The primary driver behind the development of GARP was to provide a benchmark of risk management practice that would go beyond the limited definition of risk management as an exercise in quantification to encompass the wider issue of control across all the functions involved in the trading process from the front office through to the back office, from line management up to the board.
Whilst, in part, this was a reaction to the fact that most of the publicized difficulties faced by some well known trading houses were a result of control failures rather than errors in trading strategies, it also recognizes the increasing contribution of industry participants and regulators to the area of risk management in its broadest sense.
The risk and control framework that is proposed is organized around eighty-nine principles covering the areas of risk management strategy, organization, the risk management function, operational controls in the front and back office and in `firm-wide' functions and systems. In its comprehensive coverage, GARP provides a framework for Total Risk Management, a concept relatively new to the securities industry.
In this article, we examine the implications of GARP for trading risk management, and consider the way in which GARP may be used by senior management as a tool for identifying control deficiencies and prioritizing their resolution.
Challenges in trading risk management
GARP recognizes that the challenge faced in the management of trading activities is not simply issue of being able to quantify accurately market risk.
In fact, effective risk management needs to encompass every aspect of the management of a firm. Simplistically stated, this is related to eight major areas:
the role of the board and top management, and their understanding of the nature and extent of the risks being taken;
the comprehensiveness of the risk management framework in its coverage of all types of risk, not simply market risk;
the congruency of risks undertaken with the firm's overall business strategy;
the ability of all trading related support functions to provide an integrated risk management framework;
the effectiveness of the management structure and processes to monitor and enforce risk management policy;
the robustness of the operation controls surrounding the trading activities in both the front and back offices;
the suitability of the personnel responsible for each of the process involved in execution or support of trading activities; and
the adequacy of risk management information.
Put in this context, it is clear that the evaluation of the adequacy of risk management is a far reaching and complex issue that needs not only to cover multiple dimensions of organization, processes and controls, but also needs to take into account the inter-relationships between each of these.
The difficulty faced by many institutions now is where to start in this process of evaluation. For many organizations, the issue is not so much what to do about the known control deficiencies, but how to go about identifying trouble-spots that currently are not visible, but which have come to light in a few otherwise respected firms with catastrophic results.
One way to go about this daunting task is through a process of bench marking, not against other organizations, but against a standard of best practice. The principles set out in GARP seek to provide such a benchmark which can usefully provide a framework for analysis, and subsequently, a model around which to base development of risk management practice within a firm. Where GARP differs from existing benchmarks is in its comprehensiveness, and proposition that risk management and internal control need to underpin every aspect of an organization.
To give a feel for the sentiment of the benchmark, some of the driving tenets of GARP are described briefly below, along with extracts of the principles themselves. It is worth remembering that the content of this summary is articulated in 89 specific principles documented in detail over 240 pages.
Risk management strategy
The management of all types of risk related to trading activities needs to be integrated within an overall risk management strategy and implemented throughout the organizational structure of a firm.
Especially important in this respect is the recognition of specific responsibilities at every level of the organizational hierarchy. Responsibility for each type of risk does not stop at the business unit level, nor can it be isolated from the management of other risks if a firm is to understand fully its risk profile, and the implications in the decisions of senior management and ultimately its shareholders.
For example, GARP explicitly states that the board of directors is responsible for recognizing all the risks to which the firm is exposed and ensuring that
the requisite culture, practices and systems are in place. To effect this, the board's risk management strategy must be underpinned by an integrated framework of responsibilities and functions driven down to operational levels.
To support this, the proposed benchmark defines a risk management group, reporting to the board (usually via an executive committee), with responsibility for defining risk management policies, including market risk, and ensuring that they are implemented effectively. Depending on the nature of the organization, these responsibilities may be assumed by another senior committee, if not the executive committee itself.
To support market risk management (as well as credit and liquidity risk) at these levels, a dedicated and independent risk management function is required, whose role is to implement the risk policies associated specifically with these risks.
However, this is only one of a number of support and control functions in the overall risk management framework.
The risk management function
Turning specifically to this risk management function, the standards set out start with the requirements for an appointed head of risk who is an influential member of the risk management group.
More broadly, the critical requirement of the risk management function taken as a whole is that it is independent of the business units and trading areas whose activities generate, amongst others, market risk. Accordingly, it is in a position to ensure that business units are acting within the boundaries of agreed limits, and is able to report issues through to the risk management group and ultimately the executive committee and board of directors.
