RISK MANAGEMENT GUIDELINES FOR DERIVATIVES
(Appendix to Sec. 613 on Generally Authorized Derivatives Activities)
I. Introduction
a. No single risk management system for derivatives is expected to work for all banks considering that the structure and level of derivatives activities will vary from one bank to another. Each bank should apply the principles set in these guidelines in a manner appropriate to its needs and circumstances. The Bangko Sentral shall evaluate the quality of a bank’s risk management system based on the principles and minimum requirements of these guidelines, scaled to the derivatives activities being undertaken.
b. The requirements prescribed in these guidelines are merely minimum standards and, therefore, should not be taken as the “be-all” for a bank’s risk management. The board of directors¹ has the responsibility of ensuring that a bank’s risk management system appropriately captures its risk exposures and affords proper management of these.
c. A trust entity within a bank must have a separate risk management system. However, the trust department may in-source back office functions of its risk management system with the bank proper only upon prior Bangko Sentral approval on the basis that such in-sourcing will not give rise to potential conflict of interest.
II. Risk associated with derivatives
III. Risk management process for derivatives
a. Identify the risks arising from its derivatives activities in whatever capacity it deals with the same. A bank must likewise identify the impact of its derivatives activities on its overall risk profile. To properly identify risks, a bank must understand the derivatives products with which it is transacting and the factors that affect them. Considering that changes in the value of derivatives are highly influenced by changes in market factors, risk identification should be a continuing process and should occur at both a transaction and portfolio level.
b. Measure the risks arising from its derivatives activities. A bank must have measurement models or tools to quantify the risks identified. These measurement tools should be suitable to the nature and volume of a bank’s derivatives activities. As the complexity and volume of the derivatives activity increases, the measurement tools should correspondingly be more sophisticated. The primary criteria for the propriety of the measurement tools are accuracy, timeliness, efficiency and comprehensiveness with which these tools can capture the risks involved and their contribution to the decision-making process of bank management.
c. Monitor the risks arising from its derivatives activities. Derivatives products are very sensitive to market factors, which continually change. Thus, a bank should have a mechanism to monitor the responsiveness of derivatives to market factors to enable it to review and assess its risk positions. In order to effectively monitor the risks, reports must be timely generated in order to aid management in determining whether there is a need to adjust the bank’s derivatives positions.
d. Control the risks arising from its derivatives activities. A bank must establish limits to its derivatives exposure. These limits should be comprehensive and aligned with a bank’s overall risk tolerance. A bank’s policies and procedures on control should provide for contingencies when limits are breached. A bank must allot lead time and have a mechanism that enables management to act in time to control unacceptable or undesired exposures. A bank must also establish a system that separates functions susceptible to conflicts of interest.
IV. Sound risk management practices for derivatives
a. Active and appropriate board² and senior management oversight
A bank’s board of directors must set the general policy or the policy direction relating to the management of a bank’s risks, including those arising from its derivatives activities. This policy should be consistent with the bank’s business strategies, capital strength, management expertise and risk profile. Accordingly, the board of directors must understand the nature and purpose of the bank’s derivatives activities and the role derivatives play in the bank’s overall business strategy. Passive board of directors approval is not acceptable. There must be verifiable evidence of the board of directors’ approval processes and that senior management exerted effort to explain the nature and purpose of the derivatives activities to the board of directors (e.g., minutes of board of directors meetings documenting presentations and reports to the board of directors and the approval processes).
The board of directors must review and pre-approve new derivatives products as well as significant related policies and procedures. Central to the approval of new products is defining when a product or activity is new in order to ensure that variations on existing products receive the proper review and authorization. Policies should also detail authorized activities (e.g., at what stages approvals should be obtained, from whom approvals should be obtained), those that require one-time approval and those that are considered inappropriate.
The board of directors must be apprised of the bank’s derivatives exposures on a timely basis in order to enable the board of directors to act on such exposures accordingly. Consequently, there should be an established reporting methodology to ensure that the board of directors receives, on a continuing basis, detailed information regarding the bank’s risk exposures from derivatives, including the impact to the bank’s overall risk profile, earnings and capital. These reports should include both normal and stress scenarios.
