A project aiming to correct the failure of evaluating total exposure by counterparty, instrument, business unit and the institution as a whole must start by addressing a number of critical queries. Their intent is to make sure that both senior manage- ment and project members understand where the risks really lie and how they correlate with one another.

Because, as we have just seen, the human element is the weakest link in the chain, the project should start not with questions relating to tactical issues and

Chapter 4

75

mechanics, but with those of strategic importance: the overall concept, quality of internal controls and trading system dynamics. The first issues that should attract management’s attention are:

● Why is this counterparty dealing in options? Swaps? Forward rate agreements?

● Is the counterparty a steady user of OTC, or does it balance its business with exchange traded products?

● What’s the net and gross exposure with this counterparty? How does it compare with limits during the last three years? Five years?

● Is the account executive aware of total exposure? What has he or she done about the exposure? What’s the frequency of inputs to the client?

A suitable answer to these questions cannot be expressed in just a few numbers, the way the old culture has worked with ‘vanilla ice-cream’-type banking products.

Contrary to this short-sighted approach, banks should be keen to merge trading and analytical skills to better understand where precisely the risk occurs. Nobody can say ‘what has happened to others couldn’t happen to us’.

The best way to develop and implement a rigorous system of internal controls is to be specific. Many people understand that no two banks have the same requirements, and what may be good for one institution could be substandard for another. But few people appreciate that major cultural differences can exist within the same institution, and that these differences have a significant impact on risk control.

Speaking from professional experience, it has been a fairly frequent finding that even within the same financial organization different divisions have a hetero- geneous appreciation of exposure and incompatible systems of internal controls.

In many cases these divisional internal controls short-circuit the corporate-wide system. Divisions justify them as ‘better fit for their type of business’, but that’s nonsense.

A specialization of internal controls might be sufficient in single-product finan- cial institutions, but parochial systems are a disaster in conglomerates of products and services. Holistic results in risk management require total homogeneity of metrics, systems and procedures. Without them, it is not possible to understand where the risk occurs.

A crucial question to be asked when we structure or revamp internal controls is the diversity of the product lines they will be supporting, with emphasis on those instruments and product lines contributing the most to income and levels of exposure. An internal control system must be personalized to the institution

Risk Accounting and Risk Management for Accountants

76

Ch04-H8422.qxd 7/4/07 4:35 PM Page 76

that implements it. The structure of risk accounting, auditing, risk management and internal control must also observe the principle that organizations are staffed by people, and people:

● Create complex networks of power, and

● Stonewall information gathering and corrective action.

Every senior manager gathers about him or her trusted subordinates, who are in turn loyal to their own boss and work to that agenda. When in the Nixon years James Schlesinger became CIA director, he announced on arrival, ‘I am here to see that you guys don’t screw Richard Nixon!’ To underscore his point, Schlesinger told the CIA top brass he would be reporting directly to White House political advisor Bob Haldeman and not to National Security Advisor Henry Kissinger.³

As with any other system, internal control and the organization at large work as long as all these centres of power share a common vision and aim. When dis- putes arise, whether professional or personal, each power centre defends its own turf and the arteries of the organization clog. This becomes a contest of wills, and it may well damage the survival of the institution.

To overcome stonewalling, the better managed banks have sought out more rigorous control schemes. One of the evolving models is that of a centralized risk management function, which assumes primary responsibility for entity-wide risk control and establishes strict guidelines for operating units. Centralized risk management:

● Reports to a senior executive of the institution, and

● Works in association with the board’s risk management committee (Chapter 12).

Whether the centralized or distributed approach is chosen, clearly defined risk internal control and management processes must assure a system of personal responsibility and accountability (Chapter 3). They must also reduce the possi- bility that some risks will escape detection and control because one or more power centres make them opaque.

Along with the establishment of the appropriate structure, a crucial factor influencing the assignment of responsibility for risk control is the ability to qual- ify and quantify all dimensions of risk, including the personal dimension. A good example is the necessary separation between risk taking and risk evaluation, which must be clear-cut in all areas of activity.

Such separation seeks to assure that the originator of a given position cannot also be in charge of risk evaluation and of the trader’s performance measurement.

Chapter 4

77

It also helps to prevent price manipulations arising from conflicts of interest, which are boosted when the compensation of staff is directly linked to the performance of:

● Positions taken, and

● Commitments made on behalf of the bank.

Both have to be measured in a dependable manner, and confidence intervals should be established for both, as section 5 explains. ‘If you cannot measure it, you can’t manage it!’ is a new motto in the financial industry, and at the same time it sym- bolizes one of the main challenges in building risk accounting systems robust enough for new financial instruments.

In the case study of the ‘dear client’, which we examined in section 2, the first risky situation occurred when the client borrowed US dollars, switched his US dol- lar position to a Canadian dollar position and bought Canadian debt. A subsequent internal study has shown that at that moment the client should have been stopped.

However, the loan department authorized the US dollar loan based on his orig- inal deposit of 10 million guilders. The forex department authorized the switch from US dollars to Canadian dollars because it estimated the risk on Canadian dollars as not being that much different as on the US dollar, and the client said ‘it was only for a short period’. The securities department also made a good profit, and after all the client possessed Canadian dollars.

The court did not buy these arguments. Instead, the judge said: ‘Being a bank you should have known there were risks involved and you should have warned your client. Since you have not warned your client, you are liable and you have to pay your client a damage.’ The risks embedded in a tandem of transactions amplified one another.

Prices characterizing each of these positions change, in a gradual fashion, and this weighs heavily on total exposure. This lack of integrative risk control brings to mind the story of two bankers. One said: ‘I can’t sleep any more.’ The other stated: ‘I sleep like a baby.’ The first one asked: ‘How come?’ ‘Well,’ the second one answered, ‘every other hour I wake up and I have to cry.’