This is a chapter from the Bloomsbury Professional book Managing Risk in Financial Firms 2nd Edition, which provides a detailed analysis of the types of risk that financial institutions may face and offers authoritative and comprehensive advice on putting in place measures to minimise exposure to risk. This book explains why there is significantly more to risk management than the now discredited VAR modelling techniques and describes a range of effective risk management methods to address various types of risk. It is essential reading for all those working within a financial institution who have no risk measurement expertise but who are inevitably involved in the risk management function of that institution. This reworked and revised second edition examines risks associated with the market and liquidity risk; risks arising from counterparties (including customer issues such as unfair contract terms and best execution); and risks which may be found closer to home, such as operational and legal and regulatory risk, including insolvency.
This chapter and the table of contents are FREE to view, as a sample of the book's contents. To view the other chapters, please subscribe to Books online.
Table of Contents
Much literature is devoted to the science of market risk measurement. 'Risk management' is sometimes regarded as a fancy name for measurement of market risk. This reflects the fact that market risk is (relatively) easy to model and therefore assumed to be easy to predict. Other risk events have, in many instances, lower probability than market risk events. Where data are scarce, modelling credit and operational risk has been more difficult. It is easy to focus on what you can do (because you are good at it) and put off what is more tricky. For regulatory and, increasingly, business reasons, risk measurement is no longer only about market risk. Standard thinking has been as follows. If you model your market risk badly, you are negligent and stand to lose your bonus/profits and your job. If you model your credit, liquidity or operational risks badly, you are reckless and stand to lose your whole company. But the market upheavals of 2007–08 showed that even a market risk event can be life-threatening: if the market is so illiquid that you cannot reverse out of a position, the normal-market-condition model is probably worthless, and the firm's losses are likely to pile up.
Some assessment of the probability of the risk event is needed, otherwise we would all be worried sick about the possibility of the moon crashing into the earth next week. Some risks may not need managing because they are too remote. The art of the risk manager is to identify those low-probability events which need to be managed, then he can turn his attention to how. Part of this process, whether for market and credit risks or lower probability risks, is sizing the risk.
Here is standard thinking. Measurement of market risk is easy. There are lots of data. Models can be formulated and tested against observable price movements. This means that models have become increasingly accurate and complex. Oh yes.
Models are glamorous, speak an esoteric language, and can earn lots of money, but they are not as clever as you would like them to be:
Complex accurate models are slow. A model is no use if all it can tell you is what you ought to have done but too late to act on it.
Models can become replacements for thoughtful risk management strategies. Risk management is more than complex algebra – the qualitative element may be more important than the quantitative element.
Models are only models, they are not real life. Markets may not behave as they 'should': traders are humans, not models. Markets were not designed by mathematicians.
Modelling jargon is useful as a succinct way of dealing with complex ideas. But it may be a mask for woolly thinking. A modeller who cannot explain his model in layman's terms to management is as much of a risk as a trader without a position limit.
Never use a model unless you know why you are using it, what its limitations are, and what assumptions were made in developing the model. (Common assumptions underlying value-at-risk (VaR) models are given later in this section.) Things to watch out for include:
The predictions of models are expressed with a confidence interval: that is, that the modeller is satisfied that there is a 95% chance (or whatever confidence threshold is chosen) that the prices will move within a particular range.
The predictions of models are based on previous market data. Small samples in: garbage out. Irrelevant data in: garbage out. Low-volatility data in: low volatility prediction out.
Markets do not follow Normal distributions. Price rises do not occur to the same degree in opposite conditions to price falls. Extreme deviations from the average are more prevalent than predicted by Normal distributions (the tails of the bell-shaped curve are fatter than expected – see diagram below). Complex models can factor in these oddities, sometimes at the cost of other simplifications; simpler models may not.
Fat tails are not well understood, even though they are often written about. They are not the only way in which models may mislead. The deviations which are unusual and unexpected will be unpublicised; but they may cause the worst losses. These risks may be unsuitable for everyday VaR modelling and may need a different approach to control.
What is the objective of your model? Is it intended to tell you what (on reasonable assumptions) you might lose if markets move within expected parameters, or is it intended to cater for market shocks? Regulators, concerned with systemic risk, may expect models to do the latter; institutions, concerned with profits, may find the former more beneficial. Regulatory requirements do not necessarily imply best practice.
VaR modelling has come in for more critical examination since the market shocks at the end of the 1990s: models did not predict the Russian debt crisis or the Asian market collapse. They were equally useless in the crisis of 2007–08. But they were not designed to do that. Extreme market turmoils are unlikely to be covered by VaR models, which work efficiently in everyday situations. Even after you devise the best model imaginable, it cannot predict what kind of market crunch is going to occur or when. You cannot expect your model to predict things which even leading economists disagree about. An approach devised for operational risks is going to be more appropriate than reliance on a VaR model for these kinds of event. It is the role of senior management to provide the sort of reality check which allows for unmodellable factors to come into the equation. This is the objective of scenario analysis (see later in this section).
Contrary to expectations, VaR modelling does not tell you how much you stand to lose. What it tells you is the probability that you might lose a certain amount; and even then the measure of probability depends on the assumptions made and the reliability of the model.