Pursuant to the general policy or policy direction on risk management set by the board of directors, senior management must adopt adequate policies and procedures for conducting the bank’s derivatives activities on both a long-range and day-to-day basis. Policies should clearly delineate responsibility for managing risk, and provide effective internal controls and a comprehensive risk-reporting process. Policies must also keep pace with the changing nature of derivatives products and markets and therefore must be reviewed on an on-going basis. Senior management should ensure that the various components of a bank’s risk management process are regularly reviewed and evaluated. Internal evaluations may be supplemented by external auditors or other qualified outside parties.
The quality of oversight provided by the board of directors and senior management to a bank’s derivatives activities will be reflected in the overall risk management process, the adequacy of resources (financial, technical expertise, and systems technology) devoted to handle derivatives activities and its use of the monitoring reports. The board of directors and senior management shall be responsible for ensuring that bank personnel comply with prescribed risk management standards and sales and marketing guidelines.
b. Adequate risk management policies and procedures
A bank must establish policies and procedures to guide its personnel in conducting derivatives activities. These risk management policies must be reflective of a bank’s current strategy and practice.
A bank should not issue policies and procedures for derivatives in isolation. All aspects of the risk management process for derivatives activities should be integrated into the bank’s overall risk management system to the fullest extent possible using a conceptual framework common to the bank’s other activities. Risk management policies should be comprehensive, covering all activities of the bank. The Bangko Sentral will evaluate the degree to which controls covering derivatives activities have been integrated in other issuances of the bank covering aggregate risk-taking activities.
For banks that conduct derivatives transactions with subsidiaries and affiliates, there should be policies and procedures that describe the nature, pricing, monitoring, and reporting of acceptable related-party transactions.
All risk management policies and procedures must be written, well communicated to all personnel involved in the derivatives activities and readily available in user-friendly form, whether the same is a hard or soft copy thereof. A bank must also put up systems and procedures to ensure an audit trail evidencing the dissemination process for new and amended policies and procedures.
At a minimum, a bank is expected to have:
1. Comprehensive, updated and relevant risk policy manual(s);
2. Operations manual(s) or similar documents that describe the flow of transactions among and between the relevant units and personnel in a bank’s treasury (front office, back office and accounting) and risk management unit;
3. Approved product manual(s) that includes product definition, benefits and risks, pricing mechanisms, risk management processes, capital allocation guidelines, tax implications and other operating procedures and controls for the bank’s derivatives activities.
c. Appropriate risk measurement methodologies, limits structure, monitoring and management information system.
(1) Measurement methodologies
A bank must be able not only to accurately quantify the multiple risk exposures arising from its derivatives activities but also aggregate similar risks across the different activities of the bank to the fullest extent possible. A bank must develop a risk measurement model appropriate to its portfolio. Accordingly, a bank must evaluate the assumptions used, computational requirements, procedures for computing the risk metric, sourcing of inputs used in the measurement process, including the theoretical reasons for a particular input choice, and how these concepts apply to the bank’s portfolio.
The risk measurement system should be structured to enable management to initiate prompt remedial action, facilitate stress-testing, and assess the potential impact of various changes in market factors on earnings and capital. A risk measurement system is considered sound if it is capable of comprehensively capturing risks from: (a) the bank’s on and off-balance sheet exposure; (b) all relevant market factors; and (c) normal circumstances and stress events. Sound risk measurement practice includes identifying possible events or changes in market behavior that could have unfavorable effects on the bank and assessing the ability of the bank to withstand these events or changes. The stress testing should include not only quantitative exercises that compute potential gains or losses but also qualitative analyses of actions that management might take under particular scenarios.
A bank’s risk measurement system should provide appropriate pricing and valuation procedures to ensure best execution for both proprietary trading and those undertaken for clients and mark-to-market/model (MTM) methodology for derivatives instruments that follows established MTM regulations and Philippine Financial Reporting Standards (PFRS 9).
