The collapse of Barings, Britain's oldest merchant bank, and the billion-dollar losses suffered by Sumitomo Corporation catapulted the need for sound risk control into corporate consciousness. But even before these spectacular losses, risk control had occupied the minds of those whose business it is to know - the regulators and the senior managers of the world's leading financial institutions. They knew that sound internal risk control is essential to the prudent operation of a financial institution and to promoting stability of the financial system as a whole.

Risk control has a wider ambit than risk management. The latter is often defined as hedging or neutralising the financial risks that result from one or a series of transactions. For the purposes of this discussion, risk control is the entire process of policies, procedures and systems an institution needs to manage prudently all the risks resulting from its financial transactions, and to ensure that they are within the bank's risk appetite. To avoid conflicts of interests, risk control should be separated from and sufficiently independent of the business units, which execute the firm's financial transactions, (the latter are often responsible for hedging the risks which result from their trades.) In some organisations, risk control work is carried out by independent risk management units rather than specially-named risk control sections, but the difference here is a question of semantics rather than job function.

Numerous reports have come out in the last four years with recommendations on best practices in risk control and risk management. Two stand head and shoulders above the rest. They are the G-30 report released in July 1993, entitled "Derivatives: Practices and Principles" (a private sector initiative) and "Risk Management Guidelines for Derivatives", written jointly by the Basle Committee on Banking Supervision and the International Organisation of Securities Commissions (IOSCO) which came out a year later. These two reports together have shaped today's best practices in risk control.

Both reports are rooted in simple common sense. They emphasise the importance of determining at the highest level the policy and scope of a firm's involvement in and the use of financial instruments; oversight by boards of directors and senior managers; a risk management process that involves continuous measuring, monitoring and controlling of all risks (especially market and credit); accurate and reliable management information with comprehensive limits; frequent management reporting; sound control and operational systems; and thorough audit and control procedures. They also stress the importance of the human factor in risk management - professionals involved must have the necessary skills and experience, and the firm should not deal in any instrument until senior managers are fully satisfied that all relevant personnel understand and can manage the risks involved. The specific way an institution applies these recommendations depends on the complexity and nature of its financial holdings and activities.

The G-30 report caters for both dealers (financial institutions) and end-users (corporates). The guidelines are embodied in 20 recommendations which firms can use to set up and evaluate their risk management and control practices. The guidelines are divided into five main areas;

• general policies for senior management
• valuation and market risk management
• credit risk measurement and management
• systems, operations and controls
• recommendations for legislators, regulators, and supervisors.

The full text of the report is available from the G-30.

The Basle Committee/IOSCO paper is directed towards banking organisations and supervisors - to provide both a framework to follow and against which they can reassess their own risk management procedures. These guidelines are more detailed than those of the G-30, and include sound risk management practices for each major risk identified - credit, market, liquidity, operations and legal. And while the G-30 report called for independent credit and market risk management functions, the Basle Committee/IOSCO goes one step further by suggesting that the entire process of measuring, monitoring and controlling risk consistent with the firm's established policies, should be independent. This independence should be reflected in the senior hierarchy of the institution as well as the firm's exposure-reporting system. The 1994 document has become the definitive word on best practices in risk control for derivatives.

Resulting from the Basle Committee's increasing focus on sound internal controls is "Framework for the Evaluation of Internal Control Systems"(1998). This final report released in October 1998 follows an earlier draft issued in January of the same year. The Committee notes, "An analysis of the problems related to the losses [incurred by several banking organisations] indicates that they could probably have been avoided had the banks maintained effective internal control systems. Such systems would have prevented or enabled earlier detection of the problems that led to the losses, thereby limiting damage to the banking organisation." The Committee noted that the control breakdowns typically seen in recent problem bank situations could be grouped into five broad categories:

• Lack of adequate management oversight and accountability, and failure to develop a strong control culture within the bank.

• Inadequate assessment of the risk of certain banking activities, whether on- or off-balance sheet.

• The absence or failure of key control activities, such as segregation of duties, approvals, verifications, reconciliations, and reviews of operating performance.

• Inadequate communication of information between levels of management within the bank, especially in the upward communication of problems.

• Inadequate or ineffective audit programs and other monitoring services.

It is thus not surprising that the 13 principles issued by the Basle Committee cover management oversight and the control culture; risk assessment; control activities; information and communication; monitoring; and evaluation of internal control systems by supervisory authorities. Unlike previous guidance, the latest principles on internal control are not area-specific. Instead, the Committee wants supervisors to use them when evaluating internal controls for all the on- and off-balance sheet activities of a bank.