Normal distributions and fat tails
OK, this is the maths diagram. But you can't visualise a fat tail without a picture. What the graph shows is the likelihood of the investment having a particular price. High probability, near the top of the chart, means the price is very likely to be around this figure. Probability theory suggests that prices are 'normally' distributed around the mean (average) price. Real life on the trading floor tells you that an unexpectedly large number of prices are 'too far' from the mean – they don't fit the theorists' predictions. The 'fat tails' are the tail ends of the 'observed distribution' graph. So, if the risk appetite of the firm is to risk only a certain fall in price, relying on the theorists could lead to an underestimate of the chances of such a loss.
Historical data allow you to make predictions. Within limits, past behaviour of prices allows for prediction about future behaviour. If prices behave in statistically sensible ways, then a statistical (parametric) model can be built. Statistics are based on probability. The model can then tell you what the likely deviation from today's price might be: in a given time frame, it is much more likely that the price will move to something close to today's price than a long way from it. A movement in prices to a level miles away from today's prices is so improbable that we can ignore it. Anything with less than 5% likelihood (say) is too improbable to be worth worrying about.
The starting point for using a VaR model is to work out this 'confidence interval' – the level of improbability which you are going to disregard. It is inherent in VaR modelling that you disregard extreme price movements. (And, of course, because it is known that the behaviour of markets in these extreme cases disobeys the predictions of models, there is a particular risk in relying too heavily on models, rather than scenario analysis, when thinking about anything other than everyday movements in markets.)
Where this gets you is that the VaR model tells you the price deviation corresponding to 5% probability, ie the chances are 5% that you could lose that much money or even more. VaR modelling does not tell you the cap on your potential losses. With some kinds of instrument, such as options written by the firm, there may be no cap at all, short of the firm's capital.
All models rely on assumptions about how prices might move. Some of the more important ones may include:
The variable which is being modelled is Normally distributed about the mean (average) of the variable, ie the chances of a price being far away from the average of the sample on which you are basing your forecasts fall away as on the bell-shaped graph (see above).
The mean and standard deviation (breadth of the bell-shape; variance is the square of the standard deviation) remain constant over time, ie that prices, over time, do not tend to go up or down, and that volatility does not vary either. Or it may be assumed that these things vary in a particular way, eg according to another variable which is itself Normally distributed.
A variable's change over time is proportional to the square root of the time expired.
Variables move about in a 'random walk', ie they behave like molecules in a gas, bouncing off each other in an unpredictable way, so that tomorrow's price movement is wholly unrelated to today's. This assumption is central to the Black-Scholes option pricing theory and to the GARCH approach to modelling of volatility.
Gaps in the data which form the basis of the model or slowness may be overcome using interpolations, approximations and shortcuts.
How you extrapolate from the historical data to soothsay about the future is the clever bit. This book is not written by mathematicians and it does not try to explain how models are engineered. But a few pointers can help the non-specialist influence the way the assumptions shape the model:
Does the model rely on the variance-covariance technique? This assumes that the risk is captured by the variance (deviation from average price movement) of the sample. Each factor which influences price will have a variability. Some models (putting it crudely) tot up the variances. Some factors can be assumed to move in tandem rather than independently, so their covariance can be plugged into the model. But assumptions about correlations can break down – for example, as to the relationship between equity prices and bond prices during the Asian market turmoil of 1997–98.
Does the model rely on historical simulation? This technique tries to eliminate the risk of fat tails or other prediction errors which creep in by assuming price movements vary Normally. Instead, the recent past is assumed to be the best guide to the future. But often that is just as misleading – for example, where prices are subject to annual peaks and troughs; eliminating these by scaling down or scaling up the size of the sample introduces other oddities into the results.
What is the observation period? This is the period over which data are gathered with a view to finding the pattern from which future market prices are to be predicted. The difficulties of this are obvious, particularly when volatility has changed suddenly.
What is the theoretical basis for the model? The temptation to squeeze a variable into a Normal distribution (by using a logarithm of a Normal distribution or some other mathematical massage) is overwhelming, because statisticians know how Normally distributed variables behave and therefore they can make predictions. A statistician who cannot make predictions is not earning his salary and therefore needs to do this. But there can be an exercise in blind faith here: there may be no theoretical justification for the mathematical processing which enables the Normal curve to be fitted to the data. How well the equation fits the graph of real data, and that alone, may be what justifies it.
How were fat tails dealt with? Various mathematical devices can be used to squash the shape of the Normal distribution curve to make its tails fatter. But how realistic are these? Squashing curves is discredited as a way of tackling extreme movements in disturbed markets. There are fewer data on the unusual events which cause these extremes of price movement, so the reliability of modelling is reduced. Some statistical techniques completely eliminate 'outliers' as freaks, so as to preserve the purity of the model; this approach may in ordinary circumstances be more appropriate than trying to include them.
Does the model apply in the market it is being used to measure? It is tempting to use a model which works well to capture market risk in one market to address risks in similar instruments in a different market, or different instruments in the same market, but the model may not be effective to do this; on the other hand, it may be better than nothing.
Does the model capture specific risk? Specific risk is the element of price change which is determined by factors peculiar to the issuer of the instrument: a bond issued by company X will be priced differently from one issued by company Y because they carry different default risks.
