Risk Governance, Policies, and Procedures

Risk governance refers to the mechanisms that a firm uses to assess and implement decisions related to market, credit, liquidity, and operational risks inherent in capital markets business. The risk governance framework at a bank typically involves various stakeholders at different levels of the firm, including the board of directors and senior executives across various business, risk, and corporate functions, such as finance and audit.

Capital markets firms, encouraged by regulators globally, organize and govern their risk management practices using a three‐lines‐of‐defense model. The three lines of defense typically include risk‐taking, risk‐oversight, and risk‐assurance activities. Broadly, the first line is made up of the risk takers—business line heads who must own and track the risks they generate. The second line is an independent body, typically the capital markets risk function that sets risk‐taking limits and ensures that all risks are being appropriately managed across the organization. The third line, usually internal audit, verifies the efforts of the other two functions to ensure that nothing falls through the cracks so that policies, processes, and other controls are being adhered to.

The effectiveness of the three‐lines‐of‐defense model depends upon: (1) clarity of roles and responsibilities/accountabilities across all stakeholders; (2) segregation of duties to promote independence in risk management; and (3) appropriate review and challenge that is built into the governance framework at all levels of the organization.

The capital markets risk function needs to outline its approach and strategy to risk management on a periodic basis (at a minimum annually, given the rapidly evolving capital markets business and regulatory landscape). In other words, the risk function needs to quantify and articulate how much risk the firm is willing to take across all risk types, and outline specific actions that management should undertake when the firm approaches or exceeds agreed‐upon risk thresholds. The activity of identifying and quantifying risks manifests in a risk appetite statement with permissible risk levels for each risk type. Furthermore, risk policies, which are guiding principles used to set the direction of the risk management function across all risk types, are developed and maintained to remain in sync with the business's strategy and the firm's risk appetite statement.

Capital markets risk management procedures and processes translate policies into specific and tangible steps, according to which day‐to‐day activities can be performed. Procedures also need to ensure that the firm has in place an effective system of controls, reasonably designed to identify and mitigate risks.

Risk Modeling, Measurement, and Reporting

A firm's ability to effectively monitor risk across risk types (i.e., credit, market, liquidity, and operational risk) requires key capabilities, namely: sound risk model methodology, model development, model validation, and the ability to respond to specific business and regulatory analyses. Although modeling methodologies vary by risk type, there are foundational elements that need to be considered:

• Decomposing risk into discrete parts: Dividing the analytical problem into manageable subparts (e.g., for market risk methodology, segmenting models by asset class; for credit risk methodology, segmenting models by market segment/obligor).
• Balancing model effectiveness and efficiency: Evaluating the complexity of the model methodology, number of models required, and the accuracy/predictive power of the model, taking account of constraints such as the availability and quality of modeling data, number of resources available, and the timeliness of model development.
• Aligning methodology with regulatory requirements and firm's accounting practices: As risk management models are developed and then validated, it is essential that they achieve the desired performance requirements of the risk function and are consistent with the firm's accounting practices while also adhering to guidelines and expectations set by the regulators.

Example: A robust market risk function would typically entail execution of the following processes:

• Development of a model methodology for calculation of Value‐at‐Risk (VaR) and Stressed Value‐at‐Risk (SVaR)
• Development of pricing models and sensitivities for the asset classes in the bank's portfolio and within the capital markets risk function's purview
• Development of stress testing and scenario generation calculations
• Model calibration and measurement of model performance (e.g., via backtesting)
• Execution of applicable ad‐hoc risk analyses
• Periodic validation of market risk models in line with the firm's model validation policies

Risk IT teams collaborate with risk modelers to implement models and methodology into robust technology platforms and systems. This enables risk managers to:

• Effectively manage and oversee market data (e.g., security price, bond price), position data (e.g., number of shares), and reference data (e.g., CUSIP, ISIN), which feed into risk systems
• Execute risk measurement processes on a periodic basis—real‐time/daily for market risk, upon specific events/triggers (e.g., changes in corporate structure) for credit risk.
• Perform backtest runs to ensure models are performing and responding as expected/designed.
• Review risk metrics and key risk indicators (KRIs) that are calculated, to ensure conformance with risk limits.

