Successfully implementing risk management requires taking a business model approach. Risk management should focus on avoiding unintended risks and assuring that intended risks are aligned with investment decisions. The governance model should be built around a risk board, a team of risk measurement experts, independent risk controllers, and investment risk managers. It should be combined with a sound five step process based on i) measuring, ii) monitoring, iii) controlling, iv) managing, and v) communicating risk.
With the recent turmoil in the financial markets risk management has become even more a hot topic. To implement sound risk management practices for managing discretionary mandates, it is imperative to have an understanding what the outcome of risk management should be (product), who should be the beneficiary (clients), and how it should be delivered (service channels). This means developing and implementing a business model for risk management.
Why risk management?
Taking risk is at the core of managing discretionary mandates. Indeed it is only through taking risks that a return in excess of the risk free rate, the portfolio’s alpha, can be achieved. But not all risks taken will lead to a positive alpha. Therefore it is important to understand and manage the risks taken. Formally this means
- avoid unintended risks, and
- assure that the risks taken are aligned with the investment decisions.
The risks taken by the investment manager should be such that he expects a majority of the risks not to materialize, and thus translate into positive alpha.
The beneficiaries of risk management
There exist three major players interested in sound risk management:
- The client or investor – He wants to make sure that his assets are managed according to the agreed upon specification.
- Senior management – They want to make sure that the factory producing discretionary mandates runs as smoothly as possible and that the produced product quality comes as close as possible or even exceeds the agreements with the investor.
- Investment managers – Their goal is assuring that the risks universe is optimally exploited. Rather than limit or avoid risk, their goal is to maximize the risk taken, given the agreed upon guidelines, so as to maximize the alpha generated. In addition they want to avoid risks that are not rewarded.
The risk universe
There exist two categories of risk, i) the so-called intended risks, risk for which the investment manager expects to be rewarded, and ii) so-called unintended risks, which are risks that should be avoided (Diderich, 2009).
Intended risks are essentially market risks, credit or counterparty risk, market liquidity risk (risk stemming from holding assets for which potentially insufficient buyers exist at a given point in time), and most important information risk (risk of incorrect forecasts).
Unintended risks are diversifiable market risks, cash liquidity risks (so-called margin call risks), investment process risks, operational risks, model risks, and legal and reputation risks.
The governance structure forms a key pillar of a successful risk management business model. It should be composed of four bodies, i) the risk board, ii) the risk measurement team, iii) the risk controllers, and iv) the investment risk managers. Figure 1 shows the associated organizational structure.
The risk board is in charge of deciding on all aspects regarding risk. It has a strategic role and as such must have final authority on all risk topics, unless they are explicitly handled by the board of directors. It defines guidelines for managing intended risk and delegates the authority to enforce them to the risk controllers. It must not be involved in the day-to-day management of risk, roles which is delegated to the three other risk functions.
Risk measurement team
The risk measurement team is responsible for the development of in-house and implementation of all quantitative and qualitative risk models used. It is also responsible for the results of all day-to-day risk calculations. Finally it should play the role of subject matter expert with respect to risk and take a consulting stance. It should not have any controlling or enforcement responsibilities to assure independence and avoid conflicts of interest between the producer and the consumer of risk data.
The risk board delegates the day to day controlling of unintended risks as well assuring that all intended risks stay within the defined limits to the risk controllers. The risk controllers must be authorized to enforce corrective measures when risk breeches are detected. They should also have responsibility to approve risk guidelines at the client portfolio level, under the assumption that they do not violate any company or product specific guidelines. They should be in the lead of executing the risk management process, approved by the risk board.
Investment risk managers
The investment risk managers, whether a dedicated role or a function of the portfolio management role is responsible for managing the portfolio risk by i) assuring that only risks that are expected to generate positive alpha are taken, ii) risk limits are used according to the product or client guidelines, and iii) assuring that no risk limits are breached. They are the primary point of contact for the risk controllers. Any risk data used is provided by the risk measurement team to assure independence.
Risk management process
The risk management process should focus on taking a forward-looking stance, rather than be backward looking. There exist five steps in a sound risk management process as shown in Figure 2.
- Measuring risks – Risks are assessed by the risk measurement team using quantitative as well as qualitative methods.
- Monitoring risks – Risk figures are monitored and interpreted by the risk controllers according to a pre-defined and approved process.
- Controlling risks – If monitoring has shown irregularities, remedies are decided, enforced and reviewed by the risk controllers.
- Managing intended risks – Risk is steered as part of the investment process assuring that only risks aligned with investment decisions are taken.
- Communicating about risks – Risk results are communicated to all stakeholders after the fact.
To avoid any front-running or conflicts of interest, communication in steps 1 to 4 needs to be limited to a need-to-know basis.
There exist numerous tools for measuring and monitoring risk at the firm, product, client, portfolio, and instrument level. The most important tool or model selection criteria should be that it focuses on best assessing the specific risk to be tracked. Therefore the methods used for measuring intended risks should be aligned with the way the portfolios are managed. Keep in mind that there does not exist a one-size-fits-it-all solution.
- Avoid unintended risks and assure that intended risks taken are aligned with the investment decisions.
- A sound governance structure defining ownership and avoiding conflicts of interests is key.
- Implement a five step risk management process based on i) risk measurement, ii) risk monitoring, iii) risk controlling, iv) risk management, and v) risk communication.
Diderich, Claude (2009). The risk descriptions are taken from the book Positive Alpha Generation: Designing Sound Investment Processes, chapter 7 – modeling risk, authored by Dr. Claude Diderich, and published in 2009 by John Wiley & Sons.