How has the holding period been determined? The amount of money you might lose depends not just on the volatility of the market or where you are when you decided to close out your position, but on the length of time before you can actually close the position out. This interval is called the holding period. Its length depends on the liquidity of the market. And holding periods differ according to the type of instrument. One of the dangers of reliance on models for anything other than everyday market conditions is that liquidity in anything except rock-solid developed-world Government debt can evaporate in times of market stress, lengthening real holding periods. See further section 9.5 for special considerations which arise when determining the holding period for collateral.
Were close-out costs taken into account? In illiquid markets, bid-offer spreads widen. Depending on the purpose for which the model has been constructed, it may be appropriate to build in conservative assumptions.
How was the model validated? Back-testing is usually used to validate a model: what did the model predict, and how did it measure up against what actually happened? Systematic errors can creep into how back-testing is done, in the same way as they creep into the data that are used to shape the model in the first place.
Here is some good sense from the Institute of International Finance:
'In some firms more than others, there seems to be a need for the risk-control/risk-management function to be more transparent about the limitations of risk metrics and models that are used in the firm. Metrics, much less internal or external ratings, should never be the end of risk-management thinking. Models are powerful tools but necessarily involve simplifications and must be approached critically. Expert judgment and critical analysis are always needed, and the metrics, models and ratings themselves should not be allowed to become ends in themselves or obstacles to risk-identification. Similarly, hedges should not be taken at face value without disciplined examination of which risks can be hedged and consideration of how hedges would perform in stressed conditions.'
Regulators now accept that models are useful predictors of losses and will allow models to be used by firms in calculating their capital adequacy ratios.
But regulators have also required that the predictions of value at risk computed by models be multiplied up (by a factor of three) for this purpose. The Basel Committee has put forward the following explanation for the multiplication factor. The factor is to compensate for weaknesses in the modelling process. Identified weaknesses are: fat tails; the inadequacy of the past as a guide to the future; models which do not take account of intraday risk; failure to capture 'event risk' arising from exceptional market conditions; and simplifying assumptions. While describing these concerns as 'prudential', at least two of the factors suggest that the Committee was worried about exceptional market movements. What happens outside the confidence limits really concerns regulators – this is because this is where the systemic risks lie. Many institutions would not expect their models to capture these risks and would regard the multiplier as a crude and unreliable way of catering for them.
Detailed regulatory requirements for models apply where firms wish to calculate capital requirements for position risk, foreign exchange risk and commodities risk (each a species of market risk) using their own internal models, if recognised by their regulator. Capital can then be calculated on the basis of the higher of the previous day's value-at-risk and the average of the previous 60 days' value-at-risk.
There are also rules about management of risk within an institution, including audit and policy, which must be complied with. Modelling can also be used for the specific (issuer) risk component of market risk associated with traded debt and equity positions.
Bank's risk management system to be conceptually sound and implemented with integrity
Bank has sufficient staff skilled in models in trading, risk, audit and back office
Models have, in the regulator's view, a proven track record of reasonable accuracy in measuring risk
Bank to conduct regular stress tests.
Risk control unit
Back-testing programme and ongoing validation of the model
GUMP (see section 1.1)
Independent review – an annual MoT test covering 12 factors
Specific factors for interest rates, FX, equities, and commodities.
VaR to be calculated daily with a 99% one-tailed confidence interval, 10-day holding period, 1-year historical observation period, 3-monthly dataset updates
Freedom of choice of model theory and to recognise correlations
Specific rules on options.
Quantitative and qualitative, and to cover a range of factors which make control of risks difficult, including liquidity disturbance
Scenarios requiring simulation and not requiring simulation
Development of stress tests identified as 'the most adverse based on the characteristics of the portfolio'
Review by management and reflection in policies and limits.
The 'Greeks' are shorthand words used to describe (and model) influences on the price of options. Every option is a derivative of an underlying asset: for example, a call option on a bond is a derivative of that bond. The 'analogy' column is strictly for lawyers and others who have fear of maths. It is far from accurate, and the different analogies do not fit tightly together. It will make all option traders scream – so don't take it too seriously!
