
This article appeared in The Malaysian Accountant journal, Sep-Oct 2010 issue

Auditing Derivatives: Think of what can go wrong - Risk Management

By Jasvin Josen

Being in the Risk Management unit of an Investment Bank can be very overwhelming, let alone
auditing this function. The term itself carries unpleasant reminders of past crises: Barings, LTCM and
Orange County in the 1990s; AIG, Bear Stearns and Lehman in 2008. All of these disasters seem to
directly implicate the Risk Management Group.

The Risk Management group is quite different from the Trading Floor and Controlling Group
discussed in the last two issues. Some companies associate the function with recovery and disaster
procedures. However in an investment bank, risk management is far more encompassing.

According to the International Financial Risk Institute (http://riskinstitute.ch/), risk management
provides four important functions:

• to protect the firm against market, credit, liquidity, operational, and legal risks;
• to protect the financial industry from systemic risk;
• to protect the firm's customers from large non-market related losses (e.g., firm failure,
misappropriation, fraud, etc.); and
• to protect the firm and its franchise from suffering adversely from reputational risk.

In auditing this function, one should avoid the temptation to get pulled in all directions. It is always
useful to start with thinking of what can go wrong by relating to past mishaps. The auditor should
also dare to imagine the improbable and occasionally, the impossible. After all, risk is about
uncertainty in the happenings of extreme events.

So what could go wrong? Below is a non-exhaustive list of some lessons we can take from the
recent past.

Taking excessive risk (knowingly or unknowingly)

• Assuming complicated risks

In 2008, Lehman Brothers was taking unprecedented risk in subprime CDOs by assuming first loss
default risk (or equity risk). AIG was the “dumping ground” for hedges of subprime CDOs. Default
risk and correlation risk, for the first time, were being taken at such a large scale.

Default risk and correlated default risk are not straightforward to comprehend as they involve heavy
mathematical modelling that is frequently based on unrealistic assumptions. As a result, prices and
market risk computations (e.g. delta, gamma, vega, rho, theta) thrown out by models were
questionable. But how many practitioners in the bank knew this?

• Assuming high negative gamma risk

In the business of derivatives, negative gamma risk can be a scary experience. Gamma is the rate of
change in the delta of an option instrument. Delta is the change in the price of the option relative to
a change in the price of the underlying.

When gamma is positive, this means that as the price of the underlying moves in your favour, the
rate at which you profit will accelerate, i.e. the delta is increasing. When the underlying moves
against you, the rate at which you lose will decelerate. When gamma is negative, this means that the
rate at which you profit will DECELERATE as the stock price continues to move in your favour, but the
rate at which you lose will ACCELERATE as the stock price makes continued moves against you.

Markets can turn the corner suddenly and become very volatile. Short positions tend to suffer huge
negative gamma in volatile markets. The problem is not with the computation or knowledge of the
negative gamma, but more that risk managers are unable to tell when negative gamma will shoot up
in volatile markets. When the markets do turn suddenly and negative gamma rises suddenly, risk
managers often end up instructing that positions be liquidated at a major loss. To make matters
worse in volatile times, another risk, liquidity, makes getting rid of positions even more difficult.
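The acceleration and deceleration described above can be checked numerically. The following is an added example, not part of the original article: it assumes Black-Scholes pricing of a European call, and the strike, volatility, rate, maturity and spot paths are constructed values.

```python
import math

def _norm_cdf(x):
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def _norm_pdf(x):
    return math.exp(-0.5 * x * x) / math.sqrt(2.0 * math.pi)

def bs_call(spot, strike=100.0, vol=0.20, rate=0.0, t=0.25):
    """Black-Scholes (price, delta, gamma) of one European call.
    The model and all default parameters are assumptions for illustration."""
    sd = vol * math.sqrt(t)
    d1 = (math.log(spot / strike) + (rate + 0.5 * vol * vol) * t) / sd
    d2 = d1 - sd
    price = spot * _norm_cdf(d1) - strike * math.exp(-rate * t) * _norm_cdf(d2)
    delta = _norm_cdf(d1)               # price change per unit move in the underlying
    gamma = _norm_pdf(d1) / (spot * sd)  # rate of change of delta
    return price, delta, gamma

def position_gamma(quantity, spot):
    """Gamma of a position: negative whenever the option is sold short."""
    return quantity * bs_call(spot)[2]

def step_pnl(quantity, spots):
    """P&L of holding `quantity` calls over each consecutive move in `spots`.
    Moves are treated as instantaneous (no time decay), unhedged."""
    prices = [bs_call(s)[0] for s in spots]
    return [quantity * (after - before)
            for before, after in zip(prices, prices[1:])]

if __name__ == "__main__":
    short = -1  # short one call: a negative gamma position
    print("position gamma at 100:", round(position_gamma(short, 100.0), 4))
    # Underlying rises in equal steps (against the short): each loss is larger.
    print("adverse moves :", [round(x, 2) for x in step_pnl(short, [100, 105, 110, 115])])
    # Underlying falls in equal steps (in favour of the short): each gain is smaller.
    print("favourable    :", [round(x, 2) for x in step_pnl(short, [100, 95, 90, 85])])
    # Long one call (positive gamma): gains grow as the underlying rises.
    print("long, rising  :", [round(x, 2) for x in step_pnl(1, [100, 105, 110, 115])])
```
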

• So, what does the auditor do?

• Do not discourage such risks

It is a mistake to conclude that taking complicated risk and assuming negative gamma in
positions is bad and should be avoided at all costs. This is part and parcel of any growing
financial market. The answer is in managing the risks around the positions, so that when
things do falter (and they do), the safety net is ready. Regulators, especially in Asia (and
Malaysia), who have been shying away from “complicated” derivatives, are slowly realising
this and starting to liberalise their markets.

• Understand the business well

The auditor can start by taking a good look at the type of derivative business that the bank
engages in. Questions in his mind would include: what kind of risk is being taken; are all types
of risk being considered; does any ambiguity exist in the computation of any risk (for example,
there is still no market standard for correlated default risk); and what are the risk trends. A detailed
assessment of the IT environment for risk computations and reports is critical too, as risk
managers depend entirely on data processing and models.

It is always useful to review off-balance sheet structures with risk management personnel to
assess what risk they carry and if all the risks are captured and accounted for.

• Review stress testing and scenario analysis

The auditor should also review scenario analysis and stress testing. The focus is not the
performance of the tests but that the right parameters are stressed and the scenarios are
extreme enough. Equally important is what is done with the results. A plan must exist to
provide for instances when results are not favourable: who they get reported to and
what action is required. The auditor must attain a comfortable level with this issue or else
take it up with management.

• Identify gaps in risk expertise

The risk management function has to strike a fine balance between investing in capital (human and
systems) to protect the firm and remaining profitable in doing so. A report by the Economic
Intelligence Unit in Feb 2010, “Rebuilding Trust: Next Steps for Risk Management in Financial
Services”, identified gaps in risk expertise as a serious issue, even in the West. The report also
identified an over-reliance on risk models, and data problems, that are widely seen as key
failures in financial risk management.

Ignoring Liquidity Risk

Liquidity risk is what killed Bear Stearns, the renowned hedge fund. The firm invested heavily in
seemingly low-risk CDOs, graded AAA or AA. The fund was heavily leveraged, borrowing money in
low-cost short-term repos to buy higher-yielding long-term CDO tranches. The difference
between the borrowing interest rate and the yield on the CDOs generated the fund’s profits. As the
subprime credit market blew over, the dried-up liquidity in the repo market caused interest rates to
shoot up, making the business unsustainable and leading to the downfall of the hedge fund.

Illiquid financial instruments are often priced off the parameters of other liquid instruments. For
example, off-the-run bonds are priced off the curve of on-the-run bonds. Highly structured interest
rate products are priced off interest rate volatility taken from a volatility surface built from liquid
caps, floors and swaptions. These practices are not unreasonable, but it is dangerous to assume that
illiquid instruments like these will always trade close to their theoretical prices. In times of financial
shocks, there will always be a “flight to quality” and instruments like these will trade at a large
discount.

• So, what does the auditor do?

Bearing in mind the above, the auditor should check whether the bank’s stress testing results include
stretching liquidity to worst-case scenario values.

It is very challenging for the treasury department managers of a bank to maintain enough liquidity in
the bank when the wider liquidity dries up in the market. The auditor should discuss with treasury
the extent of leverage taken by all the leveraged transactions in the bank and should be
comfortable with what is being done to maintain enough liquidity.

Underestimating Counterparty Risk

Counterparty risk is basically the risk that the other party to a transaction will not be able to come up
with the payments due. It is mainly applicable in over-the-counter trades like swaps and
options. Credit risk can be minimized by requiring counterparties to maintain some collateral. Very
often AAA rated counterparties will not be required to put up any collateral.

When AIG was rated AAA, the firm did not have to post any collateral upfront with its counterparties
for over-the-counter trades. When the company was exposed to questionable accounting practices,
its rating was downgraded. It could not afford to post billions in collateral to its counterparties. AIG
was about to collapse and counterparties were nervous as the extent of their exposure to AIG was
enough to drag them down as well, leading to a serious economic collapse.

• So, what does the auditor do?

The auditor should review the bank’s method of managing counterparty risk and may want to ensure
that banks do not rely entirely on external ratings of their counterparties.

Unable to grasp systemic risk

The International Financial Risk Institute describes systemic risk as the risk
that failure in one firm or one segment of the market would trigger failure in segments of, or
throughout, the entire financial markets.

• So, what does the auditor do?

Systemic risk is perhaps the greatest challenge to risk managers and to financial markets. Keeping the
big picture outlook, and daring to imagine the impossible in all situations, will keep the auditor’s
mind focussed on assessing the dangers of systemic risk.

Risk Managers’ warnings go unheard

With all the failures that we have heard of in the last three years, it is hard to believe that all of them
were caused solely by excessive risk taking. There must have been a few risk managers who noticed cracks in
the system and alerted management immediately. A bigger problem seems to be that their warnings
were ignored.

A report prepared for the OECD in 2010 by R. C. Anderson encourages boards to assess and manage
the risk management culture and risk management maturity, and it stresses the overall importance of
ethics to the management of risk. The paper encourages boards to take a more pro-active stance in
overseeing the risk management framework as part of the development of the assurance
framework.

• So, what does the auditor do?

With this in mind, the auditor should be observant of the risk culture in the bank and how much
regard is given to the risk management team.

Risk Management Group sits in a high tower, operating in a silo

During the crisis, separating risk into separate departments (market risk management, credit risk
management, treasury-liquidity risk management) led many financial institutions to underestimate
risk concentrations and correlations. Poor communication between departments is seen as a key
barrier to effective risk management.

• So, what does the auditor do?

The auditor needs to analyse the organisation structure and conduct interviews to assess how risk is
being communicated in the bank.

Conclusion

It may seem at present that investment banks in Malaysia do not face the same challenges as others
around the world as we do not trade those fancy derivatives. However there is a great possibility
that very soon Malaysia and neighbouring countries (Singapore already did a long time ago) will be
trading more aggressive financial products, in line with their efforts to liberalise the markets.

In the next article we will investigate a common risk measure, “Value at Risk” – a once popular
measure, whose effectiveness is now being questioned…
