people, and
systems, or from external events (e.g., frauds, inadequate computer systems, a failure in controls, a mistake in operations, a guideline that has
been circumvented, or a natural disaster).
Understanding the various types of risk is important, beyond the banking industry, because each category demands a different (but related) set of risk
management skills. The categories are often used to define and organize the risk
management functions and risk management activities of a corporation. We’ve
added an appendix to this chapter that offers a longer and more detailed family
tree of the various types of risks faced by corporations, including key additional
risks such as liquidity risk and strategic risk. This risk taxonomy can be applied
to any corporation engaged in major financial transactions, project financing,
and providing customers with credit facilities.
The history of science, as well as the history of management, tells us
that classification schemes like this are as valuable as they are dangerous.
Giving a name to something allows us to talk about it, control it, and assign
responsibility for it. Classification is an important part of the effort to make
an otherwise ill-defined risk measurable, manageable, and transferable. Yet
the classification of risk is also fraught with danger because as soon as we
define risk in terms of categories, we create the potential for missed risks and
gaps in responsibilities—for being blindsided by risk as it flows across our
arbitrary dividing lines.
For example, a sharp peak in market prices will create a market risk for an
institution. Yet the real threat might be that a counterparty to the bank that is
also affected by the spike in market prices will default (credit risk), or that some
weakness in the bank’s systems will be exposed by high trading volumes (operational risk). If we think of price volatility in terms of market risk alone, we are
missing an important factor.
We can see the same thing happening from an organizational perspective.
While categorizing risks helps us to organize risk management, it fosters the
creation of “silos” of expertise that are separated from one another in terms of
personnel, risk terminology, risk measures, reporting lines, systems and data,
and so on. The management of risk within these silos may be quite efficient in
16 • The Essentials of Risk Management
terms of a particular risk, such as market or credit risk, or the risks run by a
particular business unit. But if executives and risk managers can’t communicate
with one another across risk silos, they probably won’t be able to work together
efficiently to manage the risks that are most important to the institution as a
whole.
Some of the most exciting recent advances in risk management are really
attempts to break down this natural organizational tendency toward silo risk
management. In the past, risk measurement tools such as VaR and economic
capital have evolved, in part, to facilitate integrated measurement and management of the various risks (market, credit, and operational) and business
lines. More recently, the trend toward worst-case scenario analysis is really
an attempt to look at the effect of macroeconomic scenarios on a firm across
its business lines and, often, across various types of risk (market, credit,
and so on).
We can also see in many industries a much more broadly framed trend
toward what consultants have labeled enterprisewide risk management, or
ERM. ERM is a concept with many definitions. Basically, though, ERM is
a deliberate attempt to break through the tendency of firms to operate in
risk management silos and to ignore enterprisewide risks, and an attempt to
take risk into consideration in business decisions much more explicitly than
has been done in the past. There are many potential ERM tools, including
conceptual tools that facilitate enterprisewide risk measurement (such as
economic capital and enterprisewide stress testing), monitoring tools that
facilitate enterprisewide risk identification, and organizational tools such as
senior risk committees with a mandate to look at all enterprisewide risks.
Through an ERM program, a firm limits its exposures to a risk level agreed
upon by the board and provides its management and board of directors
with reasonable assurances regarding the achievement of the organization’s
objectives.
As a trend, ERM is clearly in tune with a parallel drive toward the unification of risk, capital, and balance sheet management in financial institutions.
Over the last 10 years, it has become increasingly difficult to distinguish risk
management tools from capital management tools, since risk, according to
the unexpected loss risk paradigm we outlined earlier, increasingly drives the
allocation of capital in risk-intensive businesses such as banking and insurance.
Risk Management: A Helicopter View • 17
Similarly, it has become difficult to distinguish capital management tools from
balance sheet management tools, since risk/reward relationships increasingly
drive the structure of the balance sheet.