New measurement models, whether developed internally or purchased from vendors, should be subject to an initial validation before they are used. Internally developed models require more intensive evaluation where they have not been market-tested by external parties. The validation process should consist of a review of the logic, mathematical or statistical theories, assumptions, internal processes and overall reliability of a bank’s measurement models, including the compatibility of the measurement model with the bank’s technology and systems. The validation must be undertaken by a technical expert independent from the unit that developed the model. For example, pricing systems developed by a trader are required to be independently validated by a corresponding technical expert from the bank’s risk management unit. If no such personnel from the risk management unit exists, an independent validation may be performed by internal audit provided that internal audit has the necessary expertise. A bank may also avail of the services of an independent outside expert. Thereafter, the frequency and extent to which models are validated depends on changes that affect pricing, risk presentation or the existing control environment. Changes in market conditions that affect pricing and risk conventions, which affect model performance, should trigger additional validation review.
Risk management policies should clearly address the scope of the validation process, the frequency of validations, documentation requirements, and management responses. At a minimum, policies should require the evaluation of significant underlying algorithms and assumptions before the model is put in regular use, and as market conditions warrant thereafter. Such internal evaluations should be conducted by parties who, where practicable, are independent of the business sector using or developing the model. The evaluation may, if necessary, be conducted or supplemented with reviews by qualified outside parties, such as experts in highly technical models and risk management techniques.
(2) Limits structure
A bank must specify individual limits for all types of risks involved in a bank’s derivatives activities. A bank should use a variety of limits to adequately capture the range of risks or to address risks that the measurement system does not capture. These limits should be integrated into the bank-wide limit structure to ensure consistency with the board of directors-approved risk appetite and business strategy.
The limit structure should be realistic taking into consideration the target budget, level of earnings and capital. Limits must be documented and promptly communicated to all relevant personnel. Limits must be reviewed at least annually or more frequently, if circumstances warrant, in order to ensure that limits reflect the bank’s past performance and current position.
Limits should be continually analyzed as regards their impact on target income, earnings and capital. These analyses should be submitted/reported to the board of directors. Any excess over the limit must be approved only by authorized personnel and immediately reported to senior management and, depending on the seriousness, also to the board of directors. The seriousness of limit exceptions depends upon management’s approach towards setting limits and on the actual size of individual and organizational limits relative to the bank’s capacity to take risks. A bank with relatively conservative limits may encounter more exceptions to those limits than one with less restrictive limits. There must also be mechanisms for the correction of breach of these limits.
A bank’s limit structure should address the following:
(a) Definition of a credit exposure;
(b) Maximum credit exposure to an individual counterparty;
(c) Credit concentrations;
(d) Maximum nominal exposure:
(i) per trader and per transaction; and
(ii) position limits.
(e) Approved credit risk mitigation techniques;
(f) Appropriate loss exposure triggers:
(i) loss alert;
(ii) stop loss;
(iii) value-at-risk; and
(iv) earnings-at-risk.
(3) Monitoring
Monitoring of risk exposures, market conditions, and trading positions should be done at least daily. Derivatives instruments are highly influenced by movements in market factors. Thus, a bank must have a mechanism that can track and analyze the effect of market movements on its derivatives exposures.
To ensure proper monitoring of risks, a bank is expected to have technology and systems that can (a) track movements in reference variables (underlying) and other market factors affecting the value of the derivatives instruments, such as trigger events; and (b) incorporate observed market movements into the pricing and valuation of derivatives instruments.
While monitoring is undertaken independently from the personnel conducting derivatives activities, bank traders are expected to actively monitor their positions to ensure that they do not breach their limits. Bank traders should not wait until a limit is breached to alert senior management and risk control units. Instead, traders should promptly report unanticipated changes and progressively deteriorating positions, as well as other significant issues arising from their positions, to the risk control function and responsible management.
