| People are key to managing treasury risks |
Back |
| Last month Declan McGivern explained the crucial role enterprise risk management (ERM) plays in treasury risk management. This month he highlights the important role treasury culture plays in controlling risks and says that employees should be rewarded for strict compliance to company controls. |
Given the nature of treasury risk, past loss events and current ‘best practices’ in managing risk, how can ERM assist treasury and therefore the organisation as a whole? Firstly lets look at the components of ERM of which there are fundamentally four: Strategic business plans, budgets and goals; Corporate culture; Procedures; Technology.
This is the process of deciding the goals and objectives of an organisation and identifying the resources it needs and the steps to be taken to attain these objectives. Certain of the corporate failures of the past occurred when the activities entered into were at odds with the strategic objectives of the organisation.
As detailed above individuals are the main source, in the current era, of catastrophic losses to organisations. Organisations only manage risk if its employees manage risk. No amount of technology or procedures can force individuals to manage risk if they do not operate in an environment that actively encourages participation in the process. Unfortunately individuals are at great personal risk of alienation should they not subscribe to a corporate culture that merely pays lip service to risk management.
These should not be viewed as bureaucracy but rather as a means of empowering individuals to carry out their jobs. They systemise the process of risk management and if followed provide comfort that no unauthorised risks are being entered into or neglected. Effective procedures empower people by laying down what they should and shouldn’t do in specific circumstances. Procedures should cover areas should as reporting lines, risk limits and trading authority, product adoption. There should also be procedures in place to change procedures. The Basel II accord attempts to recognise operational risk and has given rise to the development of various software packages that attempt to capture instances where operating procedures have not been effective. It is interesting to note that quite a number of these software packages first need the organisation’s operating procedures to be loaded into the database for ongoing monitoring of workflow and procedures in order to calculate an operational risk exposure.
No bank dealing room or corporate treasury department is without its reliance on systems. In many large financial institutions specific systems are installed to support the trading activities of specialist areas and therefore no single system may contain all the organisation’s data at any one time. Electronic trading, payments, settlement, reconciliation, confirmation matching, general ledger and pricing systems are now an essential prerequisite to achieving the holy grail of Straight Through Processing. However the result of more systems is an increased overhead on security, interfacing, reconciliation and an increase in operational risk. Systems should facilitate the gathering and processing of data the provision of information for analysis and to be acted upon. All too often procedures and business processes are built around systems rather than the other way around. The IT infrastructure is there to support the business not to lead it.
Over the years I’ve come across a number of situations where systems have to a large extent facilitated the non-compliance with operating procedures. The dealers in question, who had deliberately set out to breach limits and enter into unauthorised trading activities, used the systems available to assist them in covering up their activities. In each instance, once discovered, appropriate security enhancing steps were instigated to prevent future abuses. Below are some examples.
• Static data access: A dealer had access to the credit limits on a front office dealing system. When Japanese banks were paying a credit premium some years ago, the dealer simply changed a limit to facilitate his additional lending to counterparties of that particular domicile in breach of the Group’s lending policy.
• Operating procedures: A dealer deliberately set out to breach his day light market risk limits. In order to conceal this, he simply entered his deal tickets into the front office system at the end of the day in an order that did not give rise a limit breach warning. This was only discovered after a reconstruction, from the dealers pad, of a number of days trading allied to confirmations, tapes and brokerage statements
• Pricing information: A dealer had access to a static data table that contained the end of day FX rates. It was his custom, developed over many years, to amend the electronically uploaded data for USD/YEN (his currency pair) to a rate that he thought was more ‘suitable’.
Having set out examples of loss events and breaches in controls, how does ERM assist the treasurer more so than the current control environment that may be in existence? ERM attempts, within treasury, to identify the risks being taken and then to manage them in a comprehensive risk management process that combines individual controls and, the sum being greater than the parts, enhances the overall control environment.
The normal controls one expects to find in a treasury environment would include such processes as: segregation of duties; policy manual; confirmation matching; operating procedures; reconciliations; budgets; security - electronic & physical; limits
Each control process is perfectly valid in its own right but assessing the possible interfaces between each one with the other may greatly enhance the effectiveness of each control. I’ve set out a number of possible scenarios in Table 3 where it can be clearly demonstrated that a control is capable of being more effective with input from another control.
Many of the risks, which result from treasury activities, may not actually be the responsibility of treasury. Perhaps a finance department may be responsible for managing regulatory risk, while a legal department may be responsible for legal risk and any failures in documentation that lead to loss. It is clear that market, credit (markets rather than consumer), liquidity, settlement, certain operational, commodity and reputation risk will squarely fall on the shoulders of treasury. ERM therefore attempts to integrate the departments, risks and controls such that, the overall effect is that each risk is managed, has an owner and is clearly understood by all concerned. It is only with this total integration that loss events can be mitigated.
The components of ERM (strategic planning, procedures, systems and corporate culture) are a framework within which each of the controls, departments and risks resides. Failure of any single control is a failure of a component of ERM. No single control is invulnerable, it’s the combination and interfacing of controls that provide an integrated control environment and hence ERM. Each of the financial losses set out in this article are directly attributable to a breach of controls within a corporate culture that was not conducive to detecting such failures. Below are some examples of treasury in an ERM environment.
• Treasury budget: Integration of the budget with limits available to a dealer. For instance if there was a budget of ?1,000 profit per day for a proprietary $/YEN FX dealer to achieve what market risk limits would he need to be in place to achieve this? Based on historic volatility of that currency pair it may be decided that $3M daylight and $1M overnight limit is sufficient. If the limits available to the dealer are in excess of that then the bank is inviting the dealer to take on more risk than his budget requires. Hence the possibility of excess profits or losses against budget.
• Profit & loss: Integration of profit and loss with budget. Correctly calculating the P&L of a dealer, dealing desk and dealing room is normally carried out on a daily basis in a financial institution usually less frequently in a corporate. Identifying excess profits or losses against budget may highlight a fundamental breach of controls e.g. limits, availability of excess limits or manipulation of pricing information.
• Credit limits and nostro (bank) reconciliation: The prompt identification of failures on a counterparty’s behalf to deliver funds could identify a credit issue. Linkage of the bank reconciliation function to the credit risk function may be the first manifestation of a potential credit failure and if acted upon promptly, may result in non extension of further facilities
• Confirmation matching and limits: Identification of incoming confirmations where no outgoing trade has been identified could highlight unauthorised dealing activity in breach of limits. Similarly the identification of outgoing confirmations to a counterparty with no incoming notification may be a sign of issues with the counterparty, either front or back office.
• Conclusion: ERM / Integrated Control Environment can be viewed as one and the same thing. Most treasury departments have most, if not all, of the controls and components in place. The main focus in achieving ERM should actually be the culture element and therefore the people. Allying culture changes to the integration and interfacing of individual controls will deliver ERM to an organisation. Risks are taken by people; controls and risk management exercised by them. All the procedures and systems will not force your employees to manage risk. Know your people; keep temptation out of their way by ensuring adequate detection controls are in place and reward for compliance.
Risk management is an unpopular profession - it’s about rocking the boat, whistle blowing and generally being the dog that chases the bone. Nobody will love you until you prevent something going wrong! |
Declan McGivern is a director at Matrix Treasury Consultants.
|
| Article appeared in the November 2002 issue.
|
|
|