A survey in 2011 by management consultant Deloitte found that the
adoption of ERM has increased sharply over the last few years: “Fifty-two
percent of institutions reported having an ERM program (or equivalent),
up from 36 percent in 2008. Large institutions are more likely to face complex and interconnected risks, and among institutions with total assets of
$100 billion or more, 91 percent reported either having an ERM program in
place or [being] in the process of implementing one.”4 But we shouldn’t get
too carried away here. ERM is a goal, but most institutions are a long way
from fully achieving the goal.
Numbers Are Dangerous, Too
Once we’ve put boundaries around our risks by naming and classifying them,
we can also try to attach meaningful numbers to them. A lot of this book is
about this problem. Even if our numbers are only judgmental rankings of risks
within a risk class (Risk No. 1, Risk Rating 3, and so on), they can help us make
more rational in-class comparative decisions. More ambitiously, if we can assign
absolute numbers to some risk factor (a 0.02 percent chance of default versus a
0.002 percent chance of default), then we can weigh one decision against another
with some precision. And if we can put an absolute cost or price on a risk
(ideally using data from markets where risks are traded or from some internal
“cost of risk” calculation based on economic capital), then we can make truly
rational economic decisions about assuming, managing, and transferring risks.
At this point, risk management decisions become fungible with many other
kinds of management decision in the running of an enterprise.
But while assigning numbers to risk is incredibly useful for risk management and risk transfer, it’s also potentially dangerous. Only some kinds
of numbers are truly comparable, but all kinds of numbers tempt us to make
comparisons. For example, using the face value or “notional amount” of a bond
Deloitte, Global Risk Management Survey, seventh edition, 2011, p. 14.
4
18 • The Essentials of Risk Management
to indicate the risk of a bond is a flawed approach. As we explain in Chapter 7,
a million-dollar position in a par value 10-year Treasury bond does not represent
at all the same amount of risk as a million-dollar position in a 4-year par value
Treasury bond.
Introducing sophisticated models to describe risk is one way to defuse
this problem, but this has its own dangers. Professionals in the financial markets invented the VaR framework as a way of measuring and comparing risk
across many different markets. But as we discuss in Chapter 7, the VaR measure
works well as a risk measure only for markets operating under normal conditions and only over a short period, such as one trading day. Potentially, it’s a very
poor and misleading measure of risk in abnormal markets, over longer time
periods, or for illiquid portfolios.
Also, VaR, like all risk measures, depends for its integrity on a robust control environment. In recent rogue-trading cases, hundreds of millions of dollars
of losses have been suffered by trading desks that had orders not to assume VaR
exposures of more than a few million dollars. The reason for the discrepancy
is nearly always that the trading desks have found some way of circumventing
trading controls and suppressing risk measures. For example, a trader might falsify transaction details entered into the trade reporting system and use fictitious
trades to (supposedly) balance out the risk of real trades, or tamper with the
inputs to risk models, such as the volatility estimates that determine the valuation and risk estimation for an options portfolio.
The likelihood of this kind of problem increases sharply when those
around the trader (back-office staff, business line managers, even risk managers)
don’t properly understand the critical significance of routine tasks, such as an
independent check on volatility estimates, for the integrity of key risk measures.
Meanwhile, those reading the risk reports (senior executives, board members)
often don’t seem to realize that unless they’ve asked key questions about the
integrity of controls, they might as well tear up the risk report.
As we try to base our risk evaluations on past data and experience, we
should recall that all statistical estimation is subject to estimation errors, and
these can be substantial when the economic environment changes. In addition
we must remember that human psychology interferes with risk assessment.
Professor Daniel Kahneman, the Nobel laureate in Economics, warns us that
people tend to misassess extreme probabilities (very small ones as well as very
Risk Management: A Helicopter View • 19
large ones). Kahneman also points out that people tend to be risk-averse in the
domain of gains and risk-seeking in the domain of losses.5
While the specialist risk manager’s job is an increasingly important one, a
broad understanding of risk management must also become part of the wider
culture of the firm.
