Framework for Voluntary Oversight

II. Management Controls

I. Overview

  1. This component of the framework identifies the principal elements of a system of internal controls for monitoring and managing the various risks to which a firm engaged in business as a professional intermediary in the OTC derivatives markets may be exposed as a result of its OTC derivatives activities.

  2. The guidelines, policies and procedures referred to in this discussion need not be designed or implemented specifically for OTC derivatives activities but may form part of a broader or an integrated firm-wide system of internal risk management guidelines, policies and procedures, as a particular firm deems appropriate.

  3. The design and implementation of an effective system of sound controls for a particular firm should reflect the circumstances of the firm. Accordingly, an individual firm must have the flexibility to implement specific policies and procedures unique to its circumstances. Conversely, policies and procedures that are appropriate for one firm may not be appropriate for another.

    Factors that may influence the policies and procedures of an individual firm include:

    • the ownership and governance structure of the firm (e.g., private partnership or close corporation versus publicly-held company);

    • the composition of the firm's governing body;

    • the firm's management philosophy and culture;

    • the scope and nature of the risk management guidelines established by the firm;

    • the scope and nature of the approved OTC derivatives activities of the firm in relation to its overall activities and capital;

    • the sophistication and experience of relevant trading, risk management and internal audit personnel;

    • the sophistication and functionality of information and reporting systems; and

    • the character and frequency of monitoring, reporting and auditing activities.

II. Risk Management Control Objectives

  1. Internal risk management control systems are designed to implement management's business judgment regarding the scope or level of activity risk to be undertaken by an individual firm and to reduce the firm's risk of inadvertent loss.

  2. An effective system of internal controls should include:

    • the adoption of risk management guidelines at an appropriate level of management; and

    • the implementation of risk monitoring systems to identify, measure, monitor and report exposure to relevant risks and of risk management processes to control those risks.

III. Outline of Risk Management Controls

Firms engaged in significant OTC derivatives activities should have in place comprehensive internal risk management control systems that are commensurate with the scope, size and complexity of the activities that have been authorized and the nature and extent of the risks they entail. The following overview summarizes the key elements of such risk management control systems.

  1. Certain Definitions

    1. Risk. References in this discussion to risk encompass the following:

      • market risk: the risk that a change in liquidity or in the level of one or more market prices, rates, indices, volatilities, correlations or other market factors will result in losses for a specified position or portfolio;

      • credit risk: the risk that a counterparty will fail to perform its obligations to the firm;

      • liquidity risk: the risk that, as a result of mismatches in the timing of cash in-flows and out-flows, a firm will have inadequate cash available to fund current obligations;

      • legal risk: the risk that a counterparty's performance obligations will be unenforceable because (i) the underlying transaction documentation is inadequate; (ii) the counterparty lacks the requisite authority or is subject to legal transaction restrictions; (iii) the underlying transaction is impermissible under applicable law; or (iv) applicable bankruptcy or insolvency laws limit or alter contractual remedies; and

      • operational risk: the risk of human error or deficiencies in the firm's operating systems (e.g., database management, trade entry, trade processing, trade confirmation, payment, delivery, receipt, collateral management, valuation and related information systems).

    2. Risk Monitoring. Risk Monitoring is that function within a firm that identifies, measures, monitors and reports on the market, credit and liquidity risks incurred by the firm.

    3. Risk Management. Risk Management is that process within a firm by which risk guidelines are established, allocated and managed.

  2. Role of the Governing Body or Other Authorizing Body

    1. Authorizing Body. The OTC derivatives activities of a firm should be conducted pursuant to general authorizing guidelines (Authorizing Guidelines) reviewed and approved by the firm's governing body (i.e., a board of directors or its equivalent), a committee of such governing body or a committee designated by the governing body for the purpose of approving such guidelines (Authorizing Body). The Authorizing Body should be selected by the governing body based on, among other relevant considerations, the composition and expertise of the governing body, the customary allocation of equivalent responsibilities within senior management of the firm and the nature, scope and complexity of the firm's OTC derivatives activities.

      If the Authorizing Body is not the governing body (or a committee comprised exclusively of members of the governing body) of the firm, the Authorizing Guidelines, and material amendments to the Authorizing Guidelines, should be reported to the firm's governing body (or a committee comprised exclusively of members of the governing body).

    2. Written guidelines. The Authorizing Guidelines should be adopted in written form by the firm's Authorizing Body.

    3. Relevant considerations. Relevant factors to be considered by the Authorizing Body in approving Authorizing Guidelines include the firm's overall business strategies and product lines, its tolerance for risk and its general risk management philosophy, its past performance and experience, its financial condition and capital levels, its internal expertise and experience, the sophistication of its Risk Monitoring and Risk Management systems and processes and any regulatory or organizational constraints.

