Wednesday, December 8, 2010

Auditing Derivatives: Think of what can go wrong -- Risk Management

This article appeared in The Malaysian Accountant journal, Sep-Oct 2010 issue

By Jasvin Josen

Being in the Risk Management unit of an Investment Bank can be very overwhelming, let alone auditing this function. The term itself carries unpleasant reminders of past crises: Barings, LTCM and Orange County in the 1990s; AIG, Bear Stearns and Lehman Brothers in 2008. All of these disasters seem to directly implicate the Risk Management Group.

The Risk Management group is quite different from the Trading Floor and Controlling Group discussed in the last two issues. Some companies associate the function with recovery and disaster procedures. However, in an investment bank, risk management is far more encompassing.

According to the International Financial Risk Institute, risk management provides four important functions:
§    to protect the firm against market, credit, liquidity, operational, and legal risks;
§    to protect the financial industry from systemic risk;
§    to protect the firm's customers from large non-market related losses (e.g., firm failure, misappropriation, fraud, etc.); and
§    to protect the firm and its franchise from suffering adversely from reputational risk.

In auditing this function, one should avoid the temptation to get pulled in all directions. It is always useful to start by thinking of what can go wrong, relating it to past mishaps. The auditor should also dare to imagine the improbable and, occasionally, the impossible. After all, risk is about uncertainty in the occurrence of extreme events.

So what could go wrong? Below is a non-exhaustive list of some lessons we can take from the recent past.

Taking excessive risk (knowingly or unknowingly)

  • Assuming complicated risks
In 2008, Lehman Brothers was taking unprecedented risk in subprime CDOs by assuming first loss default risk (or equity risk). AIG was the “dumping ground” for hedges of subprime CDOs. Default risk and correlation risk were, for the first time, being taken on such a large scale.
Default risk and correlated default risk are not straightforward to comprehend as they involve heavy mathematical modelling that is frequently based on unrealistic assumptions. As a result, prices and market risk computations (e.g. delta, gamma, vega, rho, theta) thrown out by models were questionable. But how many practitioners in the bank knew this?
  • Assuming high negative gamma risk
In the business of derivatives, negative gamma risk can be a scary experience. Gamma is the rate of change in the delta of an option instrument. Delta is the change in the option's price for a unit change in the price of the underlying.

When gamma is positive, this means that as the price of the underlying moves in your favour, the rate at which you profit will accelerate, i.e. the delta is increasing. When the underlying moves against you, the rate at which you lose will decelerate. When gamma is negative, this means that the rate at which you profit will DECELERATE as the stock price continues to move in your favour, but the rate at which you lose will ACCELERATE as the stock price makes continued moves against you.

Markets can turn the corner suddenly and become very volatile. Short option positions tend to suffer huge negative gamma in volatile markets. The problem is not with the computation or knowledge of the negative gamma, but rather that risk managers are unable to tell when negative gamma will shoot up in volatile markets. When the markets do turn suddenly and negative gamma rises sharply, risk managers often end up instructing that positions be liquidated at a major loss. To make matters worse in volatile times, another risk, liquidity, makes getting rid of positions even more difficult.
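
To make the positive versus negative gamma behaviour concrete, here is an added worked example (not part of the original article) using Black-Scholes Greeks for a European call on a non-dividend stock; the contract parameters are constructed, not market data. It shows that a delta-hedged short call loses whichever way spot moves, with the loss growing roughly with the square of the move, and that an unhedged short call loses faster and faster as spot rallies against it but profits more and more slowly as spot falls in its favour.

```python
"""Positive vs negative gamma, worked through with Black-Scholes Greeks.
Added example, not from the original article. Assumes a European call on a
non-dividend stock; the parameters below are constructed, not market data.
Sign convention: position +1 is long one call, -1 is short one call."""
from math import erf, exp, log, pi, sqrt

# Constructed contract: spot 100, strike 100, 3 months, 2% rate, 30% vol.
S0, K, T, R, SIGMA = 100.0, 100.0, 0.25, 0.02, 0.30

def norm_cdf(x):
    return 0.5 * (1.0 + erf(x / sqrt(2.0)))

def norm_pdf(x):
    return exp(-0.5 * x * x) / sqrt(2.0 * pi)

def _d1(s):
    return (log(s / K) + (R + 0.5 * SIGMA ** 2) * T) / (SIGMA * sqrt(T))

def call_price(s):
    d1 = _d1(s)
    return s * norm_cdf(d1) - K * exp(-R * T) * norm_cdf(d1 - SIGMA * sqrt(T))

def call_delta(s):
    """Option price change per unit move in the underlying."""
    return norm_cdf(_d1(s))

def call_gamma(s):
    """Rate of change of delta: positive for a long call, negative for a short."""
    return norm_pdf(_d1(s)) / (s * SIGMA * sqrt(T))

def hedged_pnl(position, s_new):
    """P&L of one option delta-hedged at S0 after a jump to s_new. Positive
    gamma gains whichever way spot moves; negative gamma loses whichever way,
    roughly 0.5 * gamma * move**2, so the loss accelerates with the move."""
    move = s_new - S0
    return position * (call_price(s_new) - call_price(S0) - call_delta(S0) * move)

def step_pnls(position, spots):
    """Unhedged P&L of each successive step along a path of spot prices."""
    return [position * (call_price(b) - call_price(a)) for a, b in zip(spots, spots[1:])]

if __name__ == "__main__":
    print("gamma at S0:", round(call_gamma(S0), 4))
    print("hedged long, +-10 move:", round(hedged_pnl(1, 110), 2), round(hedged_pnl(1, 90), 2))
    print("hedged short, +-10 move:", round(hedged_pnl(-1, 110), 2), round(hedged_pnl(-1, 90), 2))
    # Short call as spot rallies against it: each step loses more (accelerating).
    print("short, 100->115:", [round(x, 2) for x in step_pnls(-1, [100, 105, 110, 115])])
    # Short call as spot falls in its favour: each step gains less (decelerating).
    print("short, 100->85:", [round(x, 2) for x in step_pnls(-1, [100, 95, 90, 85])])
```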

  • So, what does the auditor do?
Ø  Do not discourage such risks
It is a mistake to conclude that taking complicated risk and assuming negative gamma in positions is bad and should be avoided at all costs. This is part and parcel of any growing financial market. The answer is in managing the risks around the positions, so that when things do falter (and they do), the safety net is ready. Regulators, especially in Asia (and Malaysia), who have been shying away from “complicated” derivatives, are slowly realising this and starting to liberalise their markets.

Ø  Understand the business well
The auditor can start by taking a good look at the type of derivative business that the bank engages in. Questions in his mind would be: what kind of risk is being taken; are all types of risk being considered; does any ambiguity exist in the computation of any risk (for example, there is still no market standard for correlated default risk); and what are the risk trends. A detailed assessment of the IT environment for risk computations and reports is critical too, as risk managers depend entirely on data processing and models.

It is always useful to review off-balance sheet structures with risk management personnel to assess what risk they carry and if all the risks are captured and accounted for.

Ø  Review stress testing and scenario analysis
The auditor should also review the scenario analysis and stress testing. The focus is not the performance of the tests but whether the right parameters are stressed and the scenarios are extreme enough. Equally important is what is done with the results. A plan must exist for instances when results are not favourable: who they get reported to and what action is required. The auditor must be comfortable with this issue or else take it up with management.

Ø  Identify gaps in risk expertise
The risk management function has to strike a fine balance between investing in capital (human and systems) to protect the firm and yet remaining profitable in doing so. A report by the Economist Intelligence Unit in Feb 2010, “Rebuilding Trust: Next Steps for Risk Management in Financial Services”, identified gaps in risk expertise as a serious issue, even in the West. The report also identified an over-reliance on risk models, and data problems, which are widely seen as key failures in financial risk management.

Ignoring Liquidity Risk

Liquidity risk is what killed Bear Stearns, the renowned hedge fund. The firm heavily invested in seemingly low-risk CDOs, graded AAA or AA. The fund was heavily leveraged, borrowing money in low-cost short-term repos to buy higher-yielding long-term CDO tranches. The difference between the borrowing interest rate and the yield on the CDOs generated the fund’s profits. As the subprime credit market blew up, liquidity in the repo market dried up and interest rates shot up, making the business unsustainable and bringing down the hedge fund.

Illiquid financial instruments are often priced off the parameters of other liquid instruments. For example, off-the-run bonds are priced off the curve of on-the-run bonds. Highly structured interest rate products are priced off interest rate volatility taken from a volatility surface built from liquid caps, floors and swaptions. These practices are not unreasonable, but it is dangerous to assume that illiquid instruments like these will always trade close to their theoretical prices. In times of financial shocks, there will always be a “flight to quality” and instruments like these will trade at a large discount.

  • So, what does the auditor do?

Bearing in mind the above, the auditor should check whether the bank’s stress tests include stretching liquidity to worst-case values.
It is very challenging for the treasury department managers of a bank to maintain enough liquidity when the wider liquidity in the market dries up. The auditor should discuss with treasury the extent of leverage taken on by all the leveraged transactions in the bank, and should be comfortable with what is being done to maintain enough liquidity.

Underestimating Counterparty Risk
Counterparty risk is basically the risk that the other party to a transaction will not be able to come up with the payments due. This is mainly applicable in over-the-counter trades like swaps and options. Credit risk can be minimised by requiring counterparties to maintain some collateral. Very often, AAA rated counterparties will not be required to put up any collateral.
When AIG was rated AAA, the firm did not have to post any collateral upfront with its counterparties for over-the-counter trades. When the company's questionable accounting practices were exposed, its rating was downgraded. It could not afford to post billions in collateral to its counterparties. AIG was about to collapse, and counterparties were nervous as the extent of their exposure to AIG was enough to drag them down as well, leading to a serious economic collapse.

  • So, what does the auditor do?
The auditor should review the bank's method of managing counterparty risk and may want to ensure that the bank does not rely entirely on external ratings.

Unable to grasp systemic risk
The International Financial Risk Institute defines systemic risk as the risk that failure in one firm or one segment of the market would trigger failures in other segments of, or throughout, the financial markets.

  • So, what does the auditor do?

Systemic risk is perhaps the greatest challenge to risk managers and to financial markets. Keeping the big picture in view, and daring to imagine the impossible in all situations, will keep the auditor's mind focused on assessing the dangers of systemic risk.

Risk Managers’ warnings go unheard
With all the failures that we have heard of in the last three years, it is hard to believe that all of them were caused solely by excessive risk taking. There must have been a few risk managers who noticed cracks in the system and alerted management immediately. A bigger problem seems to be that their warnings were ignored.
A report prepared for the OECD in 2010 by R. C. Anderson encourages boards to assess and manage the risk management culture and risk management maturity, and stresses the overall importance of ethics to the management of risk. The paper encourages boards to take a more pro-active stance in overseeing the risk management framework as part of the development of the assurance framework.
  • So, what does the auditor do?
With this in mind, the auditor should be observant of the risk culture in the bank and how much regard is given to the risk management team.

Risk Management Group sits in a high tower, operating in a silo

During the crisis, separating risk into separate departments (market risk management, credit risk management, treasury-liquidity risk management) led many financial institutions to underestimate risk concentrations and correlations. Poor communication between departments is seen as a key barrier to effective risk management.

  • So, what does the auditor do?
The auditor needs to analyse the organisation structure and conduct interviews to assess how risk is being communicated in the bank.

It may seem at present that investment banks in Malaysia do not face the same challenges as others around the world, as we do not trade those fancy derivatives. However, there is a great possibility that very soon Malaysia and neighbouring countries (Singapore already did a long time ago) will be trading more aggressive financial products, in line with their efforts to liberalise the markets.
In the next article we will investigate a common risk measure, “Value at Risk” – a once popular measure, whose effectiveness is now being questioned…