The Risk Manager’s Job
There are many aspects of the risk manager’s role that are open to confusion.
First and foremost, a risk manager is not a prophet! The role of the risk manager
is not to try to read a crystal ball, but to uncover the sources of risk and make
them visible to key decision makers and stakeholders in terms of probability. For
example, the risk manager’s role is not to produce a point estimate of the U.S.
dollar/euro exchange rate at the end of the year; but to produce a distribution
estimate of the potential exchange rate at year-end and explain what this might
mean for the firm (given its financial positions). These distribution estimates can
then be used to help make risk management decisions, and also to produce riskadjusted metrics such as risk-adjusted return on capital (RAROC).
As this suggests, the risk manager’s role is not just defensive—firms need
to generate and apply information about balancing risk and reward if they are
to compete effectively in the longer term (see Chapter 17). Implementing the
appropriate policies, methodologies, and infrastructure to risk-adjust numbers
and improve forward-looking business decisions is an increasingly important
element of the modern risk manager’s job.
But the risk manager’s role in this regard is rarely easy—these risk and
profitability analyses aren’t always accepted or welcomed in the wider firm when
they deliver bad news. Sometimes the difficulty is political (business leaders
want growth, not caution), sometimes it is technical (no one has found a bestpractice way to measure certain types of risk, such as reputation or franchise
risk), and sometimes it is systemic (it’s hard not to jump over a cliff on a business
idea if all your competitors are doing that too).
Daniel Kahneman, Thinking, Fast and Slow, Farrar, Straus and Giroux, 2011.
5
20 • The Essentials of Risk Management
This is why defining the role and reporting lines of risk managers within
the wider organization is so critical. It’s all very well for the risk manager to
identify a risk and measure its potential impact—but if risk is not made transparent to key stakeholders, or those charged with oversight on their behalf, then
the risk manager has failed. We discuss these corporate governance issues in
more detail in Chapter 4.
Perhaps the trickiest balancing act over the last few years has been trying
to find the right relationship between business leaders and the specialist risk
management functions within an institution. The relationship should be close,
but not too close. There should be extensive interaction, but not dominance.
There should be understanding, but not collusion. We can still see the tensions
in this relationship across any number of activities in risk-taking organizations—between the credit analyst and those charged with business development in commercial loans, between the trader on the desk and the market risk
management team, and so on. Where the balance of power lies will depend
significantly on the attitude of senior managers and on the tone set by the
board. It will also depend on whether the institution has invested in the analytical and organizational tools that support balanced, risk-adjusted decisions.
As the risk manager’s role is extended, we must increasingly ask difficult
questions: “What are the risk management standards of practice” and “Who is
checking up on the risk managers?” Out in the financial markets, the answer is
hopefully the regulators. Inside a corporation, the answer includes the institution’s audit function, which is charged with reviewing risk management’s actions
and its compliance with an agreed-upon set of policies and procedures (Chapter
4). But the more general answer is that risk managers will find it difficult to make
the right kind of impact if the firm as a whole lacks a healthy risk culture, including a good understanding of risk management practices, concepts, and tools.
The Past, the Future—and This Book’s Mission
We can now understand better why the discipline of risk management has had
such a bumpy ride across many industries over the last decade (see Box 1-3). The
reasons lie partly in the fundamentally elusive and opaque nature of risk—if it’s
not unexpected or uncertain, it’s not risk! As we’ve seen, “risk” changes shape
according to perspective, market circumstances, risk appetite, and even the classification schemes that we use.