The guidelines stress the importance and role of senior management in establishing a robust internal control system. Principle 2 states that senior management must not only set out and monitor the adequacy and effectiveness of the internal control system; they should also develop processes that identify, measure, monitor and control risks incurred by the bank; maintain an organisational structure that clearly assigns responsibility, authority and reporting relationships and ensure that these delegated responsibilities are effectively carried out.

Principle 3 deals only with establishing a strong control culture which reflects the importance the Basle Committee now places on the subject because it sees the former as an essential element of an effective system of internal control. The Committee believes that it is the responsibility of the board of directors and senior management to push home the importance of internal controls through their actions and words. This includes the ethical values management displays in their business dealings, both inside and outside the organisation. For example, senior management may weaken the control culture by promoting and rewarding managers who are successful in generating profits but fail to implement internal control policies or address problems identified by internal audit. Such actions send a message to others in the organisation that internal control is considered secondary to other goals in the organisations, and thus diminish the commitment to and quality of the control culture.

The Joint Forum on Financial Conglomerates addresses the lack of management oversight in its consultative documents on how financial conglomerates should be supervised. One of the constituent reports, Fit and Proper Principles (1999), sets out the criteria which supervisors can use to assess whether managers and directors are competent to fulfil their responsibilities. These include fitness, propriety or other qualification tests being applied at the authorisation stage and thereafter, on the occurrence of specified events. These tests will not only apply to managers and directors but to shareholders whose holdings are above specified thresholds and/or who exert a material influence on regulated entities within the financial conglomerate.

The importance of these issues was again reiterated in a paper on corporate governance by the Basle Committee. "Enhancing Corporate Governance in Banking Organisations" (1999) lists six key practices for banks and the Committee hopes the paper will help supervisory authorities worldwide to promote sound corporate governance principles. One proposed practice stands out because it reflects the growing concern among regulators over compensation programmes in banks. Practice 6 states that the board of directors and senior management should ensure their compensation approaches are consistent with the bank's ethical values, objectives, strategy and control environment. Failure to link incentive compensations to the business strategy can encourage managers to book business based upon volume and/or short-term profitability to the bank with little regard to short or long-term risk consequences. This can be seen particularly with traders and loan officers, but can also adversely affect the performance of other support staff.

IOSCO has also published a paper which addresses risk controls from a supervisory perspective. Risk Management and Control Guidance for Securities Firms and their Supervisors (1998) states that supervisors must make an effort to understand the control environment of each firm and ensure that these controls are adequate. They must therefore be proactive, rather than reactive, in devising high quality control standards. Some suggestions IOSCO puts forward are capital tiering, regulations requiring the establishment of specified risk management and controls at securities firms and working with industry associations to promulgate the establishment of management controls.

The IOSCO paper sets outs 12 basic elements of a risk management and control system. Supervisors should use these elements as benchmarks to measure the adequacy of firms' control systems. The 12 elements are grouped under five categories: the control environment, nature and scope of controls, implementation, verification and reporting.

Despite the BIS and IOSCO guidelines on risk control discussed above, recent developments in the financial markets show that there are still serious deficiencies in banks and securities houses' risk management practices. The granting of extensive credit facilities to Long-Term Capital Management which allowed it to build up a market exposure of over $200 billion on a capital base of about $4 billion, and its subsequent near-collapse prompted the Basle Committee to analyse the relationships between banks and highly leveraged institutions (HLIs). "Banks' Interactions with Highly Leveraged Institutions" (1999) and "Sound Practices for Banks' Interactions with Highly Leveraged Institutions" (1999) highlight several deficiencies in some banks' risk control practices with respect to HLIs.
Banks did not appear to possess effective policies and guidelines for managing exposures to HLIs in a manner consistent with their overall credit standards, possibly because the activities of HLIs are so opaque and their trading strategies always changing. The Committee also singled out strong competitive pressures as one reason why some banks compromised important elements of the risk management process to agree to generous credit conditions. Also banks did not generally conduct stress tests on their exposures to HLIs nor did they update frequently the information they received from HLIs..

The Committee recommends that before establishing a credit relationship with a HLI, a bank should ensure that all relevant information be disclosed on a timely and ongoing basis. This should include the HLI's liquidity profile, changes in the general direction of trading strategies, significant changes to leverage and profit and loss developments. The same report also suggests that banks improve the way they set credit limits for HLIs. These limits should recognise and reflect the risks associated with the near-term liquidation of derivatives positions if the counterparty defaults.

