Banks that do not differentiate risks of their customers would suffer from adverse economics. Overpricing good risks would discourage good customers. Underpricing bad risks would attract bad customers. Discouraging the relatively good clients and attracting the relatively bad ones would result in adverse selection.
Risk processes include the identification, monitoring and control of risks. Risk models serve for measuring and quantifying risk, and provide the inputs for the management processes and decisions. To be effective, they should be implemented within a dedicated organizational framework that should be enterprise-wide.
All risk processes require that risk policies be properly defined and that the risk appetite of the firm be well defined. Within this framework, the common process for controlling risks is based on risk limits and risk delegations. Limits impose upper bounds on the potential loss of transactions, or of portfolios of transactions. Delegations serve to decentralize the risk decisions, within limits.
Limits aim to prevent adverse events, affecting a transaction or a portfolio of transactions, from impairing the credit standing of the firm. Banks need to segment their activities into meaningful portfolios, for example by business unit, product or type of clients. Limits of exposure are set for each segment and down to transactions, forming a hierarchy of limits and sublimits. For credit risk, limits are set by segment, then by counterparty and then by individual transaction. For market risk, limits can be set for specific books of trades, then desks and then trades.
Delegations are authorizations to act and take risks on behalf of the organization. Delegations decentralize and simplify the risk process by allowing local managers to make decisions without referring to the upper levels of the organization, within the scope of their delegations. For example, they simplify the risk process for transactions that are small enough to be dealt with by local procedures.
1.5.2.1 Credit Risk Limits and Delegations
Any limit system requires one or several measures of risk used for determining whether or not a transaction, or a portfolio of transactions, complies with limits. Various risk metrics are used for setting limits for credit risk. The amount at risk, or exposure, is a simple measure of the amount that could be lost in the event of a default of the borrower. Other metrics capture other dimensions of credit risk. For example, trades might be allowed only for eligible borrowers based on their credit quality. Or limits can apply to regulatory capital for credit risk, which combines various components of credit risk: exposure, loss after recoveries and credit quality.
Credit limit systems are based on common criteria, for example:
• Diversify the commitments across various dimensions such as customers, industries and regions.
• Avoid lending to any borrower an amount that would increase its debt beyond its borrowing capacity. The equity of the borrower sets up some reasonable limit to its debt given acceptable levels of debt/equity ratios and repayment ability.
• Set up a maximum risk level, for example defined by the credit standing of borrowers, above which lending is prohibited.
• Ensure a minimum diversification across counterparties and avoid concentrations of risk on a single borrower, an industry or a region.
To be comprehensive and consistent, the limit system has to be bank-wide. Global limit systems aggregate all risks on any single counterparty, no matter which business unit initiates the risk, across all transactions with the bank. Global limits are broken down into sublimits. Sublimits might exist even at the level of a single client. The total usage of sublimits should not exceed the global limit assigned to each counterparty or portfolio of transactions. Limit systems allow sublimits to sum up to more than the global limit because not all sublimits are fully used simultaneously, but the aggregated risk should comply with the global limit. For example, multiple currency facilities are convenient for clients because they allow raising funds in several currencies and as needed, but a client should not use more than its global limit. Utilizations are bounded by either sublimits or global limits, whichever is hit first.
Any excess limit has to be corrected by not entering into a new transaction or mitigating the risk with guarantees. Some limits might be hit while others are not. Banks' systems address the issue with excess limit reports showing which transaction hits which limit.
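The sublimit and global-limit rule and the excess limit report described above, as an added example that is not part of the original text. The counterparty name, the currency facilities and all amounts are constructed, and treating a facility without a sublimit as a breach is an assumption of this sketch.

```python
from dataclasses import dataclass, field

@dataclass
class Counterparty:
    name: str
    global_limit: int                          # cap on aggregated exposure
    sublimits: dict                            # facility -> sublimit
    usage: dict = field(default_factory=dict)  # facility -> amount drawn

    def total_usage(self):
        return sum(self.usage.values())

def headroom(cp, facility):
    """Amount still available: sublimit or global limit, whichever is hit first."""
    sub_room = cp.sublimits.get(facility, 0) - cp.usage.get(facility, 0)
    return max(0, min(sub_room, cp.global_limit - cp.total_usage()))

def check(cp, facility, amount):
    """Return (limit_type, limit_name, excess) for each limit the drawing would breach."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    if facility not in cp.sublimits:           # assumption: no sublimit means not authorized
        return [("no_sublimit", facility, amount)]
    breaches = []
    sub_excess = cp.usage.get(facility, 0) + amount - cp.sublimits[facility]
    if sub_excess > 0:
        breaches.append(("sublimit", facility, sub_excess))
    global_excess = cp.total_usage() + amount - cp.global_limit
    if global_excess > 0:
        breaches.append(("global", cp.name, global_excess))
    return breaches

def book(cp, facility, amount):
    """Book the drawing only if it breaches nothing; return the breaches found."""
    breaches = check(cp, facility, amount)
    if not breaches:
        cp.usage[facility] = cp.usage.get(facility, 0) + amount
    return breaches

def demo():
    # Constructed data: sublimits sum to 160, above the global limit of 100.
    cp = Counterparty("ACME", 100, {"USD": 60, "EUR": 60, "GBP": 40})
    report = []
    for facility, amount in [("USD", 50), ("EUR", 45), ("GBP", 10), ("USD", 15)]:
        report.append((facility, amount, book(cp, facility, amount)))
    return cp, report

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The third drawing stays within its own sublimit but is rejected on the global limit, and the fourth hits both limits at once, which is the case an excess limit report has to spell out per transaction.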
Credit approval processes vary across banks and across types of transaction. In retail banking, the process relies on procedures that need to accommodate a large volume of transactions. Time-consuming processes are not applicable for the retail portfolio because of the high number of transactions. Instead, credit scoring mechanisms and delegations are used, within the guidelines of the credit policy. In normal circumstances, the credit officer in charge of the clients of a branch is authorized to make decisions as long as they comply with the guidelines.
For large transactions, the process involves credit committees. Credit committees bring together the business line, the risk managers and the general management. The business line proposes new transactions, together with a risk analysis, and the committee reviews the deal. Committees examine significant credit applications in detail and need to reach a minimal agreement between members before authorizing a credit decision. The committee makes a yes/no decision, or might issue recommendations for altering the proposed transaction until it complies with risk standards. Collateral, third-party guarantees or contractual clauses mitigate the risk. The alternate process is through “signatures” whereby the transaction proposal is circulated and approval requires agreement between all credit officers. Whether signatures or committees are used for approval, risk officers remain accountable for the risk decisions and decisions are recorded, eventually with comments and recommendations of participating executives.
1.5.2.2 Market Risk and Trading Activities
For market risk, a common risk metric is the sensitivity of a position or of a portfolio of positions. Sensitivities measure the variations of values due to standard shocks on market parameters such as interest rates, foreign exchange rates or equity indexes. There is a variety of sensitivities depending on the type of products and on the risk factors that influence their values. Other risk metrics involve the capital charge for market risk, which embeds other elements of market risk, such as the market volatility and an assessment of the likelihood of losses of various magnitudes.
As the gains and losses in trading are market driven, a risk tolerance has to be defined for the business lines, the desks and the traders. A risk tolerance is an assessment of the maximum loss, for the business line or for desks, considered as acceptable, but which should not be exceeded.
The policies for trading should be comprehensively documented. Limits depend on expectations about market conditions, as formulated in market committees. Market instability might require tighter limits because the chances of large fluctuations are higher. A daily market committee formalizes the current market conditions. Trading desks operate within their limits. Limits are set for the various desks consistently with aggregate market risk. Traders comply with limits by hedging their risks, or unwinding their positions, eventually at a loss.
As risk regulations developed and standard practices for risk management spread across the industry, some common views on the organization of the risk management process emerged.
1.5.3.1 The Risk Department and the “Three Lines of Defense” Model
The three lines of defense model is a convenient scheme used for structuring the roles, responsibilities and accountabilities with respect to decision making, risk controlling and for achieving an effective risk governance bank-wide. It illustrates how controls, processes and methods are aligned throughout large organizations. The three lines of defense are:
• The lines of business.
•