Name |
Factor measured |
Description |
Analogy |
|---|---|---|---|
Delta |
Sensitivity of price of option to change in price of underlying asset. |
Change in price of option per unit change in price of underlying: eg $100 increase in option price for every $1 increase in underlying bond price. Delta provides only a snapshot of how an option price is moving. Delta is affected by changes in the price of the underlying, volatility, time to expiry of the option, etc. |
Delta is like the distance travelled by a can rolling about on the floor of a train. With a nice constant speed the can and a train cover ground at the same rate. Delta shows you a snapshot of the movement of the can relative to the train. To plan where the can ends up you need to know how it will move throughout the trip, not just take a snapshot. |
Gamma |
Sensitivity of delta to change in price of underlying asset. |
Change in delta per unit change in price of underlying. Gamma measures fluctuation in likelihood of exercise of an option. If today the option is out of the money, the likelihood is low, if it is in the money, it is high; but market conditions will change. Gamma captures the expected volatility of the market. |
Gamma shows the effect on the can of the accelerator and brake of the train. If the driver hits the accelerator or the brake, the can moves about a lot relative to the train, ie the delta will rise (the option price will become more sensitive to changes in the price of the underlying). An option is more likely to be exercised if the market becomes more uncertain. |
Vega |
Sensitivity of price of option to change in volatility. |
Volatility is another description for the width of the bell-shaped curve which suggests how far the price might move away from the observed average. The higher the volatility the greater the value of the option. Vega decreases if the strike price and the price of the underlying are far apart; also if the expiry date of the option is near. |
Vega is like the railway's placement of seats in the carriage. The more obstacles there are, the more likely it is that big changes in the can's positions will be constrained during the journey, regardless of big swings in the train's speed. In other words, vega is measuring change in volatility relative to the price of the underlying. |
Beta |
Correlation of volatility of asset price to that of general class of assets to which it belongs. |
Beta measures idiosyncrasy of the particular option relative to the market average. If an option is more volatile than the market generally, beta >I; if less than the market, beta <I. |
Beta is like what makes a beer can different from soft-drink cans. |
Theta |
Sensitivity of price of option to decrease in time left to expiry. |
Theta shows the time decay of the option price: the effect on price of getting another day closer to the expiry date. As the expiry date approaches, theta falls. If theta is positive then gamma is usually negative. |
Theta tells you how the can's movement changes over time. Will the can get to the other end of the carriage before the journey ends? Is it going fast enough? As the train slows right down it gets less and less likely. |
VaR is best suited to 'ordinary' market conditions, where variables change within fairly usual limits. But firms need to be able to manage the rarer events, when markets move dramatically. Stress testing and scenario analysis are designed to provide information about these types of event. Stress testing is more quantitative than scenario analysis, but both involve analysis of 'what-if' imagined scenarios.
This kind of test can allow a firm to predict how much is at risk as a result of certain kinds of market shock. Movements in particular market variables – eg an increase in UK interest rates of 2% – are used as the basis for revaluing the firm's positions. This enables potential losses or gains to be assessed. The difficulties with stress testing include: identifying the firm's particular sensitivities; choosing the appropriate stresses to work through; working out what assumptions have been made in the revaluation exercise (eg as to liquidity of markets or correlation of variables); and knowing what to do with the results. Often, actual market movements (eg the exit of sterling from the European exchange-rate mechanism) are used as the scenarios for stress testing.
Scenario analysis does not really allow a quantitative approach but is intended to ensure that a creative approach to shocks is developed in the firm. What would be the consequences of a major political, geological or economic event? What about operational disasters? Which markets would it affect and how? What steps could be taken now, or after the event, to minimise its impact?
Extreme value theory is one possibility for dealing with the unusual. Its development lies outside the world of finance: it has been used primarily for dealing with environmental problems, like exceptionally high tides. In relation to financial risk management, it may help to deal with the amount at risk as a result of rare risk events. Extreme value theory allows the modeller to form some sort of idea as to the amount at risk from rare scenarios. For example, there is a certain fall in the stock market which should be exceeded on average only once every x number of years. Previous years' data can be used to enable the modeller to predict this. Because of the need for historical data, only certain kinds of low probability event can be modelled in this way. These numbers may be useful to feed into stress testing. It has been of little use for the 2007–08 financial crisis.
Stress testing is not somehow going to make your normal-distribution bell-curve fit unexpected market turbulence. But it could be a useful tool to help prepare for a hurricane.
Industry guidance includes some useful pointers:
Don't use it mechanically but as a stimulus for creative thinking about handling unusual conditions.
There is no one-size-fits-all approach.
Historical scenario analysis is of some use but does not predict the future. History does not repeat itself, either as tragedy or farce.
Don't do it in silos. What happens in one business area infects and feeds on what happens in others.
Use the output to make business choices, not to tick a regulatory or management box.
Expert judgment is even more important than the data spelled out by numerical analysis.
Credit risk comes in various shapes and sizes. The measurement technique to use depends on the source of the credit risk. Where there is a relatively homogeneous pool of debt, there may be a large enough number of debtors to eradicate the classic problem of credit risk modelling: low probability risk event x serious consequence of risk event if it happens. The difficulties referred to in the list above would not normally arise in such cases. Other portfolios of credit risks do not enjoy this luxury.
With the advent of credit-risk-based measures for determining capital adequacy of banks, there is a real incentive for banks to move to an 'IRB approach' to measurement of credit risk, at least where their lending business has sufficient volume to support an application to the regulator for permission to calculate capital in this way. See section 3.10 if you need details of the variables which must be calculated in order to achieve a 'counterparty risk weight' for capital adequacy purposes; if you don't need the detail, it is probably enough to know that, like market risk modelling, you need a ton of historical data, and a sceptical attitude to the value of modelling. What is also important is to know that the regulator does not allow banks to devise their own models: the Basel Committee sets the formula which models the credit risk of the bank's loans, and all the bank does is plug in its historical data.
Furthermore, the Basel Committee urges banks to stress-test the output, as a condition of eligibility to use the IRB approach:
'An IRB bank must have in place sound stress testing processes for use in the assessment of capital adequacy. Stress testing must involve identifying possible events or future changes in economic conditions that could have unfavourable effects on a bank's credit exposures and assessment of the bank's ability to withstand such changes. Examples of scenarios that could be used are (i) economic or industry downturns; (ii) market-risk events; and (iii) liquidity conditions.'