(4) Management information system
A bank must institute an information system that generates accurate and incisive reports to ensure that management and the board of directors are timely and regularly apprised of the bank’s derivatives exposures. A bank is expected to have policies and procedures pertaining to the derivatives reporting specifying, among others, the types of derivatives reports to be generated, the purpose and contents thereof, responsible units that will generate the reports, frequency and deadlines of reports, recipients/users of reports, and the type of action expected from the users of the report. At a minimum, management reports should contain the following: outstanding derivatives positions, compliance with or status of positions as against limits, analysis of derivatives positions, along with other bank exposures, in relation to the impact to earnings and capital, monitoring of trigger events, and deviations from established policies and procedures and justifications thereof.
The management information system must be able to translate the measured risks from derivatives activities from a technical and quantitative format to one that can easily be read and understood by senior managers and directors, who may not have specialized and technical knowledge of derivatives products. Such a system enables management and the board of directors to judge the changing nature of the bank’s risk exposures. The electronic data processing capability must be commensurate to the volume and complexity of the bank’s derivatives activities to facilitate the generation of needed reports.
The frequency and content of board of directors and management reporting will ultimately depend upon the nature and significance of derivatives activities. Where applicable, board of directors and management reports should consolidate information across functions and divisions. Board of directors and management reporting should be tailored to the intended audience, providing summary information to senior management and the board of directors and more detailed information to bank traders.
Management reports should be generated by control departments independent of the risk-takers. When risk-takers provide information (e.g., valuations or volatilities on thinly traded derivatives contracts) for management reports, senior management should be informed of possible weaknesses in the data, and these positions should be audited frequently.
d. Comprehensive internal controls and independent audits
A sound system of internal controls promotes effective and efficient operations, reliable financial and regulatory reporting, and compliance with relevant laws, regulations and policies of the bank. In determining whether a bank’s internal controls meet these objectives, the Bangko Sentral will consider the overall control environment of the bank, particularly, the process of identifying, measuring, analyzing and managing risk, the adequacy of management information systems, and degree of adherence to control activities such as approvals, confirmations and reconciliations. Control of the reconciliation process is particularly important where there are differences in the valuation methodologies or systems used by the front and back offices.
(1) Risk control
A bank should have an independent risk control unit responsible for the design and implementation of the bank’s risk management system. A strong risk control function is a key element in fulfilling the oversight responsibilities of the board of directors and senior managers. This unit must be independent from business trading units and should report directly to senior management of the bank. The role and structure of the risk control function should be commensurate to the nature, complexity and extent of a bank’s derivatives activities.
A risk control unit should regularly evaluate risk-taking activities by assessing risk levels and the adequacy of risk management processes. It should also monitor the development and implementation of control policies and risk measurement systems. It should analyze daily reports produced by the bank’s risk measurement model, including an evaluation of the relationship between measures of risk exposure and trading limits. Risk control staff should periodically communicate their observations to senior management and the board of directors.
A bank’s control structure shall be considered sound if all the following elements are present:
(a) Formal approval process for new products
A bank should have an effective process to evaluate and review risks involved in products that are either new to the bank or new to the market and of potential interest to the bank. A bank that desires to engage in new products and transactions must first subject these products and transactions to a rigorous review and approval process. This will ensure that all bank personnel involved in the activity have sufficient knowledge of the product or transaction, and that the ensuing risk exposures can be identified, measured and analyzed. The process must be contained in a board of directors-approved policy that is fully documented and must be implemented consistently and with integrity.
Before initiating a new derivatives activity, all relevant personnel should understand the product. Risks arising from the new product should be integrated into the bank’s risk measurement and control systems. The new product approval process should include a sign-off by all relevant areas such as risk control, operations, accounting, legal, audit, and senior management and trading operations.
Defining a product or activity as “new” is central to ensuring that variations on existing products receive the proper review and authorization. Factors that should be considered in classifying a product/activity as “new” include: capacity changes (e.g., end-user to dealer), structure variations (e.g., non-amortizing swap versus amortizing interest rate swap), products which require a new pricing methodology, legal or regulatory considerations, or market characteristics (e.g., foreign exchange forwards in major currencies as opposed to emerging market currencies).
