Swati Sawjiany
As discussed in earlier chapters, capital markets activities by their very nature require careful and appropriate risk management. The global financial crisis exposed the need for improved and more stringent risk management practices at financial services firms; firms have responded by investing in upgrades to their risk management processes, technology, and data environments.
The pace of regulations and complexity remains daunting. As a result, the cost of compliance is higher than at any point in recent history, operational and technology risks are plentiful, and the need for more timely and accurate analytics is pervasive.
With this backdrop, risk processes, technology, and data are playing and will continue to play a critical role in the stability and efficiency of capital markets business models. This chapter provides an overview of the risk management and measurement processes, technology, and data capabilities required at capital markets firms. Following this introductory section are the following topics:
To execute on demands placed on capital markets risk management teams, firms must institute appropriate risk policies and governance that are implemented in the organization day‐to‐day via procedures and processes. Figure 6.1 depicts a typical process architecture for a large capital markets risk management function.
Risk governance refers to the mechanisms that a firm uses to assess and implement decisions related to market, credit, liquidity, and operational risks inherent in capital markets business. The risk governance framework at a bank typically involves various stakeholders at different levels of the firm, including the board of directors and senior executives across various business, risk, and corporate functions, such as finance and audit.
Capital markets firms, encouraged by regulators globally, organize and govern their risk management practices using a three‐lines‐of‐defense model. The three lines of defense typically include risk‐taking, risk‐oversight, and risk‐assurance activities. Broadly, the first line is made up of the risk takers—business line heads who must own and track the risks they generate. The second line is an independent body, typically the capital markets risk function that sets risk‐taking limits and ensures that all risks are being appropriately managed across the organization. The third line, usually internal audit, verifies the efforts of the other two functions to ensure that nothing falls through the cracks so that policies, processes, and other controls are being adhered to.
The effectiveness of the three‐lines‐of‐defense model depends upon: (1) clarity of roles and responsibilities/accountabilities across all stakeholders; (2) segregation of duties to promote independence in risk management; and (3) appropriate review and challenge that is built into the governance framework at all levels of the organization.
The capital markets risk function needs to outline its approach and strategy to risk management on a periodic basis (at a minimum annually, given the rapidly evolving capital markets business and regulatory landscape). In other words, the risk function needs to quantify and articulate how much risk the firm is willing to take across all risk types, and outline specific actions that management should undertake when the firm approaches or exceeds agreed‐upon risk thresholds. The activity of identifying and quantifying risks manifests in a risk appetite statement with permissible risk levels for each risk type. Furthermore, risk policies, which are guiding principles used to set the direction of the risk management function across all risk types, are developed and maintained to remain in sync with the business's strategy and the firm's risk appetite statement.
Capital markets risk management procedures and processes translate policies into specific and tangible steps, according to which day‐to‐day activities can be performed. Procedures also need to ensure that the firm has in place an effective system of controls, reasonably designed to identify and mitigate risks.
A firm's ability to effectively monitor risk across risk types (i.e., credit, market, liquidity, and operational risk) requires key capabilities, namely: sound risk model methodology, model development, model validation, and the ability to respond to specific business and regulatory analyses. Although modeling methodologies vary by risk type, there are foundational elements that need to be considered:
Example: A robust market risk function would typically entail execution of the following processes:
Risk IT teams collaborate with risk modelers to implement models and methodology into robust technology platforms and systems. This enables risk managers to:
The aggregation of risk metrics into insightful risk reports and KRIs is vital to senior management's ability to effectively monitor and consequently mitigate risk across all material risk types. Senior management usually sets the frequency of risk management report production and distribution. The frequency of risk management reports reflects the needs of the recipients, the nature of the risk reported, and the speed at which the risk can change. In summary it depends on the importance of reports in contributing to sound risk management and effective and efficient decision making across the bank.
Risk reporting is a key capability that comprises the following processes:
In addition to the above, the risk function needs to ensure it is closely managing and responding to more targeted regulatory requests as well as broader regulatory mandates.
As discussed in earlier chapters, regulators in the United States and in Europe view stress testing as the primary tool to ensure appropriate capital adequacy and robustness in risk management processes. Note: In the United States this manifests itself through the annual Comprehensive Capital Analysis and Review (CCAR).
Key processes performed as part of the stress testing and CCAR exercise align with the process architecture outlined previously, comprising the following categories: risk governance, policies, and procedures, as well as risk modeling, measurement, and reporting.
Figure 6.2 details the specific processes performed for stress testing and CCAR within each of these process categories. The key differentiation here is that as part of the stress testing and CCAR exercise, risk is modeled, measured, and reported in order to estimate the impact on the bank's income statements and balance sheets under stress scenarios and demonstrate adequacy of capital under stressed scenarios.