In addition, says the Basel II paper, the bank must perform a stress test to assess the effect of mild recession scenarios. In this case, one example might be to use two consecutive quarters of zero growth to assess the effect on the bank's PDs, LGDs and EADs. Banks may also have to consider the impact of a deterioration in the credit quality of credit risk protection providers, in particular the impact of protection providers falling outside the eligibility criteria due to rating downgrades. For more on stress-testing in a credit-risk context, see section 5.6 (Pillar 2 guidance).
So, credit risk measurement is fashionable and sexy, as you would expect for a model. But the IRB world in which the models move is a limited environment, whereas credit risks are at the heart of all parts of financial sector activity. A firm which is looking roundly at its credit risks will need to consider how to measure and monitor its exposures across all sectors, not just retail and commercial lending.
In times gone by, one question has been whether, rather than how, to measure credit risk. For example, foreign exchange settlement risk has historically not been measured, because banks were not aware that there was a significant credit exposure worth measuring. Whether you classify this as an operational risk issue (failure to identify significant risks) or a credit risk issue is up to you. But firms will often find that there are unmeasured (and uncontrolled) credit risks in ordinary trading relationships – for example, in a simple securities business where the customer's order will not be settled for several days and the firm is left taking the market risk on the securities ordered if the customer fails to pay. Another example: the Basel Committee considers that regulators should monitor intra-group transactions and credit exposures.
Type of credit risk |
Features |
Measurement? |
Loan made |
On balance sheet Pre-loan due diligence may have revealed credit risk information Account relationship managers may be unaware of this information |
Probability of default Amount at risk in event of default (effect of security and other credit enhancements or subordination) |
Guarantee given |
Contingent |
Probability of call Amount at risk in event of call (recourse to principal or collateral) |
Bond bought |
On balance sheet |
Model? |
Default of derivative counterparty |
Pre-settlement v settlement risk |
Pre-settlement risk: model amount, but not counterparty-specific aspects Settlement risk: as loans, but see Basel Committee guidance issued in July 1999 |
For derivatives, a number of factors affect the measure of credit risk. The easiest to model is the amount of pre-settlement exposure. If the counterparty defaults today, assuming that the contractual arrangements with the counterparty allow for immediate close-out of the position, the credit exposure is the amount by which the position is in-the-money plus the amount by which the position might move further into the money by the time it is replaced. Then there is 'potential future credit exposure' which is how this number might change between today and the actual default date. The potential future credit exposure can be modelled using market risk modelling methods. But this is only the 'relatively easy part' of the modelling process discussed below: it only tells you (with all the usual caveats about market risk modelling) how likely it is that you will be running a large credit risk at a certain date.
Derivatives exposures may be subject to a margining arrangement which alters this profile, by bringing in-the-money positions up to the money every so often. Margining arrangements may give a false sense of security because it may be assumed that they work efficiently – the vagaries of collateral valuation, settlement risk, and the delay since the last occasion of marking-to-market may all need to be factored in before the real credit exposure can be worked out.
New software products are available which model credit risk in similar fashion to VaR models for market risk. Old-fashioned bankers are sceptical about these models, because they tend to be portfolio-based: bankers know that a true assessment of a customer's credit involves intimate knowledge of the customer's affairs, coupled with a business judgment about the customer's ability to sidestep the common pitfalls of commercial life. The similarity of credit risk models to market risk models shows where the weaknesses may lie:
they are based on historical default probabilities of debtors;
models developed by investment banks are likely to be more suitable for investment banks than for other types of financial institution;
probability data are only available for certain kinds of debt instrument which are traded in sufficient volumes for a databank to be built – basing forecasts on a databank which has too broad a range of credits in it can be just as unreliable as one which has too little data;
much credit exposure is on other sorts of instrument;
traded debt π syndicated loans π unsyndicated loans π securitisable retail debt π wholesale counterparty risk;
default data may be scarce, information on recovery rates even more so – banks in general did not historically collect information on which statistical analyses can be run outside certain business areas;
applying a risk weighting to a debt issuer may depend on the issuer's publicly reported financial data – which may be out of date and subject to distortions;
holding periods have to be very long to reflect recovery times – with credit risk, the holding period is the period from default to recovery rather than default to close-out of a position; debt is illiquid, so recovery may not be achievable through sale;
observation periods have to be even longer to reflect economic cycles;
general economic data (such as trends in real estate prices) may be underweighted in importance relative to the type or concentration of exposure in an individual institution's credit portfolio;
lack of liquidity in the debt actually held may invalidate assumptions on which the model is based;
backtesting, and thus model validation, may be much more difficult.
In all credit risk, some sort of estimate of the default and recovery rate of each credit in the portfolio needs to be made. And then an estimate of how this might change over time: this involves predictions about volatility (upgrades, downgrades and default). And, of course, you need to know the sizes of the exposures (that should be the relatively easy part). And then you need to make the assumption that any given credit in the portfolio will not behave differently from expectations, except in accordance with a known statistical pattern such as a Normal distribution. Some credit exposures are contingent in nature, for example undrawn loan facilities: they need to be factored in. To do all this may necessitate assumptions which are peculiar to credit-risk modelling: that senior and junior debt issues behave similarly; that recovery rates are statistically distributed; that the holding period is one year; that credit behaves like an option to repay granted by the creditor to the debtor, and can be modelled in that way; that there is a correlation between likelihood of drawdown of loans and weakness of credits in the portfolio. Added to this are the modeller's bugbears: in particular, credit distributions do not match the shape of the Normal distribution curve (they tend to be skewed and to have fat tails), and they can only be modelled empirically by statistical sampling.