A bank should introduce new products in a manner that adequately limits potential losses and permits the testing of internal systems.
(b) Segregation of functions/units subject to conflict of interest
A bank must separate the business unit conducting the derivatives activities from the unit/s tasked with the checking, accounting, reporting and control functions of its derivatives activities.
A bank should have policies and procedures addressing conflicts of interest, particularly among the following functions: proprietary trading, sales or marketing desks/units, personal trading, and asset management.
A bank that conducts derivatives activities with its subsidiaries and/or affiliates must establish policies and procedures to avoid actual, or even the appearance of, a conflict of interest. Off-market rates between related parties should generally be forbidden.
A bank should avoid dealing in transactions conducted at off-market rates. A bank should have internal policies defining what constitutes “market rates” and identify the range of deviation from the benchmark rates which could still be considered as “market rates”. The bank’s monitoring system should be able to alert management of any breaches in the rate tolerance levels and the appropriate action that should be taken. A bank must be able to justify any off-market transaction.
(c) Competent and adequate personnel who are properly supervised
The increased complexity of derivatives activities requires highly skilled staff particularly in the risk-taking, risk control, and operational functions. Management should regularly review the knowledge, skills and number of people needed to engage in the bank’s derivatives activities. The staff must be appropriately balanced among the different areas involved in derivatives activities such that no area is understaffed in terms of number or skill.
Staff turnover can create serious problems, especially if knowledge is concentrated in a few individuals. The impact of staff turnover can be particularly acute in specialized trading markets where bank traders are in high demand and are often recruited in teams.
To mitigate business continuity and succession risk arising from a high staff turnover, a bank should devise a system of building technical expertise across involved personnel through continuous technical training, periodic rotation and cross-training of staff members performing key functions and developing understudies.
The board of directors should ensure that the power and control delegated to these expert personnel are not abused. Therefore, the board of directors must establish appropriate controls over their activities.
(d) Independent control functions or units
The risk control and audit units should possess the authority, independence, and corporate stature to enable them to identify and report their findings unimpeded by bank traders. It is equally important to employ individuals with sufficient experience and technical expertise to be credible to the business line they monitor and senior executives to whom they report.
(2) Audit
Audits should be conducted by qualified professionals who are independent of the business line being audited. Audits should supplement, and not be a substitute for, the risk control function.
The scope of audit coverage should be commensurate with the level of risk and volume of derivatives activity. The audit should include an appraisal of the effectiveness and independence of the bank’s risk management process; the adequacy of operations, compliance, accounting and reporting systems; propriety of risk measurement models; and the effectiveness of internal controls. Auditors should test compliance with the bank’s policies, including limits.
The level of auditor expertise should be consistent with the level and complexity of activities and degree of risk assumed. A bank may choose to out-source audit coverage to ensure that the professionals performing the work possess sufficient knowledge and experience.
Procedures should be in place to ensure that auditors are informed of significant changes in product lines, risk management methods, risk limits, operating systems, and internal controls so that the auditors can update their scope and procedures accordingly. Auditors should periodically review and analyze performance and risk management reports to ensure that areas showing significant changes are given appropriate attention.
The audit function must have the support of management and the board of directors in order to be effective. Management should respond promptly to audit findings by investigating identified system and internal control weaknesses and implementing corrective action. Thereafter, management should periodically monitor newly implemented systems and controls to ensure they are working appropriately. The board of directors, or designated committee, should receive reports tracking management’s actions to address identified deficiencies.
(Circular No. 903 dated 29 February 2016)
Footnotes
1. In case of a local branch of a foreign bank, the equivalent management review arrangement (e.g., management committee, regional review committee). In case of a trust entity, the trust committee.
2. In case of a local branch of a foreign bank, the equivalent management review arrangement (e.g., management committee, regional review committee). In case of a trust entity, the trust committee.