The aggregation of risk metrics into insightful risk reports and KRIs is vital to senior management's ability to effectively monitor and consequently mitigate risk across all material risk types. Senior management usually sets the frequency of risk management report production and distribution. The frequency of risk management reports reflects the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change. In summary it depends on the importance of reports in contributing to sound risk management and effective and efficient decision making across the bank.

Risk reporting is a key capability that comprises the following processes:

• Certifying and signing off on results (e.g., daily VaR and SVaR calculations) to maintain risk measurement accuracy and confirm that risk managers believe the results are appropriate for reporting and disclosure purposes.
• Producing risk reports that accurately and precisely convey aggregated risk data; reports need to be reconciled and validated prior to senior management review. Ideally, reports should include an appropriate balance between risk data, analysis and interpretation, and qualitative explanations.
• Producing risk reports for regulatory reporting; this particular process entails multiple checks and validations by risk managers and senior management to ensure completeness and accuracy of results.

In addition to the above, the risk function needs to ensure it is closely managing and responding to more targeted regulatory requests as well as broader regulatory mandates.

As discussed in earlier chapters, regulators in the United States and in Europe view stress testing as the primary tool to ensure appropriate capital adequacy and robustness in risk management processes. Note: In the United States this manifests itself through the annual Comprehensive Capital Analysis and Review (CCAR).

Key processes performed as part of the stress testing and CCAR exercise align with the process architecture outlined previously, comprising the following categories: risk governance, policies, and procedures, as well as risk modeling, measurement, and reporting.

Figure 6.2 details the specific processes performed for stress testing and CCAR within each of these process categories. The key differentiation here is that as part of the stress testing and CCAR exercise, risk is modeled, measured, and reported in order to estimate the impact on the bank's income statements and balance sheets under stress scenarios and demonstrate adequacy of capital under stressed scenarios.

Data Governance Principles

One of the key lessons learned from the global financial crisis was that banks' data architectures were inadequate to support the broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines, and between legal entities. In response, the Basel Committee issued regulation “BCBS 239” for effective risk data aggregation and risk reporting.

Many in the industry recognize the benefits of improving a bank's risk data aggregation and reporting capabilities, as a result strengthening its ability to support better informed decisions. The associated benefits include gains in efficiency, reduced probability of losses, enhanced strategic decision‐making, and, ultimately, increased profitability.

The key principles for achieving effective risk data management are focused on establishing:

• A robust data governance that enables comprehensive, accurate, complete, and timely risk reporting.
• A data architecture and IT infrastructure that fully supports the firm's risk data aggregation capabilities and risk reporting practices not only in normal times but also during times of stress or crisis.
• Capabilities to generate accurate and reliable risk data to meet normal and stress/crisis reporting accuracy requirements. Data should be aggregated on a largely automated basis so as to minimize the probability of errors. Ideally, the firm should be able to capture and aggregate all material risk data across the group.
• Data that is available by business line, legal entity, asset type, industry, region, and other groupings that permit identification and reporting of risk exposures, concentrations, and emerging risks.
• Capabilities to generate aggregate risk data that meets a broad range of on‐demand, ad‐hoc risk management reporting requests, including requests during crisis situations, requests due to changing internal needs, and requests to meet supervisory queries.

Data Management Capabilities

In order to achieve and implement the principles described above, firms design, build, and maintain fundamental risk data management capabilities that span the lifecycle of risk data. Typical capabilities in this space include:

• Data strategy and governance outlines the risk function's data mandate/requirements, oversight committees, resources, and organization structure. Additionally the governance structure details the roles and responsibilities of the risk data group as well as business owners of the data (i.e., data stewards).
• Data operations delineate the various data lifecycle management processes, encompassing risk data sourcing of inputs from various internal and external sources/systems, data staging and transformation into desired formats, data validation for accuracy, integrity, and completeness, data loading and provisioning to models/analytics systems, data aggregation of results, reconciliation of results, and storage and archiving of inputs and results.
• Overlaying the above data operations are processes to measure, monitor, and escalate data quality and performance to the risk function's stated data requirements.
• The appropriate data architecture and IT systems need to be implemented to support data management activities. Each component of the data lifecycle may be executed on multiple systems and platforms, increasing the complexity associated with risk data quality and management.