Risk Management and Control Guidance for Securities Firms and their Supervisors

III. Firm and Supervisory Considerations


The ultimate goal of a control system (4) is to maximize safeguarding of assets and capital by minimizing the exposures that have the potential to unexpectedly deplete such firm resources. The specific components of an effective risk management and control system will vary considerably in sophistication based on the size and complexity of a firm's business operations. However, a well-developed risk management and control system generally should include a comprehensive risk management and control strategy. That would include policies and procedures to accomplish this strategy, risk measurement and control methodologies, compliance monitoring and reporting, and on-going assessment of the effectiveness of the strategies, policies and procedures. The components of an effective risk management and control system are discussed below.

Risk Management and Control Strategy

The governing body (i.e., a board of directors or its equivalent) of a firm has the ultimate responsibility and accountability for the level of risk undertaken and should function in an oversight capacity. The governing body should approve overall business strategies and risk management and control policies of a firm, and perform independent evaluations (through the internal audit function) to ensure compliance and continuing suitability of established strategies and policies. Firms that have adopted systems of matrix management should have clearly defined lines of reporting at all levels.

The first step in setting a risk management and control strategy is a formal analysis of a firm's business activities and the risks of these activities to the firm, ultimately in terms of the risk to capital. From this analysis, quantitative risk exposure limits for each major business activity or product and specifications of the scope of permitted activities should be developed and supported by adequate capital. Once developed, ongoing reviews of the activities and risks of a firm should be conducted on a regular basis and periodic reevaluation of strategies considered based on changes in business and markets. As discussed below, the results of internal and external audits should be reported directly to the governing body.

The level of technical knowledge necessary for governing body members to have or obtain in order to fulfill their duties will vary based on the complexity of the firm's operations and products. In a larger and more complex entity, it would be desirable for members of the governing body to have industry expertise.

Policies and Procedures to Accomplish the Strategy

Once risks have been identified and the general policies toward those risks have been established, firms can develop the detailed and specific guidelines to be used in the day-to-day and long-range operations of the business. Policies and procedures to accomplish the governing body's guidance should include designated lines of authority in the risk management and control process and responsibility for compliance with risk exposure policies, effective internal accounting controls, and internal and external audit. In the case of larger and more complex entities, it may be desirable to establish a centralized and autonomous risk management and control function. Of primary importance is that the risk management and control functions are staffed at an appropriate level of expertise and are independent of risk-generating activities.

Since a control structure is only as effective as the people who operate it, a strong commitment by all personnel within an organization is a prerequisite. In developing the lines of authority and responsibility for the risk management and control process, a primary consideration should be the separation of responsibility for the measurement, monitoring and control of risk from the execution of transactions giving rise to the risk. Senior management should ensure that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. However, humans are fallible and internal control breakdowns can be due to errors, mistakes and collusion. Also of particular importance is formalized written communication throughout the organization of authorized activities, transactions, and risk tolerances.

Effective internal accounting controls and audit procedures are the underlying support for a risk management and control system. Basic internal controls such as authorization for transactions, segregation of duties, safeguards over assets and records, documentation standards and independent verification controls should be consistent between firms. In terms of risk management and capital protection, the most consequential internal controls involve the segregation of duties between the trading function and the internal control and risk management functions and the authorization of transactions.

While defining the respective roles of internal and external auditors is beyond the scope of this paper, it should be stressed that it is important for the supervisor to make judgments on the degree of independence of the respective functions, their relationships with the corporate governance structure, and whether the compliance function is being met.

The internal audit function should be independent of the trading and revenue side of the business and compensation should not be dependent on revenues generated. External auditors operate independently of a firm and their purpose is primarily to express an opinion on the financial statements. As part of this work, external auditors will form a view on the effectiveness of the system of internal control. Internal auditors, by contrast, are not independent of the firm they are auditing, but should be "independent" within the firm by reporting directly to the governing body. Internal auditors are able to tailor their audits to address both financial and operational functions.

Although it may not be suitable for external auditors to report on the general appropriateness of risk management and control policies, the frequency, scope and findings of internal and external auditors are an important independent check on the effective functioning of an established risk management and control system and internal control systems. While each generally has different audit purposes, internal and external auditors often rely on the other's work in determining the nature and extent of audit work to be performed.