Risk measurement, reporting and control
The risk measurement, reporting and control framework set out in GARP requires the quantification of market, credit and liquidity risk, the capability to aggregate and monitor exposures, a comprehensive set of limits to ensure that exposures remain within agreed boundaries, and mechanism for evaluating performance on a risk-adjusted basis.
GARP devotes significant attention to market risk and specifies that a market risk measurement framework should be established using methodologies which are comprehensive, yet comprehensible.
The resultant emphasis of the principles is on establishing an appropriate framework for measurement within the context of other types of risk, and ensuring that the methodologies and their underlying assumptions are fully recognized.
GARP makes clear that there is no one single type of measure that adequately covers all eventualities and satisfies all management requirements. All too often, risk managers look for a single measure to meet all their requirements, and end up with a model that meets none. As a result, a number of complementary measures need to be used, each of which must be developed with specific reference to their intended use. These should include:
a probability based measure, such as `value at risk', to provide a means of aggregating risk consistently across the firm's business units, allowing comparison between business units and a basis for capital allocation. It is vital that the accuracy and reliability of these models must be verified or back-tested against actual market events, and constantly updated to reflect changing market conditions;
risk sensitivity measures for more detailed analysis and control, especially for derivative products;
stress testing to determine the effect of abnormal market moves on the market value of the firm's portfolios and to quantify as effectively as possible, events lying outside the bounds of a probability based model.
GARP moves on from market risk to credit and liquidity risk, which are often not given the attention they deserve, and sets a requirement that aggregate limits must be established and reviewed periodically to control each of them.
Operations and systems
As referred to above, trading risk management does not stop at the quantification and reporting of market and credit risk.
Accordingly, equal weight in GARP is given to the requirement for robust operational controls in the front, middle and back offices as well as strong firm-wide support functions covering the principal legal, reputational, technology and human resources risks.
the front office: GARP sets standards relating to such issues as the authorization of individuals to commit the firm to new risks, the adequacy of information regarding the product, transaction type and counterparty, procedures for financing and controls around the models used for pricing transactions;
middle and back office: several key principles are set out in detailed checklists relating to valuation, product profit and loss accounting and transaction processing;
firm-wide support and control functions: these must provide assurance that risk management policies are being supported, controls are in effect and that complex areas are being appropriately dealt with. Links and reporting responsibilities need to be defined clearly for functions including Internal Audit, Legal, Compliance, Regulatory Capital Reporting, Tax, Legal Documentation and Human Resources.
The benefits of benchmarking against GARP
The summary above should provide a sense of the thoroughness of the benchmark set out in GARP. Accordingly, there are several important benefits that can be gained by using this as a tool to evaluate current risk management practice:
A rigorous and methodical assessment of risk management across the entire firm;
A comprehensive understanding of how the current risk management framework compares with best practice;
Identification of deficiencies prioritised by their relative importance;
A comparison of practices across businesses, products and locations;
A basis for drawing up action plans outlining the steps required to address gaps and, in the longer term, strategic development of the risk management framework.
The importance of undertaking a rigorous assessment of risk management practices in specific business units and locations has been evident from recent risk management failures which have been linked to dominant personalities in those areas. These failures have also highlighted the need for organizations to have comprehensive risk management controls in their trading activities, and not just sophisticated measurement techniques.
The benchmarking methodology
It is important to understand the outputs that might be produced in the course of a benchmarking study across product lines, geographic locations and consolidated firmwide. The example used is based on a technique developed by Coopers & Lybrand to `score' an organization against each of the individual principles and tie these back to the eight fundamental tenets set out at the beginning of this article. In conducting this process it is important to note that the principles need to be weighted in accordance with their relative importance and their relevance to the type of organization and its trading activities.
Using the results of this type of analysis, senior management can soon identify potential weaknesses, both at a high level, and also driven down to the most detailed operational levels, depending on the scope of the study.
Conclusion
The growing complexity and global scale of trading activities within many firms now require a tool with which senior management can evaluate the level of control and effectiveness of risk management across all its product lines and geographic locations. At the same time, recent experience has shown that the scope of the risks under review needs to be comprehensive, and the penetration at each level of the organization needs to be through.
Whilst individual publications and proposals by industry participants and their regulators have addressed in great detail certain aspects of the overall risk management framework, GARP, used correctly, can provide a truly comprehensive benchmark against which senior management can judge the adequacy of their risk management practices in every aspect.
(Reprinted with permission from Bankers Digest International.)
Generally accepted risk principles recognize that the challenge faced in the management of trading activities is not simply issue of being able to quantify accurately market risk.