Running capital market risk management processes requires a substantial technological investment as it necessitates putting in place a robust set of systems and applications for risk analytics and risk data management. Given the complexity of calculations and degree of data processing performed on a daily basis, key risk systems and applications take several months and often years to develop and test before releasing to users for day‐to‐day use. Banks may choose to develop these systems in‐house (i.e., “build”), leveraging their internal IT teams, or may choose to implement an IT solution that is provided and implemented by a risk technology vendor (i.e., “buy”). Build‐versus‐buy decisions are typically made by risk and IT senior management in advance of any systems implementation, and each approach has its own pros and cons.
Capital markets risk functions that depend on internally developed systems may face challenges with ongoing maintenance (i.e., keep the lights on or KTLO enhancements), especially when it comes to legacy systems that were developed in archaic software development languages for which developers are scarce, and on inflexible infrastructures. The benefits of developing risk systems internally are that a bank may be able to incorporate custom business requirements and ensure that the system is compatible with its technology landscape.
As new financial technology vendors emerge, banks are increasingly leveraging opportunities to implement IT solutions developed by risk technology vendors (i.e., commercial off‐the‐shelf technology). This provides the risk function with access to innovative, flexible, and modular technology solutions, often incorporating market best practices and evolving regulatory requirements with future releases and upgrades.
Capital markets IT architecture can be viewed through several lenses, namely: contextual view, conceptual view, logical view, and technical view. Each of these IT architecture views is described ahead:
The logical view is the most commonly used lens to represent capital markets risk technology architecture. Within the logical view, the capital markets risk‐IT landscape comprises the following layers:
Data is a critical but often underappreciated component of capital markets risk management—it is what fuels risk management engines. Typically, most risk management calculations require 7–10 years of historical data for robust model development and validation activities. Furthermore, the quality of the risk measurement/output is only as good at the input data sets; in other words, inaccurate input data typically results in inaccurate risk metrics. Thus the availability of historical data across most risk types and the quality control of large‐scale data sets present major data management challenges for capital markets institutions.
Capital markets institutions expend substantial human and financial resources to access, source, consolidate, format, and validate risk data. More recently, most capital markets institutions have developed data management strategies to adequately address the abovementioned data challenges. A data strategy comprises the following:
One of the key lessons learned from the global financial crisis was that banks' data architectures were inadequate to support the broad management of financial risks. Many banks lacked the ability to aggregate risk exposures and identify concentrations quickly and accurately at the bank group level, across business lines, and between legal entities. In response, the Basel Committee issued regulation “BCBS 239” for effective risk data aggregation and risk reporting.
Many in the industry recognize the benefits of improving a bank's risk data aggregation and reporting capabilities, as a result strengthening its ability to support better informed decisions. The associated benefits include gains in efficiency, reduced probability of losses, enhanced strategic decision‐making, and, ultimately, increased profitability.
The key principles for achieving effective risk data management are focused on establishing:
In order to achieve and implement the principles described above, firms design, build, and maintain fundamental risk data management capabilities that span the lifecycle of risk data. Typical capabilities in this space include:
Most large capital markets firms have embarked on the important journey of bolstering their data management capabilities and streamlining their data and IT architectures. Firms have implemented or are investing in new tools and technologies to enable more seamless management, aggregation, and visualization of large volumes of risk data. Depending on the stage of the data lifecycle, the types of systems and tools may vary:
The velocity (speed of data delivery), volume (amount of data processed), and variety (the range of data sets leveraged) of data in capital markets is increasing at a relentless pace. Banks are beginning to explore opportunities and evaluate use cases/applications for big data in capital markets. Big data is defined as a strategy and/or technology deployment that addresses data problems that are too large or complex for traditional database technologies. Capital markets tend to largely deal with structured data sets from a multitude of defined sources—clients, counterparties, market data vendors, and market infrastructure players. However, recently, the use of unstructured data is becoming increasingly popular—for example, for risk analytics, client analyses, sentiment analyses, and market surveillance (e.g., asset price, volatility, liquidity trends).
Emerging technology enablers such as high‐frequency trading (HFT)1 platforms and blockchain2 are putting increasing pressure on capital markets risk functions to proactively identify, monitor, and mitigate risks in a timely manner, and within accelerated timeframes—previously from days/hours to now minutes/seconds. For capital markets risk, this has major implications on the frequency (e.g., intraday, real‐time) and complexity of risk analytics, as well as the sophistication of underlying data and technology, in order to remain current and effectively monitor risks in the market.
Thus the next generation of risk management will involve the automated intraday and near‐real‐time calculation, aggregation, and reporting of risk exposures and KRIs across the entire capital markets institution for various risk types—market, counterparty, liquidity, and so on, by product, geography, client, and business unit. Capital markets risk will need to have the ability to perform more frequent what‐if analysis, stress‐testing, and liquidity studies to test a broad set of risk assumptions and macroeconomic scenarios. Finally, in order for risk managers to be effective they will require sophisticated tools that synthesize and articulate complex, interrelated portfolio, counterparty, market, and liquidity events into insightful and timely alerts and reports.