Broker-Dealer Risk Management Practices
Office of Compliance Inspections and Examinations,
Securities and Exchange Commission
New York Stock Exchange
NASD Regulation, Inc.
July 29, 1999
The examination staffs of the Securities and Exchange Commission ("SEC"), the New York Stock Exchange ("NYSE") and the NASD Regulation, Inc. ("NASDR") convened a task force several years ago to assess risk management practices at registered broker-dealers. The task force was formed in response to changes in the industry and several instances where poor systems of internal controls resulted in substantial losses at certain firms. Among the goals of the task force was to assess the industry's awareness of the need for stringent risk management supervisory systems, and compile a compendium of sound practices and weaknesses noted during task force members' review of risk management systems.
Risk management is the identification, management, measurement and oversight of various business risks and is part of a firm's internal control structure. These risks typically arise in such areas as proprietary trading, credit, liquidity and new products. The elements of a comprehensive risk management system are highly dependent on the nature of the broker-dealer's business and its structure. The task force also considered important aspects of the control environment, such as senior management's involvement and oversight of the process, the internal audit function and other elements of an internal control system.
The task force has concluded that senior management must play a significant role in the adoption and maintenance of a comprehensive system of internal controls and risk management practices. This role should include the recognition of risk management as an essential part of the business process, management's willingness to fund the necessary elements of a risk management system, including personnel and information technology costs, and recognition that risk management is a dynamic function that must be modified and improved as a firm's business changes and improved processes and procedures become available.
Members of the task force conducted on site inspections of mid-sized and large broker-dealers, and held several meetings with industry groups to assess the adequacy of the industry's internal control and risk management systems. These inspections focused on the risk management areas noted above. The examinations revealed certain material weaknesses in the policies and practices employed by certain broker-dealers to manage risk, some of which are listed below, followed by examples of sound practices also noted during these reviews.
Weaknesses in Practices
Some firms failed to adequately monitor trading risk due to poor supervisory structures, the inconsistent use of data, and employment of inappropriate risk measurement tools. For example, one inspection noted a broker-dealer that had assigned the head of the fixed income trading desk to oversee all trading risk management functions, including the risk monitoring of fixed income trading. Several broker-dealers were found to have failed to monitor the consistency of information contained in the firm's trade processing, financial reporting and risk management systems, resulting in the omission of certain accounts and activity from the risk monitoring function. Additionally, certain broker-dealers utilized risk measures, such as notional values, that were not commensurate with the complexity of products traded.
The inspections also identified numerous weaknesses in the manner by which broker-dealers manage credit risk. Numerous broker-dealers conducted trading with counterparties for whom no credit limit had been established, and in some cases credit reviews of approved counterparties were not completed within prescribed time frames. Further, many of these reviews were not adequately documented. Reports used to monitor credit exposure were frequently inaccurate. For instance, many of the reports failed to capture fully the entire population of trades within each category of trading activity and failed to aggregate total credit exposures across all product lines on a system wide basis. Additionally, computerized system limitations yielded credit reports identifying false violations of credit guidelines due to an inability to recognize collateral or the failure to adjust credit lines. Other credit reports calculated exposure in a contradictory manner to what was intended, such as by treating credit exposure from the overcollateralization of repurchase agreements as reduction in risk.
The inspections also identified instances where broker-dealers maintained understaffed and inexperienced internal audit departments. Also, many of these internal audit departments failed to include key revenue producing and functional areas, such as trading risk management and credit risk management, in the internal audit plans. Occasionally, internal audit failed to follow up on its findings, which contributed to the deficiencies which were identified remaining unremedied.
Among the practices the staff observed as appropriate elements of a risk management system were the following:
The inspections identified instances where a firm's Board of Directors adopted guidelines defining authorized activities, the limits of these activities and the methodology for measuring the risks of these activities. Frequently, the firm's senior management had substantial experience in the firm's major business areas and, accordingly, was cognizant of risks inherent in specific business lines. Also, at certain firms, the risk profile of a product or venture was considered in senior management's allocation of capital and measurement of performance.
At several firms, traders and trading personnel were expected to play an active role in risk management. Many firms employed an independent (i.e., from revenue production) risk manager who was appropriately experienced and reported to a sufficiently high level of authority (e.g., Board of Directors, or Chief Executive Officer) that his challenges to a trader's pricing of a position were taken seriously and were implemented without requiring the concurrence of the revenue side of the business.
The inspections identified several instances where pricing, P&L and adherence to position limits were monitored by an independent (i.e., from revenue production) and appropriately experienced group, such as product controllers. On a daily basis, this group compared each trading desk's P&L to possible earnings volatility at certain confidence levels (i.e., value or earnings at risk measurements), in order to assess the reasonableness of the firm's trading results.
At many firms where data flowing into risk measurement systems was consistent with trade and financial information, the firm would periodically reconcile the categories of data input into the various informational systems. At some firms, daily reconciliations would be performed at each point of systems interface to ensure data integrity.
Many firms maintained an independent (i.e. from revenue production) and centralized credit department which administered the establishment and documentation of credit lines and monitored the usage of these lines. Many firms have adopted a system of internal credit rating of counterparties. These ratings are updated as needed but no less often than annually. Some firms' credit monitoring systems have integrated the monitoring of credit risk over all products and operations of the firm and consider future potential exposure in monitoring credit utilization.
The inspections identified several firms with internal audit groups performing an annual risk assessment and ascribing various levels of risk, and a related audit cycle, to all segments of the firms' operations. At one firm, internal audit maintained an automated tracking system that tracked audit findings and the resolution of these findings. Audit findings that were not resolved within established time frames were reported to senior management. In those areas where audit findings were of significance, internal audit verified that policy and procedural changes had been implemented. Another internal audit group performed special reviews in reaction to news events or reported developments in the industry (cause audits).
With the increased volume of transactions, new financial products, global marketplaces and expanding use of the internet, the nature of the securities business is constantly changing and becoming more complex. As a result, a dynamic risk management function must play an essential role in assuring investor protection and the integrity of a firm's financial condition. The task force found that broker-dealers need to devote adequate time and resources to assess risk management procedures and controls, and modify such systems to reflect today's market conditions. The extent and cost of the system needed should be determined by the size of the firm and the nature of its business activities.
Over the years, we have seen increased recognition in the broker-dealer community of the importance of the risk management function, and the need for continued adjustments to that function to address market and regulatory changes. Most recently, the Counterparty Risk Management Policy Group joined the list of industry and regulatory groups that have evaluated risk management practices and recommended actions. All of these initiatives contribute to the potential development of improved risk management systems.
As regulators, we want to reemphasize to management throughout the broker-dealer community the importance of maintaining an appropriate risk management system geared to a firm's business activities. In recognition of the increased importance of this function, examination staffs of the SEC, NYSE and NASDR will increase their emphasis on the review of risk management controls during regulatory examinations.