1. The primary components of a sound risk management process are the following: a comprehensive risk measurement approach; a detailed structure of limits, guidelines and other parameters used to govern risk taking; and a strong management information system for controlling, monitoring and reporting risks. These components are fundamental to both derivatives and non-derivatives activities alike. Moreover, the underlying risks associated with these activities, such as credit, market, liquidity, operations and legal risk, are not new to banking, although their measurement and management can be more complex. Accordingly, the process of risk management for derivatives activities should be integrated into the institution's overall risk management system to the fullest extent possible using a conceptual framework common to the institution's other activities. Such a common framework enables the institution to manage its risk exposure more effectively, especially since the various individual risks involved in derivatives activities can, at times, be interconnected and can often transcend specific markets.

2. As is the case with all risk-bearing activities, the risk exposures an institution assumes in its derivatives activities should be fully supported by an adequate capital position. The institution should ensure that its capital position is sufficiently strong to support all derivatives risks on a fully consolidated basis and that adequate capital is maintained in all group entities engaged in these activities.

Risk measurement

3. An institution's system for measuring the various risks of derivatives activities should be both comprehensive and accurate. Risk should be measured and aggregated across trading and non-trading activities on an institution-wide basis to the fullest extent possible.

4. While the use of a single prescribed risk measurement approach for management purposes may not be essential, the institution's procedures should enable management to assess exposures on a consolidated basis. Risk measures and the risk measurement process should be sufficiently robust to reflect accurately the multiple types of risks facing the institution. Risk measurement standards should be understood by relevant personnel at all levels of the institution - from individual traders to the board of directors - and should provide a common framework for limiting and monitoring risk taking activities.

5. With regard to dealer operations, the process of marking derivatives positions to market is fundamental to measuring and reporting exposures accurately and on a timely basis. An institution active in dealing foreign exchange, derivatives and other traded instruments should have the ability to monitor credit exposures, trading positions and market movements at least daily. Some institutions should also have the capacity, or at least the goal, of monitoring their more actively traded products on a real-time basis.

6. Analysing stress situations, including combinations of market events that could affect the banking organisation, is also an important aspect of risk measurement. Sound risk measurement practices include identifying possible events or changes in market behaviour that could have unfavourable effects on the institution and assessing the ability of the institution to withstand them. These analyses should consider not only the likelihood of adverse events, reflecting their probability, but also "worst case" scenarios. Ideally, such worst case analysis should be conducted on an institution-wide basis by taking into account the effect of unusual changes in prices or volatilities, market illiquidity or the default of a large counterparty across both the derivatives and cash trading portfolios and the loan and funding portfolios.

7. Such stress tests should not be limited to quantitative exercises that compute potential losses or gains. They should also include more qualitative analyses of the actions management might take under particular scenarios. Contingency plans outlining operating procedures and lines of communication, both formal and informal, are important products of such qualitative analyses.

Limiting risks

8. A sound system of integrated institution-wide limits and risk taking guidelines is an essential component of the risk management process. Such a system should set boundaries for organisational risk-taking and should also ensure that positions that exceed certain predetermined levels receive prompt management attention. The limit system should be consistent with the effectiveness of the organisation's overall risk management process and with the adequacy of its capital position. An appropriate limit system should permit management to control exposures, to initiate discussion about opportunities and risks and to monitor actual risk taking against predetermined tolerances, as determined by the board of directors and senior management.

9. Global limits should be set for each major type of risk involved in an institution's derivatives activities. These limits should be consistent with the institution's overall risk measurement approach and should be integrated to the fullest extent possible with institution-wide limits on those risks as they arise in all other activities of the institution. Where appropriate, the limit system should provide the capability to allocate limits down to individual business units.

10. If limits are exceeded, such occurrences should be made known to senior management and approved only by authorised personnel. These positions should also prompt discussions about the consolidated risk taking activities of the institution or the unit conducting the derivatives activities. The seriousness of limit exceptions depends in large part upon management's approach toward setting limits and on the actual size of individual and organisational limits relative to the institution's capacity to take risk. An institution with relatively conservative limits may encounter more exceptions to those limits than an institution with less restrictive limits.

Reporting

11. An accurate, informative and timely management information system is essential to the prudent operation of derivatives activities. Accordingly, the quality of the management information system is an important factor in the overall effectiveness of the risk management process. The risk management function should monitor and report its measures of risks to appropriate levels of senior management and to the board of directors. In dealer operations, exposures and profit and loss statements should be reported at least daily to managers who supervise but do not, themselves, conduct those activities. More frequent reports should be made as market conditions dictate. Reports to other levels of senior management and the board may occur less frequently, but the frequency of reporting should provide these individuals with adequate information to judge the changing nature of the institution's risk profile.

12. Management information systems should translate the measured risk for derivatives activities from a technical and quantitative format to one that can be easily read and understood by senior managers and directors, who may not have specialised and technical knowledge of derivatives products. Risk exposures arising from various derivatives products should be reported to senior managers and directors using a common conceptual framework for measuring and limiting risks.

Management evaluation and review

13. Management should ensure that the various components of the institution's risk management process are regularly reviewed and evaluated. This review should take into account changes in the activities of the institution and in the market environment, since the changes may have created exposures that require additional attention. Any material changes to the risk management system should also be reviewed.

14. The risk management functions should regularly assess the methodologies, models and assumptions used to measure risk and to limit exposures. Proper documentation of these elements of the risk measurement system is essential for conducting meaningful reviews. The review of limit structures should compare limits to actual exposures and should also consider whether existing measures of exposure and limits are appropriate in view of the institution's past performance and current capital position.

15. The frequency and extent to which an institution should re-evaluate its risk measurement methodologies and models depends, in part, on the specific risk exposures created by their derivatives activities, on the pace and nature of market changes and on the pace of innovation with respect to measuring and managing risks. At a minimum, an institution with significant derivatives activities should review the underlying methodologies of its models at least annually - and more often as market conditions dictate - to ensure they are appropriate and consistent. Such internal evaluations may, in many cases, be supplemented by reviews by external auditors or other qualified outside parties, such as consultants who have expertise with highly technical models and risk management techniques. Assumptions should be evaluated on a continual basis.

16. The institution should also have an effective process to evaluate and review the risks involved in products that are either new to it, or new to the marketplace and of potential interest to the institution. It should also introduce new products in a manner that adequately limits potential losses and permits the testing of internal systems. An institution should not become involved in a product at significant levels until senior management and all relevant personnel (including those in risk management, internal control, legal, accounting and auditing) understand the product and are able to integrate the product into the institution's risk measurement and control systems.