Risk Management: A Helicopter View • 21
BOX 1-3 UPS AND DOWNS IN RISK MANAGEMENT
Ups
•• Dramatic explosion in the adoption of sophisticated risk management processes, driven by an expanding skill base and falling cost
of risk technologies
•• Increase in the skill levels and associated compensation of risk
management personnel as sophisticated risk techniques have been
adopted to measure risk exposures
•• Birth of new risk management markets in credit, commodities,
weather derivatives, and so on, representing some of the most
innovative and potentially lucrative financial markets in the world
•• Birth of global risk management industry associations as well as a
dramatic rise in the number of global risk management personnel
•• Extension of the risk measurement frontier out from traditional
measured risks such as market risk toward credit and operational
risks
•• Cross fertilization of risk management techniques across diverse
industries from banking to insurance, energy, chemicals, and
aerospace
•• Ascent of risk managers in the corporate hierarchy to become
chief risk officers, to become members of the top executive team
(e.g., part of the management committee), and to report to both
the CEO and the board of the company
Downs
•• The financial crisis of 2007–2009 revealed significant weaknesses
in managing systemic and cyclical risks.
•• Firms have been tempted to over-rely on historical-statistical
measures of risk—a weakness that improved stress testing seeks
to address.
•• Risk managers continue to find it a challenge to balance their
fiduciary responsibilities against the cost of offending powerful
business heads.
22 • The Essentials of Risk Management
•• Risk managers do not generate revenue and therefore have not
yet achieved the same status as the heads of successful revenuegenerating businesses.
•• It’s proving difficult to make truly unified measurements of different kinds of risk and to understand the destructive power of risk
interactions (e.g., credit and liquidity risk).
•• Quantifying risk exposure for the whole organization can be
hugely complicated and may descend into a “box ticking” exercise.
•• The growing power of risk managers could be a negative force in
business if risk management is interpreted as risk avoidance; it’s
possible to be too risk-averse.
The reasons also lie partly in the relative immaturity of financial risk management. Practices, personnel, markets, and instruments have been evolving
and interacting with one another continually over the last couple of decades to
set the stage for the next risk management triumph—and disaster. Rather than
being a set of specific activities, computer systems, rules, or policies, risk management is better thought of as a set of concepts that allow us to see and manage
risk in a particular and dynamic way.
Perhaps the biggest task in risk management is no longer to build
specialized mathematical measures of risk (although this endeavor certainly
continues). Perhaps it is to put down deeper risk management roots in each
organization. We need to build a wider risk culture and risk literacy, in which
all the key staff members engaged in a risky enterprise understand how they
can affect the risk profile of the organization—from the back office to the
boardroom, and from the bottom to the top of the house. That’s really what
this book is about. We hope it offers both nonmathematicians as well as mathematicians an understanding of the latest concepts in risk management so that
they can see the strengths and question the weaknesses of a given decision.
Nonmathematicians must feel able to contribute to the ongoing evolution of risk management practice. Along the way, we can also hope to give those
of our readers who are risk analysts and mathematicians a broader sense of how
their analytics fit into an overall risk program, and a stronger sense that their
role is to convey not just the results of any risk analysis, but also its meaning
(and any broader lessons from an enterprisewide risk management perspective).
Appendix 1.1
TYPOLOGY OF RISK
EXPOSURES
In Chapter 1 we defined risk as the volatility of returns leading to “unexpected
losses,” with higher volatility indicating higher risk. The volatility of returns is
directly or indirectly influenced by numerous variables, which we called risk factors, and by the interaction between these risk factors. But how do we consider
the universe of risk factors in a systematic way?
Risk factors can be broadly grouped together into the following major
categories: market risk, credit risk, liquidity risk, operational risk, legal and
regulatory risk, business risk, strategic risk, and reputation risk (Figure 1A-1).1
These categories can then be further decomposed into more specific categories,
as we show in Figure 1A-2 for market risk and credit risk. Market risk and credit
risk are referred to as financial risks.
In this figure, we’ve subdivided market risk into equity price risk, interest
rate risk, foreign exchange risk, and commodity price risk in a manner that is in
line with our detailed discussion in this appendix. Then we’ve divided interest
rate risk into trading risk and the special case of gap risk; the latter relates to the
risk that arises in the balance sheet of an institution as a result of the different
sensitivities of assets and liabilities to changes of interest rates (see Chapter 8).
