What’s our policy? Posted on May 01, 2015 | By David Perez

Today’s volatile and unpredictable market conditions make it increasingly important to design an overarching risk management policy upon which a risk management program can be defined and built. David Perez of Enite offers some guidelines.

Risk managers are currently faced with several challenges. The global credit crunch is constricting liquidity and exacerbating volatility, stressing existing risk management capabilities. The resulting turmoil is increasing scrutiny from regulators across a variety of geographies and agencies. Finally, boards of directors are pressuring risk managers to protect shareholder value. An effective risk management programme is critical to address these concerns, and a comprehensive risk management policy is critical to both define and support that programme. Most trading organisations have developed a collection of policies, processes and procedures to address specific risks or regulatory requirements, but they often lack an overarching policy to define and support their risk management programme. A thorough risk management policy serves as a blueprint for the trading organisation’s risk management capabilities. It allows management to articulate the purpose of their business activities and identify the resulting risks, and then detail how leadership addresses them through organisational structure, risk metrics and limits, and reporting and monitoring capabilities.

Why develop a comprehensive risk

Recent market conditions are saddling companies with increasingly complex market risks, the prospect of increased regulatory control and shareholder demands to mitigate potential earnings risk. Risk management programmes are being evaluated on their ability to identify and report emerging risks, manage limit breaches, and notify management through the organisation at the appropriate levels. A policy should define how the organisation mitigates and responds to volatility in the form of counterparty or pricing exposure. The emergence of new types of market participants such as airlines, investment banks, hedge funds and private equity has significantly complicated counterparty risk evaluation. The increased variety of counterparty risk profiles, coupled with commodity price volatility, requires well-developed risk management capabilities to respond effectively. These conditions have increased demand for a well-defined approach to respond to changing market conditions. A thorough risk management policy incorporates regulatory controls within the overall risk management programme. Once again market conditions have resurrected concern about gaps in controls, escalating regulatory scrutiny. Frequently compliance policies and procedural documents are used only as reference during audits and may not be actively managed to reflect business and changes to market conditions. A comprehensive risk policy serves to implement these controls and provide a reference to regulators and employees. Finally, a risk management policy should provide leadership with the tools to effectively manage risk and provide shareholder confidence. A comprehensive programme ensures that exposures to identified risks are minimised, using the most effective and efficient methods to measure, monitor, report, and potentially eliminate, reduce, or transfer such exposures while supporting the company’s business objectives. Inadequacies in risk management or perceived mismanagement of risk will continue to stress an industry already beleaguered by market, credit and regulatory risk. However, a concise risk policy can provide a cohesive plan for assessing and reacting to risk tolerance breaches.

What is a risk management policy?

A thorough risk management policy begins by describing the business and trading activities that are generating the risks to be managed, providing context for the risk management approach, oversight structure, risk mitigation and risk management tools to be detailed throughout the remainder of the document. While a risk management policy’s composition will depend on the organisation’s business and market, the following are common components:

Trading organisation’s business purpose
An overview of the markets in which the organisation engages and the purpose of its trading activities. Provides business context for the risks encountered by the organisation and addressed by the policy.

Purpose of the risk management policy
An overview of the outcomes desired by effectively managing the identified risks.

Approach to addressing risk
Should include a detailed description of the risk management team’s objectives and control principles and how to apply the policy in managing risk.

Risk management oversight structure
Describes the composition and responsibilities of each level of the oversight structure. This

Most trading organisations have developed a collection of policies, processes and procedures to address specific risks or regulatory requirements, but they often lack an overarching policy to define and support their risk management programme

may include the Board of Directors, CEO, CFO, Risk Management Committee, CRO, and Risk Managers of subsidiary business units, geographic regions or commodities.

Identified risks
Describes the categ provides detail as nec nature of your busine transactions and stab ties. The remainder o designed to mitigate identified here. Poten types to address are:

  • Market risk – the potential change in value due to a change in the price of a commodity. The number of markets, the volatility and liquidity of these markets and the size of the company’s open posi-tion primarily determines the exposure to this risk.
  • Credit risk – the risk that a counter-party will fail to perform on its contractual obligations. Credit risk includes current exposure, which can be measured as the replacement cost of the position or port-folio, and potential exposure, which can be estimated as the additional replacement cost that may arise over time.
  • Operational risk – exposures due to human error, fraud, or failure of the system of internal controls to record, monitor, and account for transac-tions or positions as outlined in this risk management policy and procedure documents.
  • Regulatory and legal risk – the risk that the company will not be in compliance with full regulatory and legal requirements or that relevant regulatory and legal requirements change.

Controls and risk mitigation
Lists all controls and risk mitigation tools in place. This will include authorisation controls for transaction types, traders, authorised regions, markets and instruments and authorised foreign exchange trans-actions. This should be a thorough itemisation of the activities the transactors can engage in, who can transact, and how they are to transact.

Risk monitoring
Details system security and audit measures, confirmation procedures, and any other operational controls. Risk measurement methodologies Details the metrics employed to measure identified risks and their individual methodologies. Describes responsibilities for producing those metrics, periodic reviews for appropriateness, who has authorisation to change them and the audit process.

Defines the types of limits used, such as Notification Limits (position, P&L, VaR, etc), Credit Limits, Stop Loss Limits (by portfolio, trader, etc) and any others employed.

Limit compliance
Defines the process for enforcing limits and responding to violations. Describe how the organisation will respond to non-compliance by defining the process, roles and responsibilities for evaluating and disciplining violations.

Management reporting
Defines the key reports, owners, frequency of reporting and distributions.

Steps to developing a risk management policy

First determine the organisational level the policy will address. Is it to be a corporate policy, or a subsidiary or business unit the policy is being written for? Having defined the organisation, determine which risk management policy components previously defined comprise the final policy document.

That list will provide a framework for structuring the final policy document. The next step is to identify and review policies and procedures. Catalogue the existing components and evaluate their quality and completeness. Compare the catalogue of existing components to the framework and identify any missing required components.

Utilise the framework to begin structuring the final policy document. Incorporate the existing risk policy documents either reproducing the text or summarising relevant portions and referencing to the original. Approved missing risk policy components should be developed and the completed risk policy document should be disseminated to risk managers for independent review.

A working group of risk managers tasked with review and approval is helpful. Any feedback from this review will be incorporated into the document. After final revisions are complete the risk policy document will be submitted for executive sign-off.

Once the executive sign-off has been granted the implementation of the policy begins. Management is well served by developing a standing risk management policy working group, comprised of the key risk managers, legal representation, front office manager, back office manager, internal regulatory advisors as well as an information technology steward. This working group team should be intimately versed in the risk policy and be called on to effectively enact the risk policy mandates, address compliance issues, or react to market changes. By care-fully defining a team dedicated to the effort, you help ensure effective implementation across the organisation and responsiveness to future policy issues in a timely manner. The risk management policy is only as good as its utilisation, which is dependent on a well-executed implementation and widespread adoption.