The Basle Committee's thoughts are echoed in "Report of the President's Working Group on Financial Markets on Hedge Funds, Leverage, and the Lessons of Long-Term Capital Management."(1999). The main lesson to be learnt from the LTCM episode is how to constrain excessive leverage, not just by hedge funds but all participants in the financial system. The report notes, "Our market-based economy relies primarily on market discipline to constrain leverage… In the case of LTCM, market discipline seems to have largely broken down. The breakdown in market discipline was made possible by risk management weaknesses at LTCM as well as at the large banks and securities firms that were LTCM counterparties." US banking regulators have notified banks that their examiners will be looking at the following points:

• Senior management and boards of directors must understand the strengths and weaknesses of their risk measurement systems, including model risk, liquidity risk, and the risk of breakdown of historical correlations among different instruments and markets.

• Senior management and boards of directors must have a realistic assessment of their tolerance for losses in adverse markets

• The interconnection of material risks, including market, credit, and liquidity risks needs to be integrated into credit and risk management decisions.

The Basle Committee has also released guidelines specifically for interest rate risk management. "Principles for the Management of Interest Rate Risk" contains 11 principles which banking supervisory authorities must apply when assessing banks' management of interest rate risk. The specific manner in which a bank applies these elements depends upon the complexity and nature of its holdings and exposure to interest rate risk.

The Basle Committee believes that interest rate risk should be monitored on a consolidated basis, to include interest rate exposures in subsidiaries. At the same time, however, institutions should fully recognise any legal distinctions and possible obstacles to cash flow movements among affiliates and adjust their risk management process accordingly. While consolidation may provide a comprehensive measure of interest rate risk, it may also underestimate risk when positions in one affiliate are used to offset positions in another affiliate. This is because a conventional accounting consolidation may allow theoretical offsets between such positions from which a bank may not in practice be able to benefit because of legal or operational constraints. The 1997 report is more specific than the 1994 one and suggests ways of measuring interest rate risk, because prudent interest-rate risk control is conditional on a robust measurement system. The Committee believes that an interest rate risk measurement system must be able to assess the effects of rate changes on both the bank's accrual or reported earnings and the economic value of the bank's assets, liabilities and off-balance sheet positions.

The Bank of England's report into the collapse of Barings brings to life the recommendations of both the G-30 and BIS/IOSCO reports. Sections 10 and 11 of the "Report of the Board of Banking Supervision inquiry into the Circumstances of the collapse of Barings (1995)" illustrate vividly the logic of every risk control practice promulgated by the above-mentioned reports. By doing so, the Barings report answers all doubts about the validity of risk control recommendations made by the Basle Committee, the International Organisation of Securities Commissions and the Futures and Industry Association, to name a few. The report also drives home the point that the essence of risk control is plain common sense, and not technological and mathematical wizardry. It seems almost pedantic that the first two lessons for management singled out by the Inquiry are: (a) management teams have the duty to understand fully the businesses they manage (b) responsibility for each business activity has to be clearly established and communicated - two principles that apply to all businesses not just financial institutions.

The G-30 cites the failure of Barings and trading losses at Morgan Grenfell and Sumitomo Corporation as proof for the need of a new supervisory approach to global institutions. It believes that the largest proportion of serious financial problems at financial firms arise from problems which the organisations ought to be able to control themselves. It also thinks it is unreasonable to expect supervisors alone to keep global institutions from mishaps. Its report on international systemic risk, Global Institutions, National Supervision and Systemic Risk"(1997) thus argues that major financial institutions should take a leading role in developing a global framework for comprehensive and effective management controls, in cooperation with supervisors.

Such a framework must take into account market volatility and the differences in institutional complexity and geography. "Yet," the report acknowledges, "the greatest challenge to address is… excessively risky behaviour. Since no code of ethics is likely to eliminate that tendency, an institution's control system must at least aim to check the excesses of human nature by establishing an internal vigilance system that will provide early warning of such behaviour. Controls must withstand both external shocks and internal breakdowns."

An effective internal control system requires a major commitment to:
• Hire, support and retain employees throughout the management system with appropriate training and background in trading, modelling, information technology and other required skills.
• Invest in global risk-monitoring systems, encompassing both sophisticated risk models and sufficient computer and communications capacity to handle high-volume, high speed transactions in all their financial and legal complexity.
• Establish a management structure with appropriate checks and balances, between front and back office, for example, and with more direct responsibility to the respective audit committees.
• Adopt a more sophisticated approach to credit risk, operational risks, management of collateral and related disciplines.

This list drives home the point that comprehensive and effective controls are not solely a matter of skills and technologies, but of organisational culture as well.

"Framework for Voluntary Oversight" (1995), written by the Derivatives Policy Group, also contains a section on best practices for risk control. The group believes that the design and implementation of an effective system of control should reflect the circumstances of the firm. However, all risk control systems must have a high-level authorising body that draws up the guidelines for the firm. These guidelines must address, among other things:

1. the scope of authorised activity or any non-quantitative limitation on the scope of authorised activities;

2. quantitative guidelines for managing the firm's overall or constituent risk exposures;
3. the significant structural elements of the firm's Risk Monitoring and Risk Management systems and processes;

4. the scope and frequency of reporting by management on risk exposures; and the mechanisms for reviewing these guidelines. The members of this authorising body should be selected by the firm's board of directors (or its equivalent) based on, among other things, the composition and expertise of the board, the customary allocation of equivalent responsibilities within senior management of the firm and the nature, scope and complexity of the firm's trading activities.