Perhaps more fundamental is the modellers' approach to credit risk events. You can choose between the following approaches:
a credit risk event is a change in market value of the debt;
a credit risk event is a default;
credit risk events are pre-ordained by economics, so they will be correlated with certain factors (eg increase in price of fuel will affect solvency of airlines);
credit risk events are the result of mismanagement by the debtor, which is essentially random once management has convinced the firm's credit committee of its soundness.
Notwithstanding the difficulties, a credit risk model may still be suitable, eg to provide a more realistic assessment of the risk/potential return of a portfolio than the crude approach of regulatory capital risk-weightings. But it depends on the nature of the institution's business. A bank which is primarily involved in trade finance or commercial lending secured on property will have different credit-assessment needs from an investment house which is primarily exposed in the bond markets.
Under Basel II, the significance of credit rating agencies' assessment of credit risk has increased hugely. Now banks can determine their regulatory capital requirements by relying on the agencies' rating rather than a crude look-up table based only on borrower type.
Standard & Poor's issues credit ratings which reflect S&P's current opinion of the creditworthiness of the obligor with regard to a specific obligation, taking into account credit enhancement and currency (eg where the obligor has assumed an obligation in a foreign currency). Debts are divided into long- and short-term categories with different rating scales. There are three areas – insurance, bank loan and recovery, and the subprime mortgage market.
Ratings are based on:
likelihood of payment in accordance with the terms of the obligation;
nature and provisions of the obligation;
robustness of the obligation in bankruptcy or reorganisation of the obligor;
market prices;
transferability of the underlying debt and the security granted on the underlying debt.
Ratings are expressed in terms of risk of default; they pertain to senior obligations; junior obligations will be rated lower to reflect reduced ranking of the debt on insolvency, and may thus not conform to the strict descriptions otherwise applicable to the rating. The ratings set out below are long-term ratings; ratings below 'BBB' suggest a speculative investment:
AAA |
extremely strong capacity to meet financial commitment |
AA |
very strong capacity to meet financial commitment |
A |
strong capacity to meet financial commitment, but somewhat susceptible to adverse effects of changes in circumstances and economic conditions |
BBB |
adverse economic conditions or changing circumstances more likely to lead to weakened capacity to meet financial commitment |
BB |
major ongoing uncertainties or exposure to adverse business, financial or economic conditions which could lead to inadequate capacity to meet financial commitment |
B |
adverse business, financial or economic conditions are likely to impair capacity to meet financial commitment |
CCC |
in the event of adverse business, financial or economic conditions, obligor not likely to have capacity to meet financial commitment |
CC |
highly vulnerable to non-payment |
C |
bankruptcy petition has been filed or similar action taken, but payments continue to be made on the obligation |
D |
obligation is in payment default |
+ or - |
reflects relative standing within these categories |
r |
reflects significant non-credit aspect of obligation (eg equity-linked instrument) |
credit watch |
rating may be raised or lowered, if the credit watch designation is positive or negative respectively; or raised, lowered or affirmed if it is developing |
Bank Loan Ratings (BLRs) aim to capture the specific credit risk mitigants (security, covenants, etc) negotiated in favour of holders of senior bank debt. They are shown as a variation on the basic unsecured corporate credit rating (CCR):
Bank Loan Rating (notching vs corporate credit rating) |
Recovery Rating Scale |
Analytical Description |
Recovery Expectation |
CCR + 3 notches |
1+ |
Highest expectation of full recovery of principal |
100% of principal |
CCR + 1 or 2 notches |
1 |
High expectation of full recovery of principal |
100% of principal |
BLR = CCR (un-notched) |
2 |
Substantial recovery of principal |
80–100% of principal |
BLR = CCR (un-notched) |
3 |
Meaningful recovery of principal |
50–80% of principal |
BLR = CCR (un-notched) |
4 |
Marginal recovery of principal |
25–50% of principal |
BLR = CCR (un-notched) |
5 |
Negligible recovery of principal |
0–25% of principal |
Given the importance of the role that rating agencies play, it is not surprising that there have been calls for them to be regulated. But the need for regulation is seated more deeply: even sophisticated investors are under-informed about what rating agencies do, how they do it, what the significance of a rating might be, and what pressures the agencies might face. These uncertainties have led to over-reliance on ratings in inappropriate circumstances, and are being blamed as a contributory factor to the market turmoil of 2007.
The primary regulatory document is an IOSCO Code of Conduct, which is non-binding, but to which all agencies will have to adhere if they wish to enable banks to use their ratings for regulatory capital purposes. This document contains guidance on the rigour of the rating process, conflicts of interest between the rating agency and its client (who is usually the person whose credit is being rated), and transparency and timeliness of ratings disclosure.
What's in a rating?