Risk Measurement Methodologies

Systems to measure risk must include a methodology that encompasses all identified risks in terms of the firm's positions, markets, currencies and counterparties. Value-at-risk ("VAR") and other mathematical models should be validated frequently, including the assumptions going into the models, and subjected to continued back-testing of the data generated. This methodology should include both sensitivity analysis and stress testing. As an adjunct to a stress testing system, a contingency plan to be followed in adverse circumstances and worst-case scenarios should be developed.

Systems for Reporting Compliance with Established Policies and Procedures

Firms should have in place a risk management and control reporting and review process. This process should include a review mechanism for reporting compliance with established policies and procedures and addressing exceptions. Generally, exposures and profit and loss results should be reported daily to management responsible for risk monitoring who, in turn, should brief senior management responsible for day-to-day operations of the firm.

Assessment of the Effectiveness of the Strategies, Policies and Procedures

Assessment of the effectiveness of established strategies, policies and procedures should be performed regularly. The evaluation should consider the results of established policies, changes in business activities and changes in markets. Material changes to methodologies, models, and assumptions of risk management and control policies should be reviewed by the governing body. Policies and procedures should require that the risk management and control functions be involved in the review of new business products and activities.


Supervisors should concern themselves with understanding the control environment of each firm and satisfying themselves as to the adequacy of controls established by management. Supervisors are responsible for regulating the activities of securities firms in order to protect investors in the securities markets and ensure the integrity of those markets. To this end, supervisors must be proactive, rather than reactive, in devising high quality supervision of the dynamic securities industry. In general, supervisors should not be involved in setting specific control standards at each firm. The guidance in this paper is not intended to limit a firm's management from exercising its proper responsibilities. Nor is it intended to preclude supervisors that have determined controls have fallen below acceptable levels of international standards or minimum standards in their jurisdictions from setting detailed requirements for a particular firm.

Oversight of the Risk Management and Control Process

While the best method of achieving supervisory goals will depend on the legal, political, and regulatory environments in a jurisdiction, the following are suggestions to supervisors concerning oversight of the risk management and control process.

Supervisors could promulgate regulations requiring the establishment of specified risk management and controls at regulated entities and require periodic reports and examinations of compliance with the regulations. The advantage to supervisors is the ability to directly administer major aspects of the oversight of the risk management and control function. However, this approach may be complicated by legal, jurisdictional and political considerations.

Supervisors could consider a tiering of capital requirements based on the level and sophistication of risk management and controls. This has the advantage of relating the level of capital to the level of capital protection procedures in place. However, universal standards of controls are not practical and the determination of the sufficiency of controls and their actual execution in practice is judgmental and time-consuming to assess.

Supervisors could work with industry associations to advocate certain risk management and control standards for members. The advantage of this recommendation is a "peer pressure" approach to compliance. However, the industry group would be primarily geared to the interests of its members and adherence to suggestions of an industry group would be strictly voluntary. Thus the supervisor would have limited enforcement abilities.

Supervisors could promulgate the establishment of management controls indirectly through standard-setting groups such as accounting and auditing principles boards. The collaboration of the IOSCO Technical Committee with the International Accounting Standards Committee and the International Auditing Practices Committee to establish global accounting and auditing standards for international securities issuers is a concrete example of an effective alliance between supervisors and standard setters. A future possibility might be a requirement for auditors to examine risk management and controls as part of an audit of a firm in the securities industry. This might motivate the establishment of additional controls if the lack of adequate controls would increase audit time and cost or be mentioned in management or audit reports. However, the difficulty of agreement between the auditing profession and the securities industry about the necessity of such examinations and the lack of objective standards for risk management and control procedures might be road blocks to the prompt adoption of such a standard.

The globalization of firms, markets and systems across geographic and functional boundaries necessitates that supervisors formally harmonize and coordinate regulatory requirements and efforts. The activities of IOSCO's Technical Committee and the Basle Committee on Banking Supervision are the leading example of the collaboration of supervisors in promoting the stability of financial markets. In June 1996, a Joint Statement concerning cooperation between banking and securities regulators identified significant principles of supervisory cooperation. These included information sharing, supervision of capital, special supervisory arrangements for diversified firms, the need of supervisors to receive accurate reports of operations and early warnings, and the necessity for periodic enhancements to the supervisory process.


4. These controls refer to the structure of the control environment, the nature and scope of risk management and internal controls, implementation, verification and reporting taken as a whole. It is a framework by which management of a firm can independently monitor and verify the activities of its revenue producing and support operations.