• The corporate audit and compliance functions.
The business lines, or front office, make up the first line of defense and are responsible for identifying, measuring and managing all risks within their scope of business. Business lines have the primary responsibility for day-to-day risk management. As the management of the business line is close to the changing nature of risks, it is best able to take actions to manage and mitigate those risks. Lines of business prepare periodic self-assessment reports to identify the status of risk issues, including mitigation plans, if appropriate.
These reports roll up to the executive management and to a central risk department, which enforces the risk discipline. Standard practices impose that the risk management should be centralized and that a “clean break” exists between risk-taking business lines and risk supervising units. The risk department ensures an assessment and a control of risks independent of the business lines. The department is responsible for the guidance and implementation of risk policies, for monitoring their proper execution complying with documented risk processes. It defines, with the top management, the risk policy of the bank. The chief risk officer reports to the senior executive committee, who ultimately provides the risk department with the power of enforcing risk policies.
Given their roles, the perceptions of the same risk reality by the business lines and the risk department might differ. This difference in perspectives is what adds value to the enterprise as a whole and to the risk management process. However, the effectiveness of the risk process can be questioned when there are compelling business reasons to proceed with a transaction. Enforcing the power of a credit committee requires some arbitration process when conflicts arise. The arbitrage between conflicting parties is handled by more senior levels when the process is not conclusive. Moving up in the hierarchy of the bank guarantees that a conclusion will be reached and that the credit proposal is thoroughly examined at each stage.
The existence of a risk department does not suffice to enforce sound risk practices. Both the first line and the second line are accountable for risk assessment and control. Making the risk department the unique function accountable for risks would relieve the business lines from their risk responsibilities. A centralized risk control unit would be overloaded by the number of risk issues raised by the front offices. In large banks, risk managers are “embedded” within the business lines, but report both to the business lines and to the central risk department. They provide the local risk control within the “first line of defense”.
The third line of defense is that of internal and external auditors who report independently to the senior committee representing the enterprise's stakeholders. The internal auditors' role is to provide an independent review of the effectiveness and compliance to risk policies of the risk processes. Corporate audit activities are designed to provide reasonable assurance that significant financial, managerial and operating information is materially complete, accurate and reliable; and that employees' actions comply with corporate policies, standards, procedures and applicable laws and regulations. The auditors have the capacity to make recommendations and to supervise their execution.
1.5.3.2 The Asset and Liability Management Department
The ALM – asset-liability management – department is in charge of managing the funding and the balance sheet of the bank, and of controlling liquidity and interest rate risks. The function of ALM is the finance function of banks and is often located within the finance department. The scope of ALM extends mainly to the banking portfolio, and less so to trading activities because they rely primarily on short-term financing. For controlling the liquidity risk and the interest rate risk, the ALM sets up limits to future funding requirements and manages the debt of the bank. The interest rate risk is measured by the volatility of target variables such as the net interest income of the bank, using interest rate derivatives.
The ALM committee meets at least monthly, or when needed in adverse conditions. It groups the senior management, the chief finance officer, the head of the ALM team and the executives in charge of business development and commercial policies. The senior management is involved because ALM policies have a strategic influence on the bank's financing profitability. ALM policies also have strong and direct interactions with the commercial policy. The bank exposure to interest rate risk and liquidity risk depends on the product mix in the banking book. ALM policies have also a direct effect on the pricing to clients, as it should absorb the cost of financing the banking book. Furthermore, the ALM unit is in charge of internal prices of funds, the cost of funds charged to lending units and the financial compensation of deposit collection by branches.
1.5.3.3 Enterprise-wide Risk Management (ERM)
Bank-wide management implies that metrics of income and risk at the global bank level be related to similar metrics at the business unit, book and transaction levels.
Policies set global limits and profit objectives at the enterprise level, which are allocated to business units. This top-down process requires that aggregate profit and limits be allocated at lower levels of the hierarchy in a consistent manner. The monitoring and the reporting of risks and performance is bottom-up oriented, starting from transactions, and ending up with aggregated risks and income. Both processes require a sound bank-wide allocation of earnings and of risks.
As funds are transferred to lending activities and from deposits collected, the earnings of business lines depend on internal, or transfer, prices. The transfer pricing system serves to allocate earnings across business lines and transactions and is required for reconciling aggregated earnings with the earnings of business lines, and down to the transaction level.
A similar system should be implemented for allocating a share of the bank's risk to business units. Global limit systems define the hierarchy of limits and sublimits within the organization. But limit systems are distinct from measures of risk.
A key factor for risk aggregation is risk diversification. Because of diversification, risks do not add up arithmetically. Loosely speaking, the sum of individual risks is less than the arithmetic summation of risks. This well-known property of risks being subadditive is the source of the challenging problem of risk allocation. For risks to be aggregated bottom-up, and allocated top-down, a risk allocation mechanism is required. In general, the risk allocation issue is addressed by allocating the capital of the bank to portfolios and transactions and it involves an assessment of diversification effects.
Finally, earnings across transactions or portfolios are not comparable because they are in general exposed to different levels of risk. Performances need to be risk adjusted for being comparable across activities and comparable with the risk-adjusted profitability of the bank. The issue is resolved once earnings and risks are properly allocated, by adjusting earnings with the cost of risk based on the cost of capital backing the transactions.
This shows that three building blocks should be designed and assembled for addressing bank-wide risk management:
• Fund transfer pricing systems;
• Risk and capital allocation systems;
• Risk-adjusted performance measures.
These are the necessary components of risk systems for aligning the measures of earnings and risks,3 and the related management incentives, across all business lines of large organizations.
2
BANKING REGULATIONS OVERVIEW
The capital adequacy principle is the foundation of regulations aimed at making banks more resilient. Capital adequacy refers to the minimum level of capital for absorbing the potential losses from the current banks' books. Ensuring a proper level of capital fostered the emergence of sound risk management practices and imposed risk models designed for quantifying the potential losses of a bank arising from its current risks.
This chapter is a brief history and overview of the successive risk regulations introduced since 1988, up to the 2008 crisis and to the new regulations introduced as a response to the current crisis. The detailed regulations are presented in subsequent chapters (3, 17 and 26), within