A credit rating is a guide to whether the borrower will repay on time. True
A credit rating is a guide to whether the borrower will repay in full when due. True
A fall in a credit rating can worsen the borrower's financial standing. True
A credit rating does not factor in liquidity or volatility. True
By indicating that the borrower will repay in full, on time, a high credit rating is an assurance of long-term stability of the rating as well as the debt. False
Rating agencies are obliged to review ratings rapidly in troubled market conditions. False
A credit rating is a useful proxy for asset quality. False
A credit rating is similar to a research recommendation. False
A high credit rating is a guarantee of saleability. False
A published credit rating is a reflection of current credit status. False
Rating agencies independently check all the data they are given by their clients. False
Rating agencies have special processes which avoid model risk. False
Since the credit crunch, rating agencies have come under greater regulation and are no longer seen as entirely reliable. Self-regulation was no longer seen as satisfactory. For example, both rating agencies and banks ignored official warnings by the UK Treasury in early 2007 that credit market conditions were deteriorating. Rating agencies can be criticised for allowing ratings to plummet without warning, for inadequate transparency as to the limitations on the ratings, for over-reliance on assumptions about the quality of assets underpinning the ratings of asset-backed securities, and for having unclear methodologies. Part of the problem is that 'obtaining a AAA rating' drives the structuring of an asset-backed security, so the rating agency's role has become closer to being an advisor to the transaction than a judge of a finished product. But investors should know many of these things and should not themselves rely on ratings as a substitute for thought in making an investment decision. The biggest mistake investors made at the beginning of the market turmoil was to assume that there would always be a liquid market for AAA-rated securities; when confidence in the underlying assets fell, the market disappeared, and even if the rating was still valid the securities became unsaleable.
Obligations other than mere payment obligations may need to be sized into credit risk calculations. Some obligations assumed by counterparties are performance, rather than payment, obligations. For example, the counterparty may be obliged to deliver particular securities or to build a piece of computer software. If a counterparty fails to perform on time or at all, the non-defaulting party has been put into a similar position to a payment default, except that there is the added factor of managing the need to replace the missing property or service. Provided that there is an alternative source of supply (ie provided the liquidity risk can be managed), the problem is a combined credit and future market risk problem: so long as the credit support is sufficient to allow purchase of a replacement product, the default can be contained. Where the market is illiquid (or the exposure is long term and there is a risk that illiquidity might develop), credit support may have to be increased to cater for the extra risk.
If the problem of 'low probability risk event ∞ serious consequence of risk event if it happens' is bad for credit risk, it is virtually insuperable for many operational risks. This makes people think that operational risk is a fool's errand.
Another difficulty of 'operational risk' is the diversity of sources of risk. Arguably, measurement of operational risk is a pointless exercise: if you are unaware of the risk, you won't know it needs measuring; if you are aware of it, you should be controlling it. The Basel Committee described methods for measuring operational risks in September 1998 as 'relatively simple and experimental, although a few banks seem to have made considerable progress in developing more advanced techniques for allocating capital with regard to operational risk'.
By February 2003, things were not much better: 'some firms have begun to quantify their exposure to operational risk … for example, data on a bank's historical loss experience could provide meaningful information for assessing the bank's exposure to operational risk'. The truth here is that operational risk measurement is in its infancy, and the quantitative techniques being developed by banks are unproven.
Yet we hear received wisdom such as this, quoted from an author writing in Risk magazine in August 1998: 'One thing about risk that has not changed is the importance of recognising and measuring it [fair enough]; it remains true that you can only manage what you can measure' [arrant nonsense]. This is just one quotation from a forest of similar views. Of course you can manage risks you cannot measure; much of the chapter in this book on operational risk control is about management of unquantifiable operational risks.
Received wisdom is based on these factors:
Risk measurement is sometimes regarded as equal to risk management, particularly where market risk is concerned.
Traditional software solutions do not work for many types of operational risk, so software suppliers are tempted to say there is no solution.
Risk factors are frequently internal: measurement is measurement of the effectiveness of a firm's controls. As controls vary between firms, there is no sensible universal model for quantification of the residual risks.
Enlightened risk managers regard measurement as a useful tool but one which, when unavailable, has to be replaced with others. Data gathering (risk measurement by another name) is just as important for management of operational risk as for other types of risk:
You need to be able to assess which risks to manage, which involves information gathering, if not the statistical analysis of historical events typical of a VaR approach to risk measurement.
To do this, you need to be aware of the risk and to form a judgment as to its degree of seriousness (probability as well as impact of risk events); and, for this, accurate data on the risks and the control structures to be put in place are a crucial part of the risk management process.
Firms typically list risk factors which contribute to or reduce operational risk, such as volume, complexity, error rate, gross profitability, and try to score risk in each business segment.
Some operational risks are rare in occurrence, so that no statistically reliable data are available: exposures, for example, to concealed frauds of rogue traders; the dangers of participating in settlement systems; or the risk of IT systems failure. How can these be measured so the firm knows whether it is devoting sufficient (or excessive) resources to it?
Various methods rely on historical data to ascribe some sort of number to operational risk. For example, if the known influences of market and credit risk can be stripped out mathematically from fluctuations in a business area's income, what volatility in that income remains is presumably attributable to operational matters. Such an approach may not, however, tell you much about the sources of risk, or enable appropriate risk-mitigating behaviour to develop. An alternative approach is to identify a list of potential sources of risk, to rank them in terms of business impact if there were to be a risk event, and to try to put probabilities on them. The exercise itself probably identifies a number of control and other weaknesses in the firm's risk management system, so even if the end-product is some rather arbitrary numbers there may be some benefits.