    4. Authorizing Guidelines. The Authorizing Guidelines should address the following areas:

      • the scope, or the procedures for determining the scope, of authorized activity or any nonquantitative limitation on the scope of authorized activities;

      • the quantitative guidelines for managing the firm's overall or constituent risk exposure(s);

      • the significant structural elements of the firm's Risk Monitoring and Risk Management systems and processes;

      • the scope and frequency of reporting by management on risk exposures; and

      • the mechanisms for reviewing the Authorizing Guidelines.

        1. Scope of authorized activity. If the Authorizing Body wishes to impose specific (nonquantitative) constraints on the scope of permitted activities (such as product, market, geographic or trading strategy restrictions), the Authorizing Guidelines should specify any restrictions. If the Authorizing Body wishes to approve only specific activities, the Authorizing Guidelines should specify the scope of authorized activity. The Authorizing Guidelines may designate one or more individuals within management or management committees to perform the function of authorizing or restricting activities in particular products or markets.

        2. Guidelines on risk exposure(s). The Authorizing Guidelines should establish market and credit risk exposure guidelines applicable to the overall or constituent risk exposure(s) of the firm's derivatives activities. Risk exposure guidelines should be based on factors such as the character of the risk(s) being measured, the extent and nature of the derivative products utilized, the risk measurement methodology employed by the firm and the nature of the firm's counterparties and their industry, country or credit rating categories.

          If the Authorizing Guidelines do not contain specific limits on risk exposures, they should contain quantitative guidelines sufficient to enable management to implement specific quantitative limits. The Authorizing Guidelines may provide that specified individuals or committees within management, independent from or senior to the relevant business or trading unit, may approve exceptions to the quantitative guidelines in the Authorizing Guidelines, with material exceptions to be periodically reported to the Authorizing Body.

          The Authorizing Guidelines should also address the degree to which the firm's OTC derivatives-related risk exposures should be aggregated, for purposes of Risk Monitoring and Risk Management, with the related risk exposures arising from other trading activities of the firm.

        3. Risk Monitoring and Risk Management structures.

          The Authorizing Guidelines should address the following structural elements of Risk Monitoring and Risk Management:

          1. An independent process and checks and balances for Risk Monitoring. The Authorizing Guidelines should define a process for Risk Monitoring independent from the business or trading units whose activities create the risks being monitored.

            In connection with Risk Monitoring systems, the Authorizing Body should also consider the need for organizational checks and balances to protect against irregularities or inconsistencies in risk measurement and to ensure to the greatest extent practicable that the risks posed by OTC derivative (and related) products are uniformly and accurately identified and evaluated.

          2. The appropriate degree of independence for Risk Management. The Authorizing Guidelines should define a Risk Management function to be performed by specified committees or individuals independent from or senior to the relevant business or trading units whose activities create risks for the firm.

          3. Authority, resources and information reporting. The Authorizing Body should determine that the bodies or personnel performing Risk Monitoring and Risk Management functions have the necessary authority and resources to accomplish their management control objectives. The Authorizing Body should also determine that mechanisms are in place through which information regarding the firm's risk-creating activities will be reported to Risk Monitoring and Risk Management personnel.

          4. Ongoing review of systems and processes. The Authorizing Body should review from time to time the firm's Risk Monitoring and Risk Management systems and processes.

          5. Scope and frequency of reporting. The Authorizing Guidelines should identify the type, scope and frequency of reports to be prepared in connection with the firm's Risk Monitoring and Risk Management systems and processes and to be made available for review by the governing body, the Authorizing Body and senior management. Such reports should contain information regarding the firm's positions and risk exposures to facilitate effective oversight of the Risk Monitoring and Risk Management functions. The Authorizing Body should review the scope and frequency of reporting as business and market circumstances change.

  3. Role of Management

    Firm management should ensure that control procedures with respect to the firm's OTC derivatives activities are consistent with the firm's Authorizing Guidelines, including, in particular, procedures with respect to the following matters:

    1. Measurement of risk consistent with prescribed guidelines

      Systems and procedures should be in place to identify and assess the material risks arising from the firm's OTC derivatives activities and to assist in managing those risks.

      Risk identification and measurement procedures should address the following risk factors:

      1. Market risk. Mechanisms should be in place to measure market risk consistent with established risk measurement guidelines. These procedures should include the capability to measure (to the extent material in light of the character of the firm's portfolio) basic components of market risk on a business unit (or, if desired, trading strategy) level as well as on a firm-wide level and to provide the information necessary to conduct "stress testing".

      2. Credit risk. Procedures should be in place to measure the risk that a counterparty will be unable to meet its obligations to the firm and to measure credit exposures and concentrations against established guidelines (e.g., guidelines based on counterparty or on industry, country or credit rating category). Credit risk measurement systems should assess both the firm's current credit exposure to a counterparty (i.e., the current market value or replacement cost of the transaction) and its potential exposure (i.e., the firm's risk of additional exposure to the counterparty due to possible future changes in applicable market rates, prices or levels during the term of the transaction).