In theory, the more all-encompassing the categorization and the more
detailed the decomposition, the more closely the company’s risk will be captured.
Board of Governors of the Federal Reserve System, Trading and Capital Markets Activities
Manual, Washington D.C., April 2007.
1
23
24 • The Essentials of Risk Management
FIGURE 1A-1 Typology of Risks
Market risk
Credit risk
Liquidity risk
Operational risk
Risks
Legal and regulatory risk
Business risk
Strategic risk
Reputation risk
In practice, this process is limited by the level of model complexity that can be
handled by the available technology and by the cost and availability of internal
and market data.
Let’s take a closer look at the risk categories in Figure 1A-1.
FIGURE 1A-2 Schematic Presentation, by Categories, of Financial Risks
Equity price risk
Market risk
Interest rate risk
Foreign exchange risk
Trading risk
Gap risk
Commodity price risk
Financial
risks
Transaction risk
Issue risk
Portfolio
concentration
Issuer risk
Credit risk
Counterparty
credit risk
General
market risk
Specific risk
Risk Management: A Helicopter View • 25
Market Risk
Market risk is the risk that changes in financial market prices and rates will
reduce the value of a security or a portfolio. Price risk can be decomposed into
a general market risk component (the risk that the market as a whole will fall in
value) and a specific market risk component, unique to the particular financial
transaction under consideration. In trading activities, risk arises both from open
(unhedged) positions and from imperfect correlations between market positions
that are intended to offset one another.
Market risk is given many different names in different contexts. For example, in the case of a fund, the fund may be marketed as tracking the performance
of a certain benchmark. In this case, market risk is important to the extent that it
creates a risk of tracking error. Basis risk is a term used in the risk management
industry to describe the chance of a breakdown in the relationship between the
price of a product, on the one hand, and the price of the instrument used to
hedge that price exposure, on the other. Again, it is really just a context-specific
form of market risk.
There are four major types of market risk: interest rate risk, equity price
risk, foreign exchange risk, and commodity price risk.2
Interest Rate Risk
The simplest form of interest rate risk is the risk that the value of a fixed-income
security will fall as a result of an increase in market interest rates. But in complex
portfolios of interest-rate-sensitive assets, many different kinds of exposure can
arise from differences in the maturities and reset dates of instruments and cash
flows that are asset-like (i.e., “longs”) and those that are liability-like (i.e., “shorts”).
In particular, as we explain in more detail in Chapter 6, “curve” risk can
arise in portfolios in which long and short positions of different maturities are
effectively hedged against a parallel shift in yields, but not against a change in
the shape of the yield curve. Meanwhile, even when offsetting positions have
the same maturity, basis risk can arise if the rates of the positions are imperfectly correlated. For example, three-month Eurodollar instruments and threemonth Treasury bills both naturally pay three-month interest rates. However,
These four categories of market risk are, in general, consistent with accounting standards.
2
26 • The Essentials of Risk Management
these rates are not perfectly correlated with each other, and spreads between
their yields may vary over time. As a result, a three-month Treasury bill funded
by three-month Eurodollar deposits represents an imperfect offset or hedged
position (often referred to as basis risk).
Equity Price Risk
This is the risk associated with volatility in stock prices. The general market risk
of equity refers to the sensitivity of an instrument or portfolio value to a change in
the level of broad stock market indices. The specific or idiosyncratic risk of equity
refers to that portion of a stock’s price volatility determined by characteristics specific to the firm, such as its line of business, the quality of its management, or a
breakdown in its production process. According to portfolio theory, general market risk cannot be eliminated through portfolio diversification, while specific risk
can be diversified away. In Chapter 5 we discuss models for measuring equity risk.