Basel II requires banks to hold capital against operational risk losses. Sophisticated banks, which can gather sufficient data to predict their 'expected losses', are allowed to develop models to do this under the Advanced Measurement Approach (AMA), and to determine their capital adequacy accordingly. Penal consequences (in terms of capital hikes) flow if the model lets the bank down and there are unexpected operational risk losses.
So how does the AMA work in a typical bank? First, let's not get too excited. Few banks are doing this – the methodology is too young and too expensive, and many banks prefer just to take the charge which the simpler approaches described in section 3.10 ordain – their economic capital may be big enough to allow this without causing problems.
But some are using AMA. Essentially, the bank will use various 'key risk indicators' (KRIs) – such as failure of the computers to fire up on Monday mornings, or the level of payments being made in response to credit-card fraud – as measurable proxies for operational risk. The KRIs are used as the input into the model which generates the prediction of expected losses. The model itself has to qualify under regulatory standards, and the following list describes the criteria:
1. A bank's operational risk measure must meet a soundness standard comparable to the one year holding period and 99.9% confidence interval standard applicable to credit risk models.
2. The system must be consistent with the scope of operational risk as defined in the Basel definition and the loss event types set out in section 6.2.
3. The regulatory capital requirement is the sum of expected loss (EL) and unexpected loss (UL), unless the bank can demonstrate that it is capturing EL in its internal business practices.
4. A bank's risk measurement system must be sufficiently granular to capture the major drivers of operational risk affecting the shape of the tail of the loss estimates.
5. Risk measures for different operational risk estimates must be added. Internally determined correlations may be acceptable, subject to additional criteria.
6. Internal data, external data, scenario analysis and business environment/internal control factors must be used. In particular:
– Internally generated operational risk measures must be based on a minimum five-year observation period of internal loss data (except when a bank first moves to the AMA, when a three-year window is acceptable).
– The bank must have objective criteria for allocating losses to specific business lines and event types.
– Excluded activities and exposures have to be justified.
– A de minimis (EUR 10,000 is suggested) threshold is required for small losses which are to be ignored.
– Qualitative information about the cause of the loss must be captured.
– Operational risk losses associated with credit risk (eg collateral management failures) count as credit risk for capital purposes but must be recorded as operational risk.
– Scenario analysis should be used to assess the impact of deviations from correlation assumptions, and the assessments validated over time by comparison with actual loss experience.
Some firms have developed data-sets which enable them to attempt full-scale quantification exercises for particular types of risk. The approach works for risks where there are reasonably high-frequency risk events (such as processing error), so that data can be gathered and extrapolated from. Risk of loss estimations can be made actuarially in much the same way that an insurer evaluates the premium on fire or motor insurance policies. Gathering this sort of data could be a very useful exercise in identifying current control weaknesses.
But beware over-reliance on statistical methods of measuring operational risks:
Data-sets bought in from other institutions will be unreliable, because the frequency of operational risk events is directly related to the effectiveness of that institution's controls (or rather the absence of them). Industry averages may be helpful but they are rough guides only.
Data-sets from a single institution are unlikely to be large enough to be statistically significant. To obtain enough data, you probably have to go back over many years – can you be sure that the data-capture is good enough, and that the same thing has been measured over the whole sample period (eg that controls did not change)?
Few (if any) operational risks are sufficiently frequent to be susceptible to this quasi-statistical approach.
Choosing which parameters to quantify and correlate is almost as hard as getting reliable data-sets.
Insurance premiums can be a useful guide. Insurance companies can measure some operational risks much better than individual firms, because they see the effects of risk events over a large number of institutions and can therefore aggregate data and calculate probabilities more realistically. Individual institutions, unless they are very large and have very good data capture facilities, are unlikely to be able to do so. Large institutions may prefer to self-insure (ie not insure at all) against some operational risks. Note some of the drawbacks:
added bureaucracy in gathering information internally about risk events and losses: without data capture, you cannot be said to be 'managing' the risk at all, and no effective control strategy can be devised;
staff reluctance to discuss operational failings may be less apparent where some outsider appears to pick up the bill – reporting to an outsider may be perceived by individuals to be less damaging;
insurance premiums may be priced arbitrarily or competitively, and outside insurance may therefore be cheaper for some risks or across a portfolio of risks.
A subjective approach to risk evaluation (self-assessment) may be appropriate. Appraisals of this kind also carry dangers: the diligent tend to be highly aware of weaknesses and excessively self-critical; the negligent to be cavalier and self-confident. So you can end up with a completely distorted picture. To combat this, an independent review of self-assessments can be done by central risk management, but this requires a completely clear mind, free of prejudgments about controls in the business area under review, as well as a thorough understanding of the business itself – a rare combination. Don't forget that control systems can fix the agenda for risk assessment: the objective can become finding the gaps in the controls, rather than envisaging where there is no control system at all.
Other aids to quantification include indexes and rankings given by independent bodies to industry infrastructure, such as the GSCS/Thomson index which seeks to quantify the costs of dealing in different equity markets. This brings in factors like settlement efficiency, income payments, tax, costs of establishment and so forth.
Use of Internal Models to Calculate Capital Requirements, Annex V, Capital Adequacy Directive 2006/49/EC, June 2006