        Management should consider the use of risk-reducing practices such as bilateral and multilateral netting arrangements, collateral agreements, third-party credit enhancements and offsetting exposures to the same counterparty.

      3. Liquidity risk. Procedures should be in place to measure and provide for potential funding requirements that might arise as a result of the impact of market movements on cash flows and collateral and margin requirements in light of mismatches in the timing of offsetting payment and delivery obligations, taking into account the potential impact of contractual provisions, such as early termination provisions, that may give rise to such timing mismatches.

    2. Establishment of risk guidelines for business units. Market risk exposure guidelines should be in place for each of the firm's business units.

    3. Data collection and synthesis. Processes should be in place through which the data necessary to conduct Risk Monitoring and Risk Management functions effectively is made readily accessible on a timely basis and information management systems are available to capture, monitor, analyze and report relevant data.

    4. Policies for valuation methodology. Systems and procedures should be in place to mark-to-market the value of OTC derivative products or portfolios accurately and on a timely basis, as necessary to implement the Risk Monitoring and Risk Management functions required under the Authorizing Guidelines.

      The firm's valuation systems should identify and utilize definitions of value (e.g., mid-market or replacement cost) in view of the particular OTC derivative products or markets involved and the purposes for which the valuation is used, and techniques should be identified to address situations where no market prices are readily observable. Valuation data collected with respect to an instrument or portfolio should be documented, should specify any pricing or related assumptions and should be maintained for review by the firm's auditors or other authorized examiners.

      1. Frequency of mark-to-market. The frequency with which derivatives positions or portfolios are required to be marked-to-market should be consistent with the risk management guidelines established by the Authorizing Body and should be based on the volatility of the relevant market factor(s) and the nature of the firm's risk profile.

      2. Valuation policy. A valuation policy should be in place that reflects fair market value and, where appropriate, incorporates adjustments for credit quality, market liquidity, funding costs and transaction administration costs.

      3. Pricing verification procedures. Routine procedures should be in place, where practicable, for verifying the prices assigned to particular OTC derivative products. In addition, procedures and parameters should be in place for validating valuation methodologies on a periodic basis. Any assumptions (such as historic correlations and volatilities) used in such valuations should be periodically evaluated.

      4. Model verification procedures. Statistical or other simulation models for conducting "stress tests" and measuring the impact of various market movements on the value of OTC derivative products or portfolios should themselves be subject to review and validation. Among other objectives, such review and validation should compare model predictions against actual market performances and should provide for timely identification and correction of any deficiencies in the models.

    5. Establish a process for identifying and managing deviations from risk guidelines. A method should be in place for identifying and reviewing situations in which internal risk management guidelines have been exceeded and for taking any responsive or remedial action that may be necessary.

    6. Other controls. Other management control functions include the following:

      1. Legal risk. Procedures should be in place to monitor and address the risk that an OTC derivative transaction will be unenforceable because (i) the underlying transaction documentation is inadequate; (ii) the counterparty lacks the requisite authority or is subject to legal transaction restrictions; (iii) the underlying transaction is impermissible under applicable law; or (iv) applicable bankruptcy or insolvency laws limit or alter contractual remedies.

      2. Operational risk. Procedures should be in place to adequately identify and address any deficiencies in the firm's operating systems (e.g., database management, trade entry, trade processing, trade confirmation, payment, delivery, receipt, collateral management, valuation and related information systems) and to contain the extent of losses arising from unidentified deficiencies. Operational risk measurement and management procedures should, as appropriate, also incorporate the use of disaster recovery planning or related techniques for reducing the firm's exposure to operational risks.

      3. Designate authority to commit on trades. Procedures should be in place to authorize certain employees to commit the firm to particular types of derivatives transactions, to specify any quantitative limits on such authority and to provide for the oversight of their exercise of such authority. Authorized employees should understand the risk exposures arising from the product in question, the applicable risk management guidelines and the management control procedures for documenting, recording and reporting the transaction.

      4. Role of external audit functions. External auditors should periodically review the integrity of Risk Monitoring and Risk Management functions.

      5. Approve internal controls for documentation, adequacy of operational procedures and risk reduction procedures. Procedures should be in place to provide for adequate documentation of the principal terms of OTC derivatives transactions and other relevant information regarding such transactions. Such documentation should be appropriately maintained and should be made available to the firm's auditors or other authorized examiners. Internal operational systems should also provide for effective tracking and processing of OTC derivative transactions from their initiation to their settlement.

      6. Provide for an adequate level of professional expertise for Risk Monitoring and Risk Management. Adequate personnel resources with appropriate expertise should be committed to implementing effectively the firm's Risk Monitoring and Risk Management systems and processes.

IV. Verification

An annual report prepared by an external auditor regarding the firm's compliance with the internal risk management control objectives summarized in this discussion and the firm's Authorizing Guidelines and internal procedures will be made available to the SEC and the CFTC.