Some risk control documents worth reading are more targetted. The main thrust of a 1995 report by the technical committee of IOSCO was to examine the implications for securities regulators of value-at-risk models. But The Implications for Securities Regulators of the Increased Use of Value At Risk Models by Securities Firms also contains a set of best practices for financial institutions to implement when using models. These best practices include recommendations on data integrity and reconciliation, the assumptions and parameters of the model and its operating environment, independent reviews of pricing algorithms, regular backtesting and understanding how the model influences the firm's decision making process.

Motivated by concern over the large exposures generated in currency settlements, the Bank for International Settlements commissioned a report on how to reduce settlement risk. A report prepared by the Committee on Payment and Settlement Systems released in 1997 calls upon individual banks and industry groups to devise mechanisms for addressing settlement risk. Appendix 2 in the report, titled "Settlement Risk in Foreign Exchange Transactions" contains a summary of best practices for controlling settlement risk. The 16 recommendations, drawn up by The New York Foreign Exchange Committee, range from basics such as understanding the settlement process and exposure to setting prudent settlement exposure limits, which must be adhered to. These exposures should be updated on-line and aggregated globally across all dealing centres. Banks are also encouraged to review correspondent bank relationships to ensure that the services they receive give them maximum control over their nostro accounts. Reconciliation of all transactions should be completed as early as possible and senior management should establish procedures to evaluate non-receipts of payments and to alert all concerned parties to potential problematic situations.

Another report prepared by the same committee examined clearing arrangements for exchange-traded derivatives in G-10 countries. Clearing Arrangements for Exchange-Traded Derivatives (1997) discusses the sources and types of risks to clearing houses and the risk control techniques they can employ to safeguard themselves against such risks. The two main risks discussed are: (1) defaults by clearing members and (2) failure of settlement banks. The most basic way of protecting against both risks is to deal only with creditworthy counterparties. This is easier said than done! Most clearing houses demand that their counterparties and members meet minimum financial requirements, including minimum capital requirements. But information on compliance with regulatory capital requirements is available only at discrete intervals. Given the considerable leverage and liquidity of derivatives, the risk profiles of clearing house members can change dramatically between reporting periods. Clearing houses are thus asked to conduct surveillance on members' positions on an on-going basis.

Other risk control safeguards include: (i) margin requirements that collateralise potential future credit exposures, and either collateralise current credit exposures, or limit the build-up of such exposures by periodically settling gains and losses; (ii) procedures that authorise prompt resolution of a clearing member's default through close-out of its proprietary positions and transfer (to a non-defaulting clearing member) or close-out of its clients' positions; and (iii) maintaining supplemental clearing house resources (capital, asset pools, credit lines, guarantees, or the authority to make assessments on non-defaulting members) to cover losses that may exceed the value of the defaulting member's margin collateral and to provide liquidity during the time it takes to realise the value of that margin collateral.

Some clearing houses mitigate their risks of settlement bank failures by structuring agreements that minimise the clearing house's potential losses and liquidity pressures if a failure occurs. Under such agreements, transfers between clearing members and the clearing house on the books of each settlement bank are effected simultaneously and are final. Also, transfers of funds between settlement banks are effected as soon as possible. Together, these steps can reduce substantially the amount and duration of a clearing house's exposures to any one settlement bank.

See also systemic safety

• Derivatives: Practices and Principles (1993)
• Risk Management Guidelines for Derivatives (1994)
• Report of the Board of Banking Supervision inquiry into the Circumstances of the collapse of Barings (1995)
• Framework for Voluntary Oversight" (1995)
• The Implications for Securities Regulators of the Increased Use of Value At Risk Models by Securities Firms Settlement Risk in Foreign Exchange Transactions (1995)
• Clearing Arrangements for Exchange-Traded Derivatives (1997)
• The Year 2000: A Challenge for Financial Institutions and Bank Supervisors (1997)
• Principles for the Management of Interest Rate Risk (1997)
• Framework for the Evaluation of Internal Control Systems (1998)
• Fit and Proper Principles (1998)
• Risk Management and Control Guidance for Securities Firms and their Supervisors (1998)
• Banks' Interactions with Highly Leveraged Institutions (1999)
• Sound Practices for Banks' Interactions with Highly Leveraged Institutions (1999)

Latest Update February 2000