Foreign Exchange Risk
Foreign exchange risk arises from open or imperfectly hedged positions in
particular foreign currency denominated assets and liabilities leading to fluctuations in profits or values as measured in a local currency. These positions may
arise as a natural consequence of business operations, rather than from any conscious desire to take a trading position in a currency. Foreign exchange volatility
can sweep away the return from expensive cross-border investments and at the
same time place a firm at a competitive disadvantage in relation to its foreign
competitors.3 It may also generate huge operating losses and, through the uncertainty it causes, inhibit investment. The major drivers of foreign exchange risk
are imperfect correlations in the movement of currency prices and fluctuations
in international interest rates. Although it is important to acknowledge exchange
rates as a distinct market risk factor, the valuation of foreign exchange transac-
A famous example is Caterpillar, a U.S. heavy equipment firm, which in 1987 began a $2 billion
capital investment program. A full cost reduction of 19 percent was eventually expected in 1993.
During the same period the Japanese yen weakened against the U.S. dollar by 30 percent, which
placed Caterpillar at a competitive disadvantage vis-à-vis its major competitor, Komatsu of Japan,
even after adjusting for productivity gains.
3
Risk Management: A Helicopter View • 27
tions requires knowledge of the behavior of domestic and foreign interest rates,
as well as of spot exchange rates.4
Commodity Price Risk
The price risk of commodities differs considerably from interest rate and foreign exchange risk, since most commodities are traded in markets in which the
concentration of supply is in the hands of a few suppliers who can magnify price
volatility. For most commodities, the number of market players having direct
exposure to the particular commodity is quite limited, hence affecting trading
liquidity which in turn can generate high levels of price volatility. Other fundamentals affecting a commodity price include the ease and cost of storage, which
varies considerably across the commodity markets (e.g., from gold to electricity
to wheat). As a result of these factors, commodity prices generally have higher
volatilities and larger price discontinuities (i.e., moments when prices leap from
one level to another) than most traded financial securities. Commodities can
be classified according to their characteristics as follows: hard commodities, or
nonperishable commodities, the markets for which are further divided into
precious metals (e.g., gold, silver, and platinum), which have a high price/weight
value, and base metals (e.g., copper, zinc, and tin); soft commodities, or commodities with a short shelf life that are hard to store, mainly agricultural products
(e.g., grains, coffee, and sugar); and energy commodities, which consist of oil,
gas, electricity, and other energy products.
Credit Risk
Credit risk is the risk of an economic loss from the failure of a counterparty
to fulfill its contractual obligations, or from the increased risk of default during the term of the transaction.5 For example, credit risk in the loan portfolio
This is because of the interest rate parity condition, which describes the price of a futures contract
on a foreign currency as equal to the spot exchange rate adjusted by the difference between the
local interest rate and the foreign interest rate.
4
In the following we use indifferently the term “borrower” or “counterparty” for a debtor. In
practice, we refer to issuer risk, or borrower risk, when credit risk involves a funded transaction
such as a bond or a bank loan. In derivatives markets, counterparty credit risk is the credit risk of
a counterparty for an unfunded derivatives transaction such as a swap or an option.
5
28 • The Essentials of Risk Management
of a bank materializes when a borrower fails to make a payment, either of the
periodic interest charge or the periodic reimbursement of principal on the loan
as contracted with the bank. Credit risk can be further decomposed into four
main types: default risk, bankruptcy risk, downgrade risk, and settlement risk.
Box 1A-1 gives ISDA’s definition of a credit event that may trigger a payout under
a credit derivatives contract.6
BOX 1A-1 CREDIT DERIVATIVES AND THE ISDA DEFINITION OF A
CREDIT EVENT
The spectacular growth of the market for credit default swaps (CDS) and
similar instruments since the millennium has obliged the financial markets
to become a lot more specific about what they regard as a credit event—i.e.,
the event that triggers the payment on a CDS. This event, usually a default,
needs to be clearly defined to avoid any litigation when the contract is
settled. CDSs normally contain a “materiality clause” requiring that the
change in credit status be validated by third-party evidence.
The CDS market has struggled somewhat to define the k…
Purchase answer